Posts by Andrew Commons

162 posts • joined 22 Dec 2007


OK Google, why was your web traffic hijacked and routed through China, Russia today?

Andrew Commons

The last paragraph says it all

"The internet is built on such an open chain of trust that it is not hard for anybody to inject fake information," Naik said. "It really is that simple."

And the great digital transformation drive has turned this into critical infrastructure.

8
1

Russian computer failure on ISS is nothing to worry about – they're just going to turn it off and on again

Andrew Commons

Re: Failure is not an option

Indeed, "Build Failure In" is the current paradigm. Fits nicely with the "Fail Fast, Fail Often" methodology.

12
0

Should a robo-car run over a kid or a grandad? Healthy or ill person? Let's get millions of folks to decide for AI...

Andrew Commons

Re: egregious Jaywalking

I just love that word - egregious. Its original meaning is completely the opposite of current usage, which leads to interesting speculation regarding the intentions of the author... 'remarkably good' or 'outstandingly bad'. Perfect word for having a bet both ways!

7
0

Cybercrooks home in on infosec's weakest link – you poor gullible people

Andrew Commons

Re: About one quarter right...

@Claptrap.

Let's look at some of the things the 'top professional team' will do.

* Originate emails from compromised accounts. The sender information is completely valid and if the address book and Inbox/Outbox are used to select recipients they are used to receiving emails from the compromised sender. Going a step further, they may be used to receiving emails with links from the trusted (but compromised) sender.

* Use a valid domain where the domain owner has not implemented any countermeasures such as SPF or DMARC. A major bank had such a domain, it was regularly used for phishing attacks, they never used the domain for customer emails but the customers didn't know that.

* Use non-standard email headers to trick the email client into presenting an external email exactly as if it had been sent internally. The displayed From address is a valid internal address, all adornments applied to internal emails are present, visually perfect.

* Time emails so that they get into the recipients' Inbox at the start of local business hours. They get actioned quickly when the user starts work. Volume sent is small to make them harder to detect, 10 or 12 is enough.

* Use information gleaned from the Internet to make the Subject and content more convincing. An online job ad was used to provide context in one case, anything out there will be used against you.

This is just a small sample. The top teams are highly skilled and they will take care in their targeted attacks. Your walls don't really exist. The recipients, the users, are way out of their depth.

1
0
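A header-level check for the first three bullets above (compromised or look-alike senders, domains without SPF/DMARC, and external mail dressed up to look internal), written as an added example rather than anything from the post; the domain example.com and both sample messages are constructed.

```python
"""Flag inbound mail whose visible From: claims an internal sender while the
transport evidence (Return-Path, Authentication-Results) does not back it up.
Assumed: example.com is the organisation's domain; both messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAIN = "example.com"  # assumption for this example

def _domain(header_value):
    """Bare, lower-cased domain of an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """{method: result} from Authentication-Results, e.g. {'spf': 'pass', 'dmarc': 'none'}."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            found[method.lower()] = result.lower()
    return found

def analyse(raw):
    """Return finding codes for one raw RFC 5322 message; an empty list means clean."""
    msg = message_from_string(raw)
    from_dom, rp_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    auth = auth_results(msg)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path-mismatch")  # envelope sender is not the displayed sender
    if not auth:
        findings.append("no-authentication-results")  # edge MTA recorded no SPF/DKIM/DMARC check
    elif auth.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")  # sender domain has no DMARC, or alignment failed
    if from_dom == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("internal-from-unauthenticated")  # looks internal, no proof it is
    return findings

# Constructed samples: one spoof of an internal address, one genuine internal message.
SPOOFED = """Return-Path: <bounce@mailer-xyz.invalid>
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=mailer-xyz.invalid; dmarc=none header.from=example.com
From: "Payroll (internal)" <payroll@example.com>
To: alice@example.com
Subject: Action required before 9am

Please review the link below.
"""
GENUINE = """Return-Path: <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Payroll <payroll@example.com>
To: alice@example.com
Subject: Payslip

Your payslip is attached.
"""
```

Run `analyse(SPOOFED)` and `analyse(GENUINE)` to compare the two; a message with no Authentication-Results at all is reported separately, since that usually means the edge MTA is not evaluating SPF/DMARC in the first place.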
Andrew Commons

Lambs to the slaughter

Your office soccer team (imagine you have one, any other team sport will do) gets a game against a top professional team. They get thrashed. Management decides awareness of the rules will help and the whole office gets training. There is a rematch with the office team. They get thrashed. The office team is taken to one side and given two days intensive awareness of the rules and tactics before another match. They get thrashed.

So it is with security.

The security industry has realised that the People side of the process hasn't really been fully milked yet and the technology snake oil is starting to wear thin. So this is where the new focus is.

The office team will never beat the professionals. You have to change the rules to do that. But organisations don't have the balls to change the rules. Restrict Internet access for example, only allow business emails, segregate areas of the business that need unfiltered interactions,... All technically possible. Then look explicitly at how Process and Technology failures can impact you and implement countermeasures.

Don't put the weakest link on the front line.

7
1

UK cyber security boffins dispense Ubuntu 18.04 wisdom

Andrew Commons

Re: Number of vulns means nothing

Vulnerability counts of this type are very misleading. You just keep changing the product names to keep the numbers down. Sum all the MS Server counts regardless of version and then start making comparisons.

12
1

Microsoft devises new way of making you feel old: Windows NT is 25

Andrew Commons

@ Dave Pickles

When Win NT was first released we were doing side by side comparisons with VMS and two things that Cutler didn't bring over were puzzling. First up Logical Names which gave you a level of indirection for practically everything along with protected name spaces. Then there was the big omission of Installed Images that allowed privileges to be assigned to trusted pieces of code (amongst other things, sharing, fast startup etc as well) removing the need for users to have privileges. Both were probably out of place in a PC operating system.

3
0

America's forgotten space station and a mission tinged with urine, we salute you

Andrew Commons

Re: "Who's the best pilot you ever saw?"

It was a great book/film. And Tom Wolfe died two days ago so a double whammy.

7
0
Andrew Commons

Re: the whole setup was pretty crude

Each spacecraft was hand made and unique. The men inside them were seasoned test pilots who flew 'experimental, hand made, and unique' for a living. They were highly intelligent and understood the risks. Brave is not an adequate word to describe them.

54
0

You're in charge of change, and now you need to talk about DevOps hater Robin

Andrew Commons

FinTech startups

They are not big enough to cause a fuss if they fail and haven't been around long enough for their failures to catch up with them.

1
0
Andrew Commons

Re: Change for the sake of change

Once upon a time... there was this sudden push to go 'Agile'. This was OK, but having spent a bit of time in the process improvement space I started asking some questions. These were along the lines of 'what is wrong with the current methodology', where is it failing; 'what do we want to keep from the current methodology', where is it working; and 'how do we measure success'. After a lot of ducking and weaving it came down to 'HR think we will not be able to recruit young people unless we are "doing Agile"'. And DevOps is different because...

4
0

Commbank data loss: Non-disclosure was pretty reasonable

Andrew Commons

The Reg piece suggests that the appropriate authorities were notified and that they made the determination that there was not a real risk of serious harm to the CBA customers involved.

Note that there is a distinction between 'harm' and 'serious harm', which was made deliberately to minimise the number of breaches that needed to be reported.

The explanatory memorandum that accompanies the legislation makes quite interesting reading in this context.

1
0

NASA dusts off FORTRAN manual, revives 20-year-old data on Ganymede

Andrew Commons

Re: The problem probably wasn't the software...

"VAXes have serial interfaces"

I think they all had a serial console interface so yes, that would work well.

3
0
Andrew Commons

Re: The problem probably wasn't the software...

"languages such as FORTRAN and BASIC were all wrappers around the RTL"

Actually each language had its own RTL as well as the common RTLs, these were fully documented in versions of VMS before 4.

7
0
Andrew Commons

Re: The problem probably wasn't the software...

Almost certainly not the software, although the software migration could be non-trivial if the code relied on long deprecated low level run time functions.

The other factor to consider with the hardware is not just reading the stuff but being able to write it to something your more modern hardware can handle.

15
0

Scratch Earth-killer asteroid off your list of existential threats

Andrew Commons

Re: n-body problem?

Well, yes, but for very large values of 'n'.

See 'Oumuamua to estimate how large that might be.

4
0

Air gapping PCs won't stop data sharing thanks to sneaky speakers

Andrew Commons

Re: Relevance

@Doctor

With just in time manufacturing you could get quite specific. And if you stuffed something in the BIOS then infecting everything is no big deal. Compromise the machines you are potentially interested in at source. You just need a listening device not another machine in the same room and you can build that into the wall.

1
0
Andrew Commons

Re: Relevance

The people who build them and ship them have physical access so that's one hell of a big handful.

2
0
Andrew Commons

Re: Alexa

You forgot to add the spooky laughing.

15
1
Andrew Commons

Re: training a camera at the screen while it displays information

Just make the screen flicker a bit.

6
0
Andrew Commons

An appreciation of a good bass player is useful as you get older :)

7
0
Andrew Commons

Fast enough...

You can get a big crypto key out in less than an hour.

6
0
Andrew Commons

Deja vu all over again

Sure did. And it was also reported on The Register.

https://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

8
0

Great, we're going to get DevOps-ed. So, 15 years of planning processes – for the bin?

Andrew Commons

Re: Where’s the part that ensures the software is actually legal?

@Rob@rob

A good tool chain can certainly help. I assume you are doing this with requirements as well and test coverage includes requirements traceability that extends through all work products? In other words end to end with senior management using the tools as well? Tampering with the audit trail not possible, integration between different audit trails all present and correct, and the entire chain future proofed so it can be pulled in 10+ years time?

0
0
Andrew Commons

Re: Where’s the part that ensures the software is actually legal?

I would like to see how this gets implemented in an organisation exposed to the Sarbanes-Oxley Act. I was with an organisation that was exposed to it and had to devise something that clearly showed that everything that hit production was known and approved by management before we got hit by an audit. Being able to reconstruct Production as it was at any specific time was also in the mix. Doing this convincingly in DevOps must be interesting.

13
0

Australia's new insta-pay scheme has insta-lookup of any user's phone number

Andrew Commons

If you're an online crim....

Britain, where online banking fraud jumped 132 per cent after it introduced a faster payments system in 2008.

See:

http://www.smh.com.au/business/rising-fraud-risk-tipped-from-move-to-realtime-payments-20170127-gtzulk.html

And:

http://www.afr.com/business/banking-and-finance/cyber-fraud-risks-rise-ahead-of-instant-payments-20170612-gwpeva

3
1
Andrew Commons

What happens when email is used as the Id?

Just curious.

Would not be surprised if the person's name was again displayed.

I'm staying well away from it.

3
1

Hands up who HASN'T sued Intel over Spectre, Meltdown chip flaws

Andrew Commons

Software next?

Maybe we could see software manufacturers being sued for vulnerable products at last? Although I imagine they have covered themselves as much as they can in the EULAs, but these are not sufficient in all jurisdictions.

15
0

You can resurrect any deleted GitHub account name. And this is why we have trust issues

Andrew Commons

What am I missing here?

Nothing.

If you use a third party module you download it, put it under your source code control, and be prepared to maintain it yourself.

69
0

Home taping revisited: A mic in each hand, pointing at speakers

Andrew Commons

Re: Why on earth do you clean the tracks?

It depends on the age of the vinyl. I do it selectively, mainly on the quiet sections. If it's a loud section it just stays there unless it is really bad.

2
0
Andrew Commons

Vinyl to Digital

Getting old vinyl records into digital format is still a thing and it is very time consuming. Record the album, break it up into tracks, clean the tracks taking care not to edit out drum hits that look like scratches in the audio wave form, burn to a CD and also convert to MP3.

Takes quite a while to do each album.

4
0

Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Andrew Commons

Re: Happy Days!

@Phil O'Sophical

You don't need an old PC, a Raspberry Pi will do!

https://www.rs-online.com/designspark/a-raspberry-pi-vax-cluster

I used to be quite familiar with manually booting various early VAX models and tweaking a few of the parameters in the early boot stages once upon a time.

1
0
Andrew Commons

Re: Happy Days!

@Phil

MAXSYSGRP or something like that as I recall. And I think you set that in VMB?? You set conversational boot anyway.

1
0
Andrew Commons

Re: Wasn't VMS...

@Norman

What crippled Win NT was that it was a consumer desktop operating system and many of the really good bits of VMS that should have been in there were left out. Think logical names and installed images for a start... although it seems that it is a flaw in a privileged installed image that is the problem here.

4
1
Andrew Commons

Re: Source code

I still have the microfiche...and a reader...getting a globe for the reader is a different problem.

0
0
Andrew Commons

Re: The sky is falling in

@Dan 55

"You do realise that VMS's security is by obscurity? It's quite expensive to get hold of"

Well, if you consider the free hobbyist licence expensive I guess it is.

11
0
Andrew Commons

Re: Simple workaround?

Yes you can, but it's rarely used.

0
0
Andrew Commons

Simple workaround?

Either remove CDU from non-privileged user command tables and/or reinstall it (this is VMS INSTALL) without CMEXEC. Not sure what the side effects of the second option would be.

It would be rare for non-privileged users to be using the SET COMMAND command.

7
0

You're the IT worker in charge of securing the cloud for your company. Welcome to Hell

Andrew Commons

Re: ..Osborne, you were spoilt!

@Doctor Syntax

The Silent 700 Model 763 - the one with the bubble memory - was 17 lb. I had an Osborne as well but I never had to lug that 1km to the train so it seemed lighter.

0
0
Andrew Commons

..Osborne, you were spoilt!

Try a TI Silent 700 for size. They were heavy!

https://en.wikipedia.org/wiki/Silent_700

8
0

DevOps: Bloody hell, we've got to think about security too! Sigh. Who wants coffee?

Andrew Commons

@Bill M

Presumably the firewall was relocated to where it was originally meant to be...blocking access from the Dev boxes to Production?

8
0

Dinosaurs gathered at NASA Goddard site for fatal feeding frenzy

Andrew Commons

Just a loose slab of rock?

In the Nature piece it looks like a loose slab of rock buried in the ground... there may be more of it nearby?

4
0

On yer bike! Boffins teach AI drone to fly itself using cams on bicycles, self-driving car

Andrew Commons

Re: Rotating blades at groin height

"2.5 meters (high enough to avoid most urban obstacles testicles)"

There, fixed it for you.

20
0

'Do the DevOps?' No thanks! Not until a 'blameless post-mortem' really is one

Andrew Commons

Re: At exec level the word Agile has a completely different meaning

"They will not even realise it's the name of a methodology."

Strictly speaking it is the name of a Manifesto, the methodologies associated with it try to adhere to the principles but may do so in different ways.

1
0

Parity calamity! Wallet code bug destroys $280m in Ethereum

Andrew Commons

Re: This is when I know I'm getting old...

Software defined money. That it's broken is no surprise because we cannot write software.

Thank god we don't have software defined networks, software defined infrastructure or software defined security because we would be royally screwed then.

33
0

Transparent algorithms? Here's why that's a bad idea, Google tells MPs

Andrew Commons

Re: The algorithmic model can be can be selectively tested with different types of input

Some research recently published on the arXiv preprint server examined inserting back-doors in algorithms during the training phase. The rationale was that training was likely to be outsourced - sent to the Cloud - to get the compute resources and that the training data could be manipulated while it was in the Cloud. Worked well. Back-door could not be detected looking at the model and it survived additional training largely unscathed.

9
0

Security pros' advice to consumers: 'We dunno, try 152 things'

Andrew Commons

An old survey.

"We used Google Forms (www.google.com/forms/about) to write and host the survey, which ran from February through June 2014"

That's in the final version in IEEE Security & Privacy as well so I assume it's the correct date.

4
0

Red (Planet) alert: Future astro-heroes face shocking adventures on Martian moon Phobos

Andrew Commons

There are Puns and Punishment

And that heading is the latter. The machine-pun approach does not befit El Reg. It may lead to negative feelings, sparks may fly, charges may be laid.

13
0

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

Andrew Commons

Re: Router firmware updates?

It looks like an update for my SOHO Access Point has been available for about a week. Check vendor support sites.

1
0

London Tube tracking trial may make commuting less miserable

Andrew Commons

Re: One thing I always failed to understand....

I believe iOS does a pretty good job of MAC address randomisation when not associated, Android is generally very poor. This could bias the sample.

2
4


Biting the hand that feeds IT © 1998–2018