* Posts by Paul Crawford

3342 posts • joined 15 Mar 2007

Honda plant in Japan briefly stops making cars after fresh WannaCrypt outbreak

Paul Crawford
Silver badge

Re: The price you pay for using generic OS for industrial control

I suspect it is more down to shitty vendor's software that breaks easily with MS patches, and/or the risk assessment that such problems were more likely than an infection.

Maybe in said assessment they were wrong, of course.

5
0

Breach at UK.gov's Cyber Essentials scheme exposes users to phishing attacks

Paul Crawford
Silver badge
Coat

Re: the Morissette Scale?

I read that initially as the Morrissey scale. Not sure if that counts as ironic or not.

It's the one with the book in a pocket about being miserable now =>

8
0

Avere: You're going to see tighter integration between us and Google

Paul Crawford
Silver badge

Encryption?

Now if only you could trust such an appliance to encrypt all cloud-stored data with a key that only yourself had access to...

0
0

F-Secure's Mikko Hypponen on IoT: If it uses electricity, it will go online

Paul Crawford
Silver badge

Re: Freedome will be illegal in the UK

Come now, the snooper's charter was only ever about catching the dumb and technically ignorant out there. Admittedly, that is most people.

As for trying to crack down on VPN services, that would end up as another pointless whack-a-mole game and seriously piss off business users. Of course the gov often dances to the red-top papers' stupid suggestions so there is a fair chance they would try, but again I suspect the real experts know your biggest risk is the local muppets who can buy knives and rent a van, as we have seen recently.

1
0

Costa Rica complains of US govt harassment over Pirate Bay domain

Paul Crawford
Silver badge

I am surprised The Pirate Bay has not developed an updatable BitTorrent model that allows the "web site" to be shared like any other torrent, with local searching by pointing the browser to it and some signed-key method of pushing out incremental (rsync-like) updates to it.

6
0

South Korean hosting co. pays $1m ransom to end eight-day outage

Paul Crawford
Silver badge

Let's face it, they can probably decrypt the lot and come back in a couple of weeks' time to find the systems *still* vulnerable to being screwed over again.

Lord, praise the profits!

0
0

'OK, everyone. Stop typing, this software is DONE,' said no one ever

Paul Crawford
Silver badge

Re: Hammers

U can't touch that!

6
0

Stack Clash flaws blow local root holes in loads of top Linux programs

Paul Crawford
Silver badge

Re: Why am I not surprised to see sudo there?

"Why can't you just give the permissions you need to the relevant user? Reliance on sudo seems pretty hacky...."

The reason for 'sudo' was to allow no root account to be enabled, so (1) any attacker has to know both a sudo-enabled user name AND the matching password, and (2) also to avoid the temptation to log in as root for general work.

2
0
Paul Crawford
Silver badge

Re: @Robert Carnegie

To provide a slightly more useful answer, and as said, it is 'no' because Linux searches your path only, so even if it's not in your path but in your directory it won't be run. This is unlike Windows where it will look in your current working directory and try various extensions like .exe .com .bat etc.

So if it's not in your path you need to use a fully resolvable path such as:

/home/me/sudo (from anywhere)

./sudo (from /home/me or similar as your current working directory)

1
0

Report estimates cost of disruption to GPS in UK would be £1bn per day

Paul Crawford
Silver badge

True, but how many cell phone tower systems use anything but the USA's GPS?

Having the satellites up there is no good if a large proportion of time/frequency/navigation systems use the lowest common denominator.

1
0
Paul Crawford
Silver badge

Re: Alternatively... @TRT

Problem #1 is most cell tower systems rely on GPS for timing/frequency control and simply would go off-line without it. WiFi maybe in built-up areas, but not in the countryside really. Again, problem #2 is you would need to be prepared before the event to have all of the WiFi database on your device, because if it goes wrong then #1 will prevent you getting it.

Yes, they could invest in better oscillators and systems to last longer, but it is a commercial system at the end of the day...

1
1
Paul Crawford
Silver badge

@Dan 55

ESA is indeed separate from the EU, but Galileo is an EU project* even though most of it is managed by ESA.

The funding and political overtones to the project are complex and stupid, but the underlying idea of having a European system for political and technological independence of the USA or Russia is a fairly good idea.

[*] also with some participation by China, Israel, and others.

3
0

Software dev bombshell: Programmers who use spaces earn MORE than those who use tabs

Paul Crawford
Silver badge

I tend to use tabs, because Makefiles demand it.

However, Python demands spaces.

Both are stupid because humans don't care and many editors make it non-obvious. Finally there are tools like 'indent' that can fix C/C++ code to whatever format you like. And make it consistently so, which is probably more important than anything else.

2
0

BAE accused of flogging mass-spying toolkits to assh*le autocrats

Paul Crawford
Silver badge

Re: "It works with keywords"

While most names have multiple matches, if you know the opponent’s IMEI you probably could achieve that from knowledge of the device's location and traffic.

6
0
Paul Crawford
Silver badge

Meanwhile in the EU and 5-eyes...

They are trying to mandate this capability in law and every computing device sold.

What could possibly go wrong? Oh yes massive human rights abuse and cover-up for corruption and vested interests...

15
0

Look who's joined the anti-encryption posse: Germany, come on down

Paul Crawford
Silver badge

Short memories

Funny that Germany should come down in this way, given the still living memories of the Stasi and their love of spying on everyone. Maybe this is just election talk? Sadly there are enough stupid people around to buy the politicians' bullshit.

As many have pointed out it is only the dumb ones, and the vast majority of innocent public, who will be caught as so many options exist. It also remains to be seen how far Google & Apple are willing to bend over to support device compromise. Admittedly though so many Android devices are vulnerable anyway that installing backdoors should be simple enough without help from the USA end of things.

13
2

Don't all rush out at once, but there are a million devices ripe to be the next big botnet

Paul Crawford
Silver badge
Trollface

Better use?

Shame that malware writers would not use such vulnerable boxes for something usefully illegal such as Pirate Bay proxies...

1
0
Paul Crawford
Silver badge

Re: Slow performance

No, that is just shit software.

Like my VM Tivo box that takes longer to come out of hibernation than the old CRT television takes to be up and displaying a picture from cold.

7
0

FreeNAS releases version 11, so let us put the unpleasantness of failed V.10 behind us

Paul Crawford
Silver badge

Re: "WTF is a NAS doing hosting virtual machines?"

Depends on your situation. If you are running some big important system it would be very wise to keep the NAS simply serving files, and any VMs running on dedicated servers.

But if you are a typical home / small business it might be your NAS is lightly used and so why have two machines, at roughly double the cost/power/noise, if you can also run a VM for something you need to access from more than one client?

3
0

Europe-wide BitTorrent indexer blockade looms after Pirate Bay blow

Paul Crawford
Silver badge

Dangerous

Not the issue of TPB as that is going to run and run.

What is dangerous is the basic premise that ISPs should be made "guardians of public morality" for anyone with the money to get to court. ISPs generally won't fight for the public - they are in a low-profit business with customers who generally don't care about much but the price, and in many cases it will be in a different country / jurisdiction so it won't even be about the legality of a business. Also many ISPs are now in "content distribution" so have a biased view of what is in the public interest anyway.

17
1

Firefox 54 delivers sandboxes Mozilla's wanted since 2009

Paul Crawford
Silver badge

Re: Unusable

It is not just XP - seems that Firefox is trashing HDD on Linux as well.

Let me guess - developers with SSD who don't test their code on the majority of users' computers? Who don't check IOPS, etc, as part of any performance profile to show ongoing quality?

3
0

Five Eyes nations stare menacingly at tech biz and its encryption

Paul Crawford
Silver badge

Open source?

The other big question is how do they mandate that in any open source project? Are they going to actually make it illegal to have any properly implemented encryption? Can we ask how this might act in terms of business insurance when systems in use for protecting IP and account details, etc, are known to be vulnerable?

Seems like the 1990s are back and want to discuss those flaws and key-size limits that bit system security a couple of decades later.

13
1

Damian Green now heads up UK Cabinet Office

Paul Crawford
Silver badge

Re: Oh bugger!

Well there is the small business about the massive amount of real, hard, tangible science they do as well to consider.

Still, you have a point about know-nothing career politicians managing stuff they don't (or won't) understand.

9
0

HPE claims new gen-10 ProLiants have more mem persistence, more secure server firmware

Paul Crawford
Silver badge

Re: ?WTF?

Given the piss-poor state of ILOM security in general it might help. But equally it might just be about screwing money out of customers for support contracts as no other update routes are possible.

But equally, what sort of muppet puts server management ports on the internet at large?

1
1
Paul Crawford
Silver badge

If it's not open to inspection and to allow you to rebuild/compare with another set of compilers, then you are simply trusting them.

Sadly that counts for little now that past incompetence and secret courts are well known.

4
0

UK PM Theresa May's response to terror attacks 'shortsighted'

Paul Crawford
Silver badge

Re: Who needs broken algorithms

WhatsApp uses end-to-end encryption, the keys are generated on and stored on the user's devices.

Unless they change their software to hold copies of those keys on their servers (i.e. back-dooring the encryption system) then they CAN'T decrypt the messages passing through. Neither could a disgruntled employee working for them. Neither could a criminal gang or foreign (or own) power who hacked into their servers. It is the whole point of end-to-end systems.

They can and do provide the metadata on court request, but that is not enough for some who demand a global panopticon.

13
0

Retirement age must move as life expectancy grows, says WEF

Paul Crawford
Silver badge

And your solution is?

1
1

Qualcomm names its Windows 10 ARM PC partners

Paul Crawford
Silver badge

Re: Stop me if this sounds familiar...

MS has a history of "supporting" non-x86 CPUs then burning its customers (Alpha, MIPS, PowerPC, Itanium, ARM) so I would be suspicious.

Having said that, this time round the chip should have native x86 support for traditional Windows software. Remains to be seen just how compatible that turns out to be, of course...

9
2

Healthcare tops UK data breach chart – but it's not what you're thinking

Paul Crawford
Silver badge

And handles a lot of sensitive data.

Would be interesting to see a "ratio" metric of breach per 1000 data-using employee-days or whatever to see if they are really any better/worse than other organisations in terms of mistakes made.

2
0

German court says 'Nein' on Facebook profile access request

Paul Crawford
Silver badge

Re: @ Dan 55

Can you provide any reference to say that WhatsApp did not have any metadata to share? It seems that they do collect this and have provided it in the past:

https://fossbytes.com/whatsapp-chats-collect-data-metadata/

http://money.cnn.com/2016/04/05/technology/whatsapp-encryption/?iid=EL

Brazilian authorities have demanded WhatsApp hand over IP addresses, customer information, geo-location data and messages related to an ongoing drug trafficking case.

WhatsApp says it has been cooperating, but is not able to provide "the full extent of the information law enforcement is looking for" because of the encryption it had already implemented.

0
0
Paul Crawford
Silver badge

Re: Misreading on whatsapp

Exactly where did anyone say that WHO it was sent to was inaccessible?

That was my point, people here and elsewhere are saying that WhatsApp would not tell the police the message metadata (i.e. who, when) but in fact all that was actually said was "British security sources last month revealed Masood sent a WhatsApp message but it could not be accessed because it was encrypted by the popular messaging service". I.e. the result of end-to-end encryption.

Please read the original AC post where they said "they refused to reveal who the London attacker had been WhatsApp-ing" and my own again, and then come back with any reading comprehension issues.

0
1
Paul Crawford
Silver badge

Re: a solution

"The article you linked doesn't say that WhatsApp spilled the message, but suggests that the UK police found some other means. Perhaps the recipient themselves got in touch with the police."

Since when was the story that WhatsApp would not disclose the destination of the message? Apparently Amber Rudd was quoted as saying ‘this terrorist sent a WhatsApp message and it can’t be accessed’ which implies they were interested in the contents more than who received it (I guess in case they had then destroyed their phone, etc, if it was secret, but catching associates was probably easier).

2
0
Paul Crawford
Silver badge

Re: a solution

"Not that Facebook are particularly receptive to such orders; they refused to reveal who the London attacker had been WhatsApp-ing, despite that aspect of WhatsApp communications being something they do know"

Er, that is bollocks. They can't decrypt it as they don't hold the keys (the whole point of end to end encryption) but it seems it was not that hard to find out:

http://www.news.com.au/world/europe/westminster-attacker-khalid-masoods-last-message-revealed/news-story/a178e1545e4905daf26f040482fe1fb7

4
14

NORK spy agency blamed for Bangladesh cyberheist, Sony Pictures hack

Paul Crawford
Silver badge

Hmm, so Russian researchers conclude "To mask malicious activity, the hackers used a three-layer C&C infrastructure and pretended to be Russians.” No possible conflict of interest here, move along now...

11
1

Ransomware realities: In your normal life, strangers don't extort you. But here you are

Paul Crawford
Silver badge

Re: Inevitable - erm no

Much more important for any OS would be making user-writeable areas no-execute (mount option in Linux, ACLs for Windows). Won't stop zero-day stuff with privilege escalation from Word or similar, but will stop many email Trojans.

7
1
Paul Crawford
Silver badge

While it helps, it should not be your major factor as people ALWAYS make mistakes, myself and other more competent admins included. Your system has to allow for this and deal with it.

14
0

Defend yourself against ISP tracking in an Trump-era free-for-all

Paul Crawford
Silver badge

Re: Good ideas, but...

Hmm, I wonder how they ever managed to vet people before they spaffed everything online?

4
0
Paul Crawford
Silver badge

Re: Good ideas, but...

"For some levels of security clearance you will be asked if you have ever browsed via VPN (they will almost certainly know the answer beforehand) and if you have they don't like it."

Really? I would have thought that knowing how to protect your privacy and security (more so when using dodgy "free wifi" on the move) would be a definite advantage for someone they don't want leaking information or being blackmailed.

7
1
Paul Crawford
Silver badge

Re: A lot of VPN providers out there provide badly configured clients.

As with any system, test it. Test it again. FOR FSCK SAKE, TEST IT! These are a start:

https://www.ipleak.net/

https://www.dnsleaktest.com/

No doubt many more exist. The point is, don't use anything important without regular testing. Oh and please don't use PPTP either as it's known to have poor security.

6
0
Paul Crawford
Silver badge

Re: Ensure your *router* is doing your VPNing ...

A VPN is not about hiding yourself. They (ISP, gov, etc) already know you so very well. It's about making it harder for the bar stewards to spy on you.

The other top tip is to go with a VPN provider in another country, ideally not one with odious spying laws like the UK obviously. That way your own gov has to make a proper request to another country's legal system to spy on you. It won't help at all if you are considered a high-value target, but for most people it raises the bar to spying as they can't just lean on the provider using their own secret courts, etc. Sure it won't stop NSA/GCHQ level spying via network compromises, etc, but it sure will stop every jumped-up petty bureaucrat or advertising slime-ball from seeing your history in case you have something like the UK's Snooper's Charter giving world+dog access without judicial oversight.

14
1

Google can't spare 113 seconds of revenue to compile data on its gender pay gap

Paul Crawford
Silver badge

( ! )

Are you sure of where you are talking from?

10
2

EU axes geo-blocking: Upsets studios, delights consumers

Paul Crawford
Silver badge

Re: hurting pirates

Some pirate simply because they can (or should I say, because they arrrrr!). This makes life fractionally easier for them.

Many pirate because they are pissed off being unable to pay for what they want to view because of where they live. For them this is a breath of sanity and will see many change to being paying customers. Assuming the suppliers don't fuck up and expect you to install Silverlight or some other shitty software to access stuff, of course...

24
3
Paul Crawford
Silver badge

Re: one common set of audiovisual rules across the EU

"BBC R4 LW seems erratic power, few radios even have LW."

I think you can put that down to the shitty state of EMC enforcement where so much crap, including a lot of ISP-supplied broadband router/modems, etc, churn out noise in the whole lower frequency range (LW/MW/SW).

14
1

TRUMP SCANDAL! No, not that one. Or that one. Or that one. Or that one.

Paul Crawford
Silver badge

Re: Weird.

Well done, over many years you have found 11 examples of Muslims causing atrocities in the USA. Now then, maybe we should talk about the approx 30,000 gun related deaths in the USA every year?

Or, should you choose to define a "mass shooting" as 3 or more victims at one event, the practically daily occurrence of said shootings?

http://www.bbc.co.uk/news/world-us-canada-34996604

Sure you might not like the BBC as a politically neutral news source, but you can check up on the facts and report any that are actually incorrect.

7
0

BA's 'global IT system failure' was due to 'power surge'

Paul Crawford
Silver badge

Re: should be child's-play?

Well our out-sourced staff can't do it.

Say, can you find us a child with some computing aptitude?

2
1

Horse named 'Cloud Computing' finds burst of speed to beat 'Classic Empire' in actual race

Paul Crawford
Silver badge

Re: But...

Sort of hard reset?

My best friend during university said if he ever had a racing horse it would be called "JK bistable" but I'm not sure why. Wonder what the masses would make of that?

2
0

Mi casa es su casa: Ubuntu bug makes 'guests' anything but

Paul Crawford
Silver badge

Re: Flaky guest account

Well considering the number of things that systemd forced changes upon that were then broken, it's a reasonable starting point:

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1535840

https://bugs.launchpad.net/ubuntu/+source/watchdog/+bug/1448924

https://bugs.launchpad.net/ubuntu/+source/watchdog/+bug/1535854

14
1
Paul Crawford
Silver badge

Flaky guest account

The "guest account" has always been a mixed bag as far as security is concerned, but clearly someone has screwed up here and deserves to be spanked. A systemd-related change perhaps?

On the one hand it is a good idea that guests can use a machine without widespread access, and once they log out their own privacy is maintained by deleting the account. However, there are some aspects that are security issues (I guess why GCHQ advise disabling it):

1) If using a corporate VPN on boot, then they are in without user login (even if internal resources should be checking credentials as well)

2) Typically the guest area is a fuse loop-back mount in /tmp but that allows execution even if /tmp has been mounted noexec, etc.

3) The implementation creates random-ish UID/GID values but on a system crash (think - person switching off machine without guest logging off) these accumulate as they don't get purged.

See also https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1604-lts where they also advise that all usual user accounts should have 'other' access removed (e.g. chmod o-rx /home/*)

6
2
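As an added example (not part of the comment above, nor any NCSC or Ubuntu tooling), a small POSIX shell audit for the two mitigations raised in the posts on this page: user-writable mount points that lack `noexec` (the ransomware comment's "no-execute" point) and home directories that still grant 'other' read/execute (the `chmod o-rx /home/*` advice). It assumes GNU `find` (`-perm /mode`) and a mounts listing in /proc/mounts format; the sample mounts and home directories it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit two mitigations discussed in the comments above.
# Assumes GNU find (-perm /mode) and a /proc/mounts-format mounts file.

# Print mount points that are writable by ordinary users by convention
# (/tmp, /var/tmp, /dev/shm, /home, /run/user/*) whose options lack noexec.
# $1 = path to a file in /proc/mounts format (default: the live /proc/mounts).
mounts_missing_noexec() {
    awk '
        $2 ~ /^\/(tmp|var\/tmp|dev\/shm|home|run\/user\/[0-9]+)$/ {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
            if (!found) print $2
        }' "${1:-/proc/mounts}"
}

# Print home directories directly under $1 (default /home) that grant read
# or execute to "other" - exactly the ones chmod o-rx /home/* would fix.
homes_with_other_access() {
    find "${1:-/home}" -mindepth 1 -maxdepth 1 -type d -perm /o+rx | sort
}

# Constructed sample /proc/mounts content for a stand-alone run:
# /tmp is correctly noexec; /dev/shm, /home and the user runtime dir are not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=102400k 0 0
EOF
}

# Build a scratch "/home" with one open and one locked-down directory
# (constructed test data); prints the scratch path.
make_sample_homes() {
    d=$(mktemp -d)
    mkdir -m 755 "$d/alice"   # other has r-x: should be flagged
    mkdir -m 750 "$d/bob"     # other has ---: clean
    printf '%s\n' "$d"
}

# Stand-alone demo: run as "sh audit.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_mounts > "$f"
    echo "user-writable mounts lacking noexec:"; mounts_missing_noexec "$f"
    h=$(make_sample_homes)
    echo "home dirs readable/executable by others:"; homes_with_other_access "$h"
    rm -rf "$f" "$h"
fi
```

Run without `--demo` and call `mounts_missing_noexec` and `homes_with_other_access` with no arguments to check the live system instead of the constructed sample.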

Azure users told they're not WannaCrypt-proof

Paul Crawford
Silver badge

Re: @LDS

Ah - my mistake then!

I just did not read it that way as I never considered that you would disable V2 / V3 but still plan on using SMB V1.

0
0

You think your day was bad? OS X malware hackers just swiped a Mac dev's app source

Paul Crawford
Silver badge

Re: Lost ?

Biggest risk really is malicious Git commits using the compromised credentials - they need to be sure the developers check all "their" stuff since the incident until they found out to see that it really was work they did.

3
0

Biting the hand that feeds IT © 1998–2017