59 posts • joined 28 Jun 2011
Re: I have argued for many years
6... any of the old chemistry books I possess (from the days when they included details of explosives, or "hazards in the chemical laboratory").
7. Copies of strong anonymising software such as tails or whonix.
8. Copies of privacy enhancing software such as GPG.
9. Provision or maintenance of privacy enhancing tools such as Tor....
Re: And if I actually USE Linux..........
"One of the problems with Linux is it's probably a hell of a lot harder to insert spyware, if you're any sort of a halfway decent admin."
Ummm - no actually it isn't. Where did you get your distro? How do you update it? Which repos do you use? Are you /certain/ that last update was completely free of any /deliberate/ trojan? Are you /certain/ that last update didn't contain any remotely exploitable vulnerability?
"If you look at the Windows processes list, you have no idea what half that shit is. They could probably run xkeyscore.exe and I sure as hell wouldn't find it."
Thay just says that you are not a windows admin. It does not mean that no-one else understands the windows process listing. But see the argument above. The same applies (but worse because the software is proprietary.)
"However, on my Linux box I know what every single process in pstree is doing and why it is there. I also know what's going on in the network activity bar of xosview and the netstat listing. Anything reporting back to NSA HQ would have to be pretty subtle."
No you don't. You just think you do. And even if you did, your pstree could be tojaned and not show processes it wanted to hide. So could netstat, or wireshark. That cupsd may not be just listening for print commands you know.
The point is, unless you have an external monitor (say a /known/ /provably/ clean network monitor running on a /known/ /provably/ clean OS) sitting on the wire between you and your ISP you have no guarantee whatosever that what is going in or out of you nice safe secure linux box is all it should be.
And even if you have, you could still be stuffed unless you /really/ understand network protocols in depth (Ever hear of DNS being used as a wrapper for file exfiltration? Or long time based UDP to call home?)
Don't be complacent. The only secure computer is one not switched on, not connected to anything and buried in a lead lined box in concrete.
And even then I'd worry in case it was exhumed and disk forensics run on it......
Re: Cloud security
Well, I had to make it 50.......
Re: NSA seal-of-approval
or as XKCD would have it - why attack the crypto when there are easier targets?
it could have been worse
They could have chosen Charles Farr.
Re: And this is why you cannot trust open source
Words fail me.
Yes, we certainly need a troll icon.
Re: What's that sound ?
Actually I doubt that they will be paid very much. UK Public servants rarely get rich.
"Everyone is getting Turkey's Twitter block wrong"
There is a very good post over at https://medium.com/technology-and-society/cb596ce5f27 by Zeynep Tufecki. She argues that Turkey is not really intending to block Twitter per se, because the Turkish Administration knows that to be largely futile (and it pushes the populace towarrds using avoiding technologies such as VPNs and Tor to bypass the problem). Rather, she says that Erdogan is attempting to "poison the well" of social media by painting it as a threat to family values in Turkey. She notes that Erdogan has talked about social media's disruption of privacy, and how the foreign companies do not obey Turkish court orders but obey US and European courts.
Well worth reading.
Take a look at Andrews and Arnold (aaisp.net).
No-one, but no-one should use BT.
re: where's the GCHQ version?
I got mine from the Guardian offers page at http://entertainment.guardianoffers.co.uk/i-aa-rm001699/g-c-h-q-always-listening-to-our-customers/. My wife bought me the NSA version for Christmas.
Unfortunately, the GCHQ version does actually not feature their logo - more a generic HMG "crown". As another poster has said though, GCHQ's site specifically states that the logo may not be used "inappropriately".
No sense of humour.
Journalistic licence. And in my view, not unreasonable. When I read the original article last night, my immediate conclusion was "wget".
But whatever the tool, the principle remains the same. An NSA insider, and a contractor to boot, was able to recursively scan and download a bucketload of highly classified documents, including documents from a Five Eyes partner, without any effective alarms going off.
That says an awful lot about the effectiveness of the NSA's security practices (for both technical and personnel security). No wonder they are pissed off.
Re: wget - The hackers friend
I have deleted all copies of wget from all my systems.
Re: It's a people problem
Plus 1 for that.
In the UK, the police call the "high vis jacket" the "cloak of invisibility". Wear one and no-one looks at you.
"Aside from the orchestration capability, it also removes the most troublesome parts of running a cloud - network engineers."
Great. I'm really looking forward to hosting a bunch of applications with a "cloud" provider which employs no network engineers. I feel safer already.
Re: Seen it before
Yep. Back in September 2002 OGC published "Open Source Software: Guidance on implementing UK Government Policy." I wrote it.
And if you look very carefully at the cover of that document you will notice that it includes a picture of a laptop running the (then) popular X11 game called "kill bill".
Nobody, but nobody, in the publication QA process spotted it.
Re: Volenteers != free
"Mind you, the picture at the foot of their home page makes it look like their test servers are in someone's garage!"
They probably are. I understand that TDR runs the build and test servers himself.
Re: "strict", "moderate" and "light".
"All I want for Christmas is a VPN connection outside of blighty."
Try openvpn. You can rent a really cheap VPS (less than 5.00 USD per month) in a variety of places other than dear old blighty. With your own VPN to that VPS (running on say, port 443) you are good to go.
Oh yes indeed. Because taking a tablet into the bog with you looks a little, shall we say, suspect.......
Despite the fairly obvious troll traits, I was going to comment on (and down vote) your original post. But a moderator quite sensibly removed it.
For some statistics on the relative usages of linux v BSD, take a look at http://w3techs.com/technologies/comparison/os-bsd,os-linux. BSD is not even in the running in an environment (servers) where it could be expected to be used. On the desktop it is not even a rounding error. I log statistics of OS/browser types hitting my website. I don't see any BSD anywhere.
And I note from your posting history that you have an apparently disturbing set of phobias. Seek help.
If you have to ask. then you wouldn't understand the answer.
Royal Palace security
"You will also need strong identification to get into a royal event such as a Buckingham Palace garden party – Palace police are quite strict on checking ID"
Several years ago I was doing some work with the Royal Palace on behalf of the UK Gov Dept I then worked for. Entry to the site was controlled by Police Officers who insisted on two pieces of identfiication. My official pass sufficed as one piece, but they needed another. On my first visit I gave them my ID pass and my passport. On a subsequent visit I forgot my passport so the officer on duty asked for an alternative to add to my ID pass. I furtled in my wallet, but all I could come up with (beyond the usual bank cards etc) was a fishing licence. He said, "OK, that'll do, it's an official document."
You can buy fishing licences at a post office.
Raiu said "“They are opening stolen documents on virtual machines without any internet connection to avoid exposing themselves that way,”
So how does he know that?
At least he didn't sing.
Re: Quoting Terry Pratchett???
Good grief. I agree with Eadon.
Relativity in lego
Very nice. But I think Andrew Lipson beats him. See http://www.andrewlipson.com/escher/relativity.html for example.
Re: a plea
Please dear Reg, use english in your reporting. The phrase "The Register reached out to Facebook" simply made me cringe. Yes, I am an old fart, yes I am being finnicky, yes I know what you think it means, but it is nonsense. It irritates me almost as much as "going forward" and other such twaddle.
There, I feel so much better now.
Re: The 'request filter' is signature driven
"random data generators, random traffic flows, leave your PC browsing on its own whilst you go to the park"
Interesting idea. Now how, exactly, would you get your PC to "randomly browse" in a way that would look anything other than stupidly robotic and predictable?
Nationwide Banking off-line
Seems to have been off-line for a while. I first tried about an hour ago, but of course it may have been down before that. Mobile banking and payments also down.
Back when I first installed FW/1, I was puzzled to find that they wanted the external IP address of the device before they would send the licence key (I assumed that the key would be hashed to that address in some way). No entirely happy with that, I stuck mine behind a NAT device so that the external address I gave them was drawn from RFC 1918,
Re: I'm reading that Mandiant report right now....
They are quite well embedded over here too. See http://www.cesg.gov.uk/News/Pages/Cyber-Incident-Response.aspx for example.
Re: Paper wins
Re: Who gives a donkeys...
Actually, no I would not. Not ever.
You clearly are not from Norfolk or you would know that a Norfolk "boy" is actually a good old "bor".
I, however, do live in Norfolk, and we are not all "bumpkins".
"Linux never supported the 286 or earlier."
Well, the linux kernel didn't appear until 1991 and Linus built it for a 386/486 target (he was playing with Minix 386 and was frustrated with its limitations).
However, somewhere in my loft I still have a copy of v2 of Xenix (an MS licensed version of Unix) dating from the mid 80s which ran on a 286. The earlier version ran on 8086 I believe.
Check that keyboard
Interesting that your pic of the "prototype keyboard" shows a rather, errm odd, layout. Looks as if someone has been prising off the chiclets and re-seating them.
I had one of these back in the late 80s when I was working in HMT's IT Unit (and shorty before I joined CCTA). It was a rather nice piece of kit. Light, good battery life, excellent screen for its time, and robust too. I used to carry mine around in my briefcase bungied onto the back of my motorcycle. It came loose one day and bounced down the Wandsworth road on the approach to Vauxhall. Brieface a bit battered, but the Liberator still worked perfectly.
I'm note sure the office Lisa would have coped as well.
Re: Consumer VPNs Exist?
Yes. If you a re a reasonably savvy consumer (and of course, as a Reg reader you are, right?) For the price of a cheap NAS running debian hanging off your home ADSL router you can set up openVPN and tunnel out through that from wherever you may be. Or you could spend a few more quid and set up the tunnel end point on a rented VPS somewhere. Just check the terms of serrvce first.
Re: Not Really
"Probably just paranoid (adjusts tinfoil hat), but I do know that about 85% of the intrusion attempts on my various networks originate from China."
No. You mean that "85%" (or whatever) attempts have source IP addresses in Chinese address space. You have no idea whether the /actual/ source is in some other place and is simply using chinese IP addresses as a cover. In the same way you have no idea of the /actual/ source of any DDOS attack - all you see are the multiple IP addresses of the compromised machines which form the 'bot.
"false flagging" is probably more common than most people believe.
Re: NUMBER of people!
Missed it. But I can never resist the temptation to correct poor grammar.
Re: NUMBER of people!
Errr. "fewer" people.
Well, someone had to say it.
No. He means PV. At least he does if he is talking about the old vetting system as seems likely .
PV = Positive Vetting.
DV = Developed Vetting.
Ross is an interesting guy and has some talented co-workers and students. But he is vehemently, and vociferously, anti-spook. So not surprising he is not on the list. Shame really. He might have been a useful counter to the possibility of group think.
Oh the irony
""Moving departmental websites onto GOV.UK will, in due course, realise significant savings for the taxpayer,"
Exactly the same argument was used about binning open.gov.uk (the first single portal into government) following the Gershon review which closed CCTA.
Guess who I used to work for, and what I used to do.
"this latest scheme puts the intelligence services directly in touch with the private sector for the first time,"
Rubbish (or CESG/GCHQ flummery). Both CPNI, and its predecessor organisation, NISCC, have long had direct contact with private sector organisations.
Re: From the article and comments, we can deduce 2 things;
"I would have thought Linkedin would have attracted users with some level of sense"
Now what on earth gave you that idea? It's a social network.
Re: How can anybody now justify using Google APIs?
I can lend you a disk drive. But you'll have to source whatever software and OS you used yourself. Now PCK tape would be a bit trickier.
no such thing
"In a closed session Homeland Security Secretary Janet Napolitano, FBI Director Robert Mueller, National Security Agency Director Keith Alexander and Principal Deputy Director of National Intelligence Stephanie O'Sullivan briefed the politicos on the current state of the cyberwar."
A plea to the Reg if I may. Whilst it might suit the americans (and some people in the UK) to talk about internet based "attacks" as constituting a war, there is no such war and the public is ill served by the media reporting in a manner which suggests there is.
Please stop it.
re: You know.....
One upvote from me on that. I wouldn't trust them any further than I can throw an elephant.
Eh? What does that mean in english?
- Updated HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
- Peak Apple: Mountain of 80 MILLION 'Air' iPhone 6s ordered
- Students hack Tesla Model S, make all its doors pop open IN MOTION
- BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
- PROOF the Apple iPhone 6 rumor mill hype-gasm has reached its logical conclusion