* Posts by Andrew Commons

180 posts • joined 22 Dec 2007


This must be some kind of mistake. IT managers axed, CEO and others' wallets lightened in patient hack aftermath

Andrew Commons

Re: Seems legit

@Peter2

As far as I understand it they segment the network so that if Internet access is required for work purposes then you (the employee) have Internet access. If Internet access is not required for work purposes then no access. This includes email. Devices with Internet access do not have access to the protected segment.

There are many roles that do not require Internet access in an organisation. Technical roles are often considered an exception but there are ways that this can be minimised.

Andrew Commons

Re: Seems legit

Indeed, and the western world should probably follow Singapore in removing Internet access from most public service accounts. They committed to this in mid 2016. See this commentary related to this incident:

https://www.gov.sg/news/content/internet-separation-could-and-should-have-been-implemented-in-public-healthcare-system

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it's 'an act of war'

Andrew Commons

Re: An opposing point of view

That would be interesting. I suppose you could also extend negligence to include using software that you knew was faulty regardless of how much you patched it. Proving you weren't negligent does indeed become a challenge.

Andrew Commons

An opposing point of view

Interestingly there is an opinion from Marsh LLC, part of Marsh and McLennan, who are in the same business as Zurich and about the same size as Zurich, that it was NOT Cyber War.

[PDF] https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/NotPetya-Was-Not-Cyber-War-08-2018.pdf

I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.

US trade watchdog, mobe makers queue to smack Qualcomm as antitrust trilogy opens

Andrew Commons

Re: Patently ridiculous?

Actually it shows that people do not think the investment companies make in developing ground breaking technologies and turning them into a successful market should be returned to those companies along with a profit. This enables them to pay the researchers and continue their research and so continue to employ and pay researchers.

Andrew Commons

Well exactly. And bundle pricing is a feature used everywhere not just in this business.

Andrew Commons

Re: Patently ridiculous?

Isn't this about hardware rather than software? From my reading of the Reg piece Intel can, and do, manufacture compatible modems without treading on Qualcomm patents. These modems presumably comply with the standards and are used by major players.

Andrew Commons

Re: Patently ridiculous?

I think Qualcomm were open about their patents and the standards.

Andrew Commons

Re: Patently ridiculous?

So they are clever businessmen as well??

It would seem that those who created the public standards created this problem then.

Andrew Commons

Patently ridiculous?

So Qualcomm owns the patents, there seems to be no dispute about that. Ownership of the patents provides control over the use of the technology. Qualcomm exercises those rights to maximise its revenue, as you would, and then has to defend itself in civil court because it holds some really good patents.

Does this sort of shit happen in other domains, Pharmaceuticals for instance?

An upset tummy and a sphincter-loosening blackout: Lunar spaceflight is all glamour

Andrew Commons

Re: Lunch from both ends?

And this was in the days before laser hair removal.....

Andrew Commons

Re: Lunch from both ends?

I read somewhere that taking a dump in an Apollo capsule involved the use of a carefully positioned plastic bag on the part of the dumpee. The remaining two crew got as far away as they could during the process. If you have seen one of these capsules you soon realise that 'as far away as you can' is a pretty meaningless concept in these circumstances.

Serverless is awesome (if you overlook inflated costs, dislike distributed computing, love vendor lock-in), say boffins

Andrew Commons

Re: Measurements?

Good choice, it will need to be calibrated of course. So maybe a Drone can have an innovation of 1 Sinclair and disruption, measured in Gatwicks, of 36?

Andrew Commons

Measurements?

...just imagine how much innovation will be done on these platforms...

How is 'innovation' quantified? Innovations per second? A metric fuck-ton of innovation? And is there a one-to-one correspondence between 'innovation' and 'disruption'? We need to measure the inevitable 'disruption' as well.

Can the El Reg Units desk help out here?

Oh Deer! Poacher sentenced to 12 months of regular Bambi screenings in the cooler

Andrew Commons

Well there is always...

Bambi Meets Godzilla. Now available on YouTube. I saw the VT100 ASCII animation way back, so there are a number of ways the sentence can be carried out.

25% of NHS trusts have zilch, zip, zero staff who are versed in security

Andrew Commons

How easy is it to hack a fax machine anyway?

Not that hard apparently. There was a lot of press about it in August of this year. A lot of them come bundled with MultiFunction Devices and you have to tweak a few configuration options to stop them being used as a path into the internal network. This has been the case for quite a few years now.

FYI: NASA has sent a snatch-and-grab spacecraft to an asteroid to seize some rock and send it back to Earth

Andrew Commons

Not exactly 'snatch and grab'

A burst of nitrogen gas will stir up regolith on the asteroid’s surface, which will be caught in the TAGSAM head.

More like a blow job.

Britain may not be able to fend off a determined cyber-attack, MPs warn

Andrew Commons

Re: Carp

I've run security at a utility subject to the sort of controls described here. You have to get your proposed budget through your management plus the external body controlling prices. In my case this was an exercise you performed every 5 years (you were bidding for 5 years' money), so a lot of educated guessing was involved in the guise of 'strategic planning'. Note that the submission to the external authority includes everything the utility does so the security budget is at best a single line somewhere with external material to justify it. My modest budget was still cut internally due to overall limits on opex rather than capex. Another (more critical) utility subject to the same process had their security budget savaged by the regulator.

I found the main problem was head count. For the size of the team we had enough money to run all the projects we could handle and we could get contractors in for project work. Getting a head count increase was a different matter entirely.

OK Google, why was your web traffic hijacked and routed through China, Russia today?

Andrew Commons

The last paragraph says it all

"The internet is built on such an open chain of trust that it is not hard for anybody to inject fake information," Naik said. "It really is that simple."

And the great digital transformation drive has turned this into critical infrastructure.

Russian computer failure on ISS is nothing to worry about – they're just going to turn it off and on again

Andrew Commons

Re: Failure is not an option

Indeed, "Build Failure In" is the current paradigm. Fits nicely with the "Fail Fast, Fail Often" methodology.

Should a robo-car run over a kid or a grandad? Healthy or ill person? Let's get millions of folks to decide for AI...

Andrew Commons

Re: egregious Jaywalking

I just love that word - egregious. Its original meaning is completely the opposite of current usage, which leads to interesting speculation regarding the intentions of the author... 'remarkably good' or 'outstandingly bad'. Perfect word for having a bet both ways!

Cybercrooks home in on infosec's weakest link – you poor gullible people

Andrew Commons

Re: About one quarter right...

@Claptrap.

Let's look at some of the things the 'top professional team' will do.

* Originate emails from compromised accounts. The sender information is completely valid and if the address book and Inbox/Outbox are used to select recipients they are used to receiving emails from the compromised sender. Going a step further, they may be used to receiving emails with links from the trusted (but compromised) sender.

* Use a valid domain where the domain owner has not implemented any countermeasures such as SPF or DMARC. A major bank had such a domain, it was regularly used for phishing attacks, they never used the domain for customer emails but the customers didn't know that.

* Use non-standard email headers to trick the email client into presenting an external email exactly as if it had been sent internally. The displayed From address is a valid internal address, all adornments applied to internal emails are present, visually perfect.

* Time emails so that they get into the recipient's Inbox at the start of local business hours. They get actioned quickly when the user starts work. Volume sent is small to make them harder to detect, 10 or 12 is enough.

* Use information gleaned from the Internet to make the Subject and content more convincing. An online job ad was used to provide context in one case, anything out there will be used against you.

This is just a small sample. The top teams are highly skilled and they will take care in their targeted attacks. Your walls don't really exist. The recipients, the users, are way out of their depth.
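The first three bullets above are things a mail gateway can check mechanically: a From header that claims an internal domain while the envelope sender and authentication results say the message came from outside, and sender domains whose owners publish no enforcing DMARC policy. The script below is an added example from the editor, not code from the comment, the commenter or The Register. It assumes a receiving organisation whose own domain is example-corp.internal, two constructed sample messages, and the Authentication-Results header format of RFC 8601; it uses only the Python standard library.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the receiving organisation's own mail domains.
INTERNAL_DOMAINS = {"example-corp.internal"}

# Constructed sample: an external relay delivers a message whose From header
# claims an internal address (the "looks internal" trick from the comment).
SPOOFED_MSG = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.example-corp.internal
Authentication-Results: mx.example-corp.internal; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example-corp.internal
From: "Finance Team" <finance@example-corp.internal>
To: staff@example-corp.internal
Subject: Urgent: approve invoice
Date: Mon, 15 Oct 2018 09:02:00 +1000

Please approve the attached invoice before 10am.
"""

# Constructed sample: a genuinely internal message that passes all checks.
LEGIT_MSG = """\
Return-Path: <finance@example-corp.internal>
Authentication-Results: mx.example-corp.internal; spf=pass smtp.mailfrom=example-corp.internal; dkim=pass header.d=example-corp.internal; dmarc=pass header.from=example-corp.internal
From: "Finance Team" <finance@example-corp.internal>
To: staff@example-corp.internal
Subject: Monthly report
Date: Mon, 15 Oct 2018 11:30:00 +1000

Report attached.
"""


def parse_auth_results(value):
    """Turn an Authentication-Results header into {'spf': 'pass', 'dkim': 'none', ...}.

    The first ';'-separated field is the authserv-id and is skipped; each
    following field starts with method=result (RFC 8601).
    """
    results = {}
    for part in value.split(";")[1:]:
        part = part.strip()
        if not part:
            continue
        method_result = part.split()[0]
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def analyse(raw):
    """Return a list of findings for one raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = rp_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    if from_domain in INTERNAL_DOMAINS:
        # A message claiming to be internal must also bounce internally and
        # carry a DMARC pass for our own domain; anything else is a spoof signal.
        if rp_domain and rp_domain not in INTERNAL_DOMAINS:
            findings.append("internal From with external Return-Path %s" % rp_domain)
        if auth.get("dmarc") != "pass":
            findings.append("internal From but dmarc=%s" % auth.get("dmarc", "absent"))
    elif auth.get("dmarc") in (None, "none"):
        # External sender whose domain publishes no usable DMARC policy:
        # exactly the kind of domain the comment describes being abused.
        findings.append("external sender domain %s has no DMARC result" % from_domain)
    return findings


def assess_dmarc_record(txt):
    """Classify a domain's _dmarc TXT record text as 'missing', 'monitor-only' or 'enforcing'."""
    if not txt:
        return "missing"
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing"
    # p=none means the owner only monitors; receivers are told not to reject.
    return "monitor-only" if tags.get("p", "none") == "none" else "enforcing"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, analyse(raw))
    print(assess_dmarc_record("v=DMARC1; p=none; rua=mailto:reports@example.net"))
```

In a real deployment the Authentication-Results header must come from your own gateway (strip any copy that arrives from outside), and the DMARC record text would be fetched from DNS for the sender's domain; both are left as inputs here so the logic runs offline.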

Andrew Commons

Lambs to the slaughter

Your office soccer team (imagine you have one, any other team sport will do) gets a game against a top professional team. They get thrashed. Management decides awareness of the rules will help and the whole office gets training. There is a rematch with the office team. They get thrashed. The office team is taken to one side and given two days intensive awareness of the rules and tactics before another match. They get thrashed.

So it is with security.

The security industry has realised that the People side of the process hasn't really been fully milked yet and the technology snake oil is starting to wear thin. So this is where the new focus is.

The office team will never beat the professionals. You have to change the rules to do that. But organisations don't have the balls to change the rules. Restrict Internet access for example, only allow business emails, segregate areas of the business that need unfiltered interactions,... All technically possible. Then look explicitly at how Process and Technology failures can impact you and implement countermeasures.

Don't put the weakest link on the front line.

UK cyber security boffins dispense Ubuntu 18.04 wisdom

Andrew Commons

Re: Number of vulns means nothing

Vulnerability counts of this type are very misleading. You just keep changing the product names to keep the numbers down. Sum all the MS Server counts regardless of version and then start making comparisons.

Microsoft devises new way of making you feel old: Windows NT is 25

Andrew Commons

@ Dave Pickles

When Win NT was first released we were doing side by side comparisons with VMS and two things that Cutler didn't bring over were puzzling. First up Logical Names which gave you a level of indirection for practically everything along with protected name spaces. Then there was the big omission of Installed Images that allowed privileges to be assigned to trusted pieces of code (amongst other things, sharing, fast startup etc as well) removing the need for users to have privileges. Both were probably out of place in a PC operating system.

America's forgotten space station and a mission tinged with urine, we salute you

Andrew Commons

Re: "Who's the best pilot you ever saw?"

It was a great book/film. And Tom Wolfe died two days ago so a double whammy.

Andrew Commons

Re: the whole setup was pretty crude

Each spacecraft was hand made and unique. The men inside them were seasoned test pilots who flew 'experimental, hand made, and unique' for a living. They were highly intelligent and understood the risks. Brave is not an adequate word to describe them.

You're in charge of change, and now you need to talk about DevOps hater Robin

Andrew Commons

FinTech startups

They are not big enough to cause a fuss if they fail and haven't been around long enough for their failures to catch up with them.

Andrew Commons

Re: Change for the sake of change

Once upon a time... there was this sudden push to go 'Agile'. This was OK but having spent a bit of time in the process improvement space I started asking some questions. These were along the lines of 'what is wrong with the current methodology', where is it failing; 'what do we want to keep from the current methodology', where is it working; and 'how do we measure success'. After a lot of ducking and weaving it came down to 'HR think we will not be able to recruit young people unless we are doing Agile'. And DevOps is different because...

Commbank data loss: Non-disclosure was pretty reasonable

Andrew Commons

The Reg piece suggests that the appropriate authorities were notified and that they made the determination that there was not a real risk of serious harm to the CBA customers involved.

Note that there is a distinction between 'harm' and 'serious harm' that was made deliberately to minimise the number of breaches that needed to be reported.

The explanatory memorandum that accompanies the legislation makes quite interesting reading in this context.

NASA dusts off FORTRAN manual, revives 20-year-old data on Ganymede

Andrew Commons

Re: The problem probably wasn't the software...

"VAXes have serial interfaces"

I think they all had a serial console interface so yes, that would work well.

Andrew Commons

Re: The problem probably wasn't the software...

"languages such as FORTRAN and BASIC were all wrappers around the RTL"

Actually each language had its own RTL as well as the common RTLs, these were fully documented in versions of VMS before 4.

Andrew Commons

Re: The problem probably wasn't the software...

Almost certainly not the software, although the software migration could be non-trivial if the code relied on long-deprecated low-level run time functions.

The other factor to consider with the hardware is not just reading the stuff but being able to write it to something your more modern hardware can handle.

Scratch Earth-killer asteroid off your list of existential threats

Andrew Commons

Re: n-body problem?

Well, yes, but for very large values of 'n'.

See 'Oumuamua to estimate how large that might be.

Air gapping PCs won't stop data sharing thanks to sneaky speakers

Andrew Commons

Re: Relevance

@Doctor

With just in time manufacturing you could get quite specific. And if you stuffed something in the BIOS then infecting everything is no big deal. Compromise the machines you are potentially interested in at source. You just need a listening device not another machine in the same room and you can build that into the wall.

Andrew Commons

Re: Relevance

The people who build them and ship them have physical access so that's one hell of a big handful.

Andrew Commons

Re: Alexa

You forgot to add the spooky laughing.

Andrew Commons

Re: training a camera at the screen while it displays information

Just make the screen flicker a bit.

Andrew Commons

An appreciation of a good bass player is useful as you get older :)

Andrew Commons

Fast enough...

You can get a big crypto key out in less than an hour.

Andrew Commons

Deja vu all over again

Sure did. And it was also reported on The Register.

https://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

Great, we're going to get DevOps-ed. So, 15 years of planning processes – for the bin?

Andrew Commons

Re: Where’s the part that ensures the software is actually legal?

@Rob@rob

A good tool chain can certainly help. I assume you are doing this with requirements as well and test coverage includes requirements traceability that extends through all work products? In other words end to end with senior management using the tools as well? Tampering with the audit trail not possible, integration between different audit trails all present and correct, and the entire chain future proofed so it can be pulled in 10+ years time?

Andrew Commons

Re: Where’s the part that ensures the software is actually legal?

I would like to see how this gets implemented in an organisation exposed to the Sarbanes-Oxley Act. I was with an organisation that was exposed to it and had to devise something that clearly showed that everything that hit production was known and approved by management before we got hit by an audit. Being able to reconstruct Production as it was at any specific time was also in the mix. Doing this convincingly in DevOps must be interesting.

Australia's new insta-pay scheme has insta-lookup of any user's phone number

Andrew Commons

If you're an online crim....

Britain, where online banking fraud jumped 132 per cent after it introduced a faster payments system in 2008.

See:

http://www.smh.com.au/business/rising-fraud-risk-tipped-from-move-to-realtime-payments-20170127-gtzulk.html

And:

http://www.afr.com/business/banking-and-finance/cyber-fraud-risks-rise-ahead-of-instant-payments-20170612-gwpeva

Andrew Commons

What happens when email is used as the Id?

Just curious.

Would not be surprised if the person's name was again displayed.

I'm staying well away from it.

Hands up who HASN'T sued Intel over Spectre, Meltdown chip flaws

Andrew Commons

Software next?

Maybe we could see software manufacturers being sued for vulnerable products at last? Although I imagine they have covered themselves as much as they can in the EULAs, but these are not sufficient in all jurisdictions.

You can resurrect any deleted GitHub account name. And this is why we have trust issues

Andrew Commons

What am I missing here?

Nothing.

If you use a third party module you download it, put it under your source code control, and be prepared to maintain it yourself.

Home taping revisited: A mic in each hand, pointing at speakers

Andrew Commons

Re: Why on earth do you clean the tracks?

It depends on the age of the vinyl. I do it selectively, mainly on the quiet sections. If it's a loud section it just stays there unless it is really bad.

Andrew Commons

Vinyl to Digital

Getting old vinyl records into digital format is still a thing and it is very time consuming. Record the album, break it up into tracks, clean the tracks taking care not to edit out drum hits that look like scratches in the audio wave form, burn to a CD and also convert to MP3.

Takes quite a while to do each album.

Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Andrew Commons

Re: Happy Days!

@Phil O'Sophical

You don't need an old PC, a Raspberry Pi will do!

https://www.rs-online.com/designspark/a-raspberry-pi-vax-cluster

I used to be quite familiar with manually booting various early VAX models and tweaking a few of the parameters in the early boot stages once upon a time.


Biting the hand that feeds IT © 1998–2019