247 posts • joined Tuesday 20th September 2011 22:56 GMT
People who don't take basic security steps, like anti-malware and anti-virus, also tend to choose dumb passwords!
Providers need to put basic checks into their systems to prevent such passwords in the first place. Just because 12345 is the combination for your luggage doesn't mean you should use it for your bank accounts!
Has the ASA ever made an enforcement ruling while an ad was still in widespread use? If not, it's entirely a waste of space, especially if it cannot force repeat offenders (such as ISPs) to stop being naughty.
You forgot one thing...
all good things must come to an end
You forgot to justify XP as a "good thing". Familiar, yes. I'm not sure it is "good" any more.
Since its EOL was announced, support for new hardware isn't guaranteed (and I suspect a lot of new wifi dongles/cards don't support XP very well, if at all), and the less said about its IPv6 support the better.
Re: It does make you wonder what sort of hardware our banking network is running on.
I've not seen any indication of hardware failure in these incidents. It's all process or software related.
When I opened a bank account with RBS in my local branch in 2003 I found their office computers were running OS/2 (the banking app that the guy was using to open the account crashed and I saw the desktop). I suspect that's because the backend was an IBM mainframe and they were using one of the proprietary IBM communication protocols. The desktops (and ATMs, which also ran OS/2 for the same reason) have all been upgraded. You can see the result of the ATM upgrades on flickr and other photo sharing sites - Windows error boxes all over the place.
The backends? To be honest I'd probably trust a 20+ year old IBM mainframe that's under a proper support contract more than I would a lot of the newer gear and newer OSs.
Re: about time FCC got off the dime
Even better, I know of places that keep the ESS systems in place so they can say there is no room in the CO and that they can't allow other carriers to locate equipment there for unbundling services.
There's also a story I heard about a non-RBOC carrier who had a switch delivered many years ago (>10), but since the order was placed they'd started moving to a packet switched architecture and wanted to cancel the order. The manufacturer refused until the carrier said they'd take it out into the middle of a field and blow it up as a statement that circuit switched telephony was dead. The manufacturer suddenly changed their minds and took the switch back. Not entirely sure I believe that story myself, but I've heard it several times.
Cisco lost the plot long ago
From various people who work inside large enterprises, Cisco appears to have lost the plot quite a while ago. From personal experience, the 65xx chassis was massively underprovisioned in terms of backplane speed for the port density it provided (and this was back in 2002 when I worked at a large ISP. They haven't revised the backplane since AFAIK).
Cisco's answer? Push behaviour modules. Want your firewall in a blade? How about your IDS and IPS? Oh, and your e-mail hygiene product too!
They tried to cover up the lack of backplane bandwidth by pushing stuff that really should not be in a chassis slot in the first place. With the benefit for Cisco that they get to sell more switch chassis also!
The "cloud" companies moved off Cisco a while back, especially Google. If you take a minute to think about the way Google FS works, you'd realise why.
Re: Archaic architecture
That only applies at small scale
There is no PC on the market today that can cope with a real workload, e.g. 3xOC192 and multiple 10GBE links. The PCI Express slots just aren't designed for that.
Do you trust the SSL cert? The NSA, GCHQ, etc may be able to get a signing cert from somewhere and issue their own "fake" SSL certs on any box they like and have them accepted by the browsers as valid.
Encryption without authentication is pointless
Encrypting the traffic by default is pointless unless you can authenticate that the system you think you are talking to is actually the system you want to talk to and not some intermediate spook system.
Mandatory encryption would therefore fail to solve the NSA "problem" because of the lack of trust in the authentication systems, i.e. the certificate authorities. They've been proven to be the weak points in the system before. And if people *don't* use authenticated certificates, then the mandatory encryption is pointless.
"I suggest you try SSL between client and server, with TLS between servers."
While that IN THEORY prevents snooping the message as it is transiting between servers:
- most MTAs do not enforce certificate chain validation of the certificate provided by the remote MTA, so spoofed, unsigned SSL certificates will generally be accepted
- that doesn't address the e-mail being stored outside your network border, which will invariably be in clear text (very few servers encrypt on disk, Lotus Notes being the only one I can think of and even then it's not on by default)
Clearly Tom Baker's time on screen was due to his equally long scarf.
Why on earth do they need the full content of the e-mail to pull down someone's Linkedin profile? Surely all they need is the header From line, and maybe the To and CC lines if they're pulling down the profile for everyone on the e-mail?
If the complete e-mails pass through the Linkedin servers, then to me, the entire system is designed backwards. The client should pull down the mail to the phone and then make a request to Linkedin to see if any of the header From/To/CC addresses are recognised. End of story.
Re: What am I missing?
Yes, but HTTPS requires a valid certificate, for which you have to pay.
Not entirely true. I've had an SSL cert, recognised by all clients I've tried so far as signed by a trusted CA, on my personal mail server for years without paying a penny for it.
So where are the "voluntary solutions" from the content industries to make their content more available? I recently tried to give them money for some content in HD just to find out it's not available in Europe. I could buy the stuff from Amazon in the USA and have it shipped over, but that's a risk since the MPAA love region locking crap for dubious reasons.
If they keep shooting themselves in the foot, they shouldn't be surprised when people go to "unofficial sources".
And maybe they should stop assuming that spending hundreds of millions of dollars on a single film will rake in the moolah. Make the films cheaper, and charge less for cinema tickets, DVD and Blu-Rays and see what that does for legal consumption.
And so it begins
Since Facebook has to make money for its shareholders, a gradual erosion of privacy will happen to force more content to be readable by everyone so more pages can be served up and more ad revenue generated.
However, in a series of meetings in Bali last week, China took a more conciliatory tone, indicating that it was prepared to shorten the list of products it wants excluded
What are they asking for in return for their "concessions"? I doubt very much whether they are going to reduce the list of exclusions without getting something else in return...
Unicode needs to be taken out back and shot
Not just shot once, but repeatedly.
One of the principles of Unicode is to separate the character from the representation of the character. In other words, ASCII 65 (decimal) is "A". How your system chooses to display "A" is up to the system. The character is transmitted as decimal 65 no matter what the display representation is.
Unicode promptly goes on to rubbish this ideal.
Pre-Unicode Asian fonts had "full-width" representations of ASCII characters so displays that mixed ASCII and Japanese characters kept their formatting as the characters had the same width, while the usual ASCII characters were narrower and hence broke formatting.
Unfortunately this lives on in Unicode, shattering the idea that the display of the character is independent of the code point of the character because there are now two different Unicode code points that both print out a Latin-1 "A" (and also the rest of the alphabet and numbers and punctuation). In reality, the full width "A" should not be U+FF21, it should be decimal 65 with the renderer deciding if it should be full width or not.
This has caused me more than one problem in the past with things that sometimes correctly handle the full-width and ASCII mix and sometimes don't.
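The fullwidth/ASCII mix the post describes is exactly what trips up string comparisons in access checks. This added example (not code from the original post) uses Python's unicodedata to find width variants and fold them with NFKC before a reserved-name check; the sample strings and the RESERVED_NAMES blocklist are constructed for the demonstration.

```python
import unicodedata
from typing import List, Tuple

# Constructed sample input: "ADMIN" spelled with the fullwidth Latin letters
# U+FF21..U+FF3A, next to the plain ASCII spelling (decimal 65 onwards).
FULLWIDTH_ADMIN = "\uff21\uff24\uff2d\uff29\uff2e"
ASCII_ADMIN = "ADMIN"
RESERVED_NAMES = {"admin", "root", "support"}   # hypothetical blocklist


def width_variants(text: str) -> List[Tuple[str, str, str]]:
    """List every fullwidth (F) or halfwidth (H) character in `text` with its
    code point and the single code point NFKC maps it back to."""
    found = []
    for ch in text:
        if unicodedata.east_asian_width(ch) in ("F", "H"):
            found.append((ch, f"U+{ord(ch):04X}", unicodedata.normalize("NFKC", ch)))
    return found


def fold_width(text: str) -> str:
    """Collapse width variants onto their canonical code point, so U+FF21 becomes
    U+0041 and halfwidth katakana becomes the normal katakana.  NFKC also folds
    other compatibility characters (ligatures, superscripts), so use it on
    identifiers you compare, not on text you must preserve verbatim."""
    return unicodedata.normalize("NFKC", text)


def naive_is_reserved(name: str) -> bool:
    # Code-point-for-code-point comparison: U+FF21 and U+0041 are different
    # letters here, so the fullwidth spelling slips past the blocklist.
    return name.lower() in RESERVED_NAMES


def hardened_is_reserved(name: str) -> bool:
    # Fold width variants first, then casefold, then compare.
    return fold_width(name).casefold() in RESERVED_NAMES


if __name__ == "__main__":
    for label, name in (("fullwidth", FULLWIDTH_ADMIN), ("ascii", ASCII_ADMIN)):
        print(f"{label:9} naive={naive_is_reserved(name)} "
              f"hardened={hardened_is_reserved(name)} variants={width_variants(name)}")
```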
I read in a different article on this subject that Samsung's outside legal counsel did NOT share the confidential documents directly with Samsung. What happened was that the legal counsel hired some 3rd party to write a report on the confidential data, and did NOT mark the report as having the same level of confidentiality as the documents it was based on, despite directly quoting the source documents. It was this report that was shared with Samsung, allegedly.
It would be good if someone could clearly state what happened, as there are several different versions of this story floating about and while it doesn't change the fact that data was shared with Samsung that should not have been shared, it might be human error (in not marking the report as confidential) rather than deliberately violating attorney privileges.
However, there is no argument - Samsung should have known that they should not have had that data, and the fact they went on and allegedly used it in contract negotiations is highly indicative of the morals and character of Samsung executives.
"I love how their power/internet bills were all paid up until the 1st of October, and now suddenly since they apparently have no money to pay them, they've been shut off with no notice."
It's more secure to leave a minimalist "We're not here" website up than the full website which could get severely pwned before the muppets on Capitol Hill get their act together.
There's also a ton of infrastructure behind a lot of the sites, that will probably be turned off (or at least secured from being available online) for similar reasons.
AHCI has "known issues" with VSAN?
Really? Given that AHCI is a default industry standard for cheap SATA controllers to emulate (including a lot of the on-board controllers on most motherboards), I somewhat suspect that should be
"VSAN has a known issue with AHCI"
Given that the rest of the bloody planet has figured out how to work with these controllers, I somewhat suspect vmware are doing something wrong.
Data aggregators are big targets because pwnage allows access to lots of data that would otherwise take a lot more pwned targets to find.
The fact that these places got pwned (again) is not a surprise. Humans work there, and spear phishing is a popular sport amongst miscreants and is proven (repeatedly) to be highly effective. The fact that someone, possibly one of the sysadmins if they got access to the databases, fell for it is concerning as they are in the "should know better" category.
The fact that they were pwned for months and didn't know is only mildly surprising.
These places need to learn some real security.
Is the intellectual property and remaining value in the customer base worth $4.7 billion? I know some people who love the built in physical keyboard over the newer touch screen versions, but RIM, I mean, BB aren't the only people doing those...
"Indeed, plus the way they say they're sold out "today" when their next shipment will be in October (according to the article anyway)."
No, the article says that orders placed online will be shipped in October. About 2am the online store was saying 7-10 days, and it's now slipped to "October", so there is (at least one) earlier batch that is already fully claimed for online sales, but presumably the physical stores will operate on a first come, first served basis and they'll get some allocation from the earlier batch(es).
I find it odd that it is more difficult ...
to enter my own country (the United Kingdom) at a UK border point than it is to get into Europe. Every time I've gone to Europe (France, Netherlands, Germany, ROI), the passport bod takes a cursory glance at my passport page and indicates me to move on. No RFID chip scan. No anti-counterfeiting measures are checked (UV light, etc). No databases are checked.
I enter the UK and I have to stand and wait while they read the RFID chip on my passport and do whatever it is that they do in that process.
Security is fine when used appropriately, but is it really necessary to make all the UK passport holders wait through that process? Making the process more efficient and/or reducing the requirements could go a long way to helping the passport control queues by allowing staff to process the non-EU visitors instead of harassing the natives.
Re: Never mind the physics
It's mysteriously situated over the Ancient/Alteran outpost. They're trying to drill down to get to the weapons platform.
(see Stargate SG-1)
Re: Wait what?
Uh, no, the damages part (i.e. fines, etc) comes in the next phase of the trial next year.
Re: Not relevant
Uh, sure it is relevant if the parties offer goods or services to UK customers.
Re: 200 Employees?
No idea what they all do, but the antennas are movable. Not just rotation and inclination, but between pads to alter the "focus" of the telescope. There are two (from memory) special vehicles that were used to transport the antennas up to the observatory from the assembly point (much lower down where supplemental oxygen is not needed). Once all the antennas are up there, they're used to move the antenna between pads, and presumably drag one down the hill again if it needs more than a quick fix.
That's probably a few dozen people needed to do that work.
What the others do I have no idea.
Re: Schultz A lot of frustrated officials
a) It's the Government's secret information, so they already know it
Actually, they don't. Or more precisely, not everyone in government does. Let's consider a hypothetical situation where you are given a security clearance. That doesn't mean you instantly have access to all material classified at that level or below, it means you could be exposed to material at that level or below that is relevant to your job.
That is the entire point of compartmentalised (i.e. secret) information, you're only told on a need-to-know basis.
What has the spooks most worried is likely what the government doesn't know about what the spooks have been up to. It's been proven that the heads of the USA security services have been less than completely honest with their oversight committees and therefore with the people that authorise their expenditure and enable their function through legislation. It is not difficult to imagine that the same is true of the UK security services.
They're probably also worried about the risk to the Snoopers' Charter currently being considered in the UK.
The police should go after the leaker for wasting police time (the abandoned investigation) and interfering with a police investigation.
The victim should probably go after them also in a civil court case.
Other acknowledgements of Area 51 / Groom Lake
As part of any outage which affects 911 services, US telcos have to file a report with the FCC detailing areas affected, what happened, and what the fix was.
10-15 years ago Sprint filed an outage notice with the FCC detailing a DACC (from memory) that had failed. They listed one of the affected areas as "Military Base 'Area 51'"
I may still have a copy of that outage notification somewhere. Oh, it's even on the wayback machine
Re: Shock and horror
American government require a court order to read your emails, here we are talking about companies.
And there are some very interesting legal minefields in that very statement. Technically, if an employee of a company in the USA fires up tcpdump or wireshark, that COULD count as a wiretap and that COULD require a court order, even for a company. ISTR there was some law passed ~10 years ago in the USA that got some people looking a bit nervous, and AFAIK there has been no case about the law to define its boundaries.
This came up because some customer I was working with didn't know their customers' plain text passwords and wanted to fire up dsniff to pull them off the wire when they logged in to their e-mail or whatever (and no, they didn't use SSL). I told them they could do that, but I couldn't be any party to that action and had to explain why.
Re: Why bother?
An interesting comment I saw buried deep in an article, I think on the Washington Post, is that members of the Intelligence Oversight committees gave up trying to get the Patriot Act amended for one very simple reason: they couldn't discuss the reasons for wanting the amendment as it relied on compartmentalised information. It's very hard to make a coherent argument for changing a law when you can't tell the people who will vote on the proposal why the amendment is needed.
The committee members have to read their intelligence briefings in a secure room and can't take any of the data out of that room.
All the committee does is ask questions (as I understand it they have no real authority to change anything without a vote of the full house), which makes the entire oversight process a waste of time. The only real effect of the oversight committee is that the electorate probably think that the committee is there to stop abuse of power. i.e. yet more security theatre.
Lies, damned lies, and statistics
Assumption: the NSA does most of its gathering on data that transits US soil, since most data is sent via oceanic fibre and so can't be sniffed off satellites or radio (yes, I'm deliberately discounting the assertion Snowden made that they've spliced beam splitters into Chinese fibres)
The obvious conclusion from that assumption is that they're probably very deliberately using a very large figure (total global Internet traffic) and figuring out what percentage of that is caught in their sniffers.
A more relevant statistic is probably the percentage of USA traffic that they capture. I suspect it's quite a bit higher than the 1.6% from their publication.
He told the BBC that Xerox has flagged the issue in the user manual
because clearly all the users of the equipment will have read the manual
many of them won't be able to read the manual at all because IT will have it locked in some safe in case someone nicks it, or tries to do something other than what IT want you to do
If they knew it was a problem, the software should have had a big flashing notice when you turned the highest compression on saying "warning: this may change random numbers on your document". Any other notice is completely irrelevant, as they have discovered.
Re: and next week....
The regulator explained that telcos would need to keep records of any consent given confirming a switch to another provider.
Yeah, I don't think "keeping records" will really mean much. People, especially in telesales or door-to-door begging, will try and con people into saying "yes" any way they can. IMHO the best way to improve the current situation is to make ISPs give you your MAC code online and cut out the "valuable customer retention department" crap at your current ISP. Not perfect (since we all know website security is sometimes lacking), but a hell of a lot better than just trusting people's record keeping to keep companies from slamming people.
Syria's nuclear programme?
US Secretary of State John Kerry and Secretary of Defence Chuck Hagel are due to meet their Russian counterparts in Washington to discuss "strategic stability, political-military cooperation and regional issues", including Syria and Iran's nuclear programme, the state department said.
Syria has a nuclear programme?
Yes, I know what the sentence means really, however the way it is structured it could also mean that they want to discuss Syria's nuclear programme.
Re: U.S. NATIONAL DEBT
I doubt very VERY much that an Airbus / Boeing decision will be purely made on whether the NSA snoops on data hosted or in transit through the USA. Likewise a GE versus Rolls Royce decision for the engines on the plane is a lot more complex.
I see more serious repercussions in cloud hosting, as this article alludes to, and perhaps also security related software/hardware. I doubt there are backdoors in as many applications as rumours suggest, but non-USA based vendors will use this to their advantage on the International market.
Actually, the two preferred ciphers that the facebook servers send are TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384.
Yes, you're right about Forward Secrecy, but you're wrong about the cipher. And Forward Secrecy appears to require that you use a very few select ciphers using DHE or ECDHE, which are both slower than the ones they've left enabled. When you're dealing with the volume of traffic Farcebook does, they probably can't afford the hit.
Yes, they still have RC4 enabled (it's the 3rd most preferred cipher), but they need to because very few browsers support the TLS v1.2 ciphers that allow you to avoid RC4 and CBC (the only two usable ciphers in TLSv1.0 and SSLv3). You could avoid the RC4 problem by using CBC, except it's *more* broken than RC4.
So until browser manufacturers catch up and enable TLSv1.2 by default, web sites *have* to leave TLS v1.0 / SSL v3 ciphers enabled, and that means RC4.
(yes, I recently went through a bunch of ssl code at work to try and make sense of the patchwork mess that different browser implementations have forced on ssl servers)
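The cipher-ordering problem the post describes (AEAD-only suites need TLS 1.2, forward secrecy needs (EC)DHE, RC4 kept for old clients) can be audited from IANA suite names alone. This added example (not code from the post or from Facebook) classifies each suite and reports where forward secrecy and RC4 sit in a preference list; the sample list is constructed, with the two suites the post names at the top and a hypothetical RC4 suite third.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    forward_secrecy: bool   # True when the key exchange is ephemeral (DHE / ECDHE)
    bulk: str               # "AEAD", "CBC", "RC4", "NULL" or "other"
    min_version: str        # lowest protocol version able to negotiate the suite


def classify(name: str) -> SuiteInfo:
    """Derive the security-relevant properties of an IANA cipher suite name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA suite name: {name}")
    if "_WITH_" not in name:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key exchange part:
        # that protocol always uses an ephemeral exchange and an AEAD cipher.
        return SuiteInfo(name, True, "AEAD", "TLSv1.3")
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    # DHE_RSA, ECDHE_ECDSA, ... give forward secrecy; RSA, DH_RSA, PSK do not.
    forward_secrecy = any(part.endswith("DHE") for part in kx.split("_"))
    if "RC4" in rest:
        bulk = "RC4"
    elif "NULL" in rest:
        bulk = "NULL"
    elif any(tag in rest for tag in ("GCM", "CCM", "CHACHA20")):
        bulk = "AEAD"
    elif "CBC" in rest:
        bulk = "CBC"
    else:
        bulk = "other"
    # AEAD suites and HMAC-SHA256/SHA384 suites only exist from TLS 1.2 on;
    # everything else is what TLS 1.0 (and SSL 3.0) clients can still reach.
    if bulk == "AEAD" or rest.endswith(("SHA256", "SHA384")):
        min_version = "TLSv1.2"
    else:
        min_version = "TLSv1.0"
    return SuiteInfo(name, forward_secrecy, bulk, min_version)


def audit(preference: List[str]) -> dict:
    """Summarise a preference-ordered suite list the way a reviewer would."""
    infos = [classify(n) for n in preference]
    first_pfs: Optional[int] = next((i for i, s in enumerate(infos) if s.forward_secrecy), None)
    rc4_rank: Optional[int] = next((i for i, s in enumerate(infos) if s.bulk == "RC4"), None)
    return {
        "first_choice_has_pfs": bool(infos) and infos[0].forward_secrecy,
        "first_pfs_rank": first_pfs,
        "rc4_rank": rc4_rank,
        "tls10_reachable": [s.name for s in infos if s.min_version == "TLSv1.0"],
    }


def prefer_forward_secrecy(preference: List[str]) -> List[str]:
    """Stable reorder: ephemeral AEAD first, other ephemeral suites next,
    non-RC4 legacy suites after that, RC4 last as the fallback of last resort."""
    def rank(name: str) -> int:
        s = classify(name)
        if s.forward_secrecy and s.bulk == "AEAD":
            return 0
        if s.forward_secrecy:
            return 1
        return 2 if s.bulk != "RC4" else 3
    return sorted(preference, key=rank)


# Constructed preference list: the two suites named in the post, then a
# hypothetical RC4 suite, then two ECDHE suites a server might also enable.
SAMPLE_PREFERENCE = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    print(audit(SAMPLE_PREFERENCE))
    print(prefer_forward_secrecy(SAMPLE_PREFERENCE))
```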
Sounds like if I ever go into a Starbucks again the first thing I'll fire up is a VPN
The only thing democratically elected representatives care about these days is the size of your donations, or how many kiddies will be affected if they don't change the law to protect them and therefore generate positive press. I think the era of caring about the electorate is over, if it ever existed.
“My preference is that we sit down more proactively with the government and talk about how can you step beyond commodity purchases because we've got a broad portfolio."
1) we want to be able to ignore procurement rules and lock in products and services without all this nasty bidding stuff
2) we have all these other high margin services that you're not buying. We want you to buy those too. maybe we'd be more flexible on pricing on the stuff you're buying if you'd buy some of that other stuff.
In other words, they want to go back to doing things the old way where the big boys locked up all the juicy contracts with high profit margins. Having seen or heard some of the crap that used to be pulled under some of these contracts, I have no sympathy with the big vendors at all. They used to milk govt. procurement processes for insane amounts of money and didn't necessarily deliver anything at the end of it.
Alphanumeric passwords on a phone?!
Complex alphanumeric passwords (especially with symbols) are a pain to enter on nearly every mobile device I have. There's no way I'd lock my phone with one as it'd take me too long to get the typing right on the tiny on-screen keyboard. Maybe phones with physical keyboards would be better for that.
Even on my tablet I stick with a numeric only PIN.
Although I tend to do better than the people surveyed here, as none of my devices are locked with 4 digit PINs, they're all longer than that.
Re: Anon 0 Government 1
The censorship won't work. China has spent *billions* on their censorship and it barely works. It just drives innovation amongst those who want freedom from oppression. The UK is too poor to waste money on crap like this. About the most the government has to do is mandate a minimum standard for parental control and then let the companies slug it out for best service.
The one big difference, I believe, is that a large part of the Great Firewall of China is state sponsored. This system is being forced on private enterprises and they will be footing the bill for implementing it (or rather, their customers will be in increased ISP bills).
I wonder if some of the smaller ISPs, who are likely less able to absorb the start up costs associated with this system, could appeal to the competition commission that the govt. hasn't undertaken a proper equality impact assessment.
Re: How to stop this happening again
I agree, partly. My caveat is around the "it's secret, therefore it must be secure" mindset some companies have. Mifare comes to mind as one example.
Publish the crypto algorithms and code for 3rd party scrutiny, or face the possibility of crippling jail and/or fines. Don't have to open source them for world+dog to use, but for $DEITY's sake get some people who know what they're doing to validate that you're not a complete muppet.
If your device or application is used often enough or in a high value target, bad people will find out exactly how sh*t your security is, and possibly before the good people.
IMHO if you insist that your security is "good enough" and don't take steps to validate this, then you deserve everything you get.
Re: Static IP
Makes me wonder if the entire purpose of Sky buying Be was to get its grubby paws on a bunch more IPv4 address space. Everyone on static IPs gets turfed off and they re-purpose the space as dynamic IPs and laugh at everyone else who is running out of IPv4 space.
Probably easier and less troublesome than CGN.
Re: Slight confusion here
Who is going to find the Babel Fish and prove $DEITY exists, and in doing so actually cause them to cease to exist because proof denies faith?
@mickey mouse the fith
I suspect most people would squirm with that question. Even if you believe the Big Bang theory, where did the energy come from to create the Big Bang? As far as I am aware there is currently no good answer for that.
Re: Eh, c'est la France !
I believe due to the NL media tax, you can't get prosecuted for downloading things from BitTorrent since you've already paid the tax on the storage.
I may be wrong, someone who lives there told me.