* Posts by Andrew Commons

189 posts • joined 22 Dec 2007

Page:

Radio gaga: Techies fear EU directive to stop RF device tinkering will do more harm than good

Andrew Commons

Re: What's the problem....

My reference was Australian regulations. The point is that these regulations are widely accepted as a 'good thing' for a good reason.

Andrew Commons

Re: What's the problem....

Smart heaters? Smart ovens?

Botnets created from rooted routers to take down critical infrastructure.

My point is that we actually have reached the point where insecure devices can cause harm and destruction and we need to start thinking about that because there are billions of them out there.

Andrew Commons

What's the problem....

Now electrical equipment that is plugged into the electrical grid are expected to be safe. There are regulations in place that attempt to protect consumers, and the grid, from unsafe equipment. The electricity grid has safeguards built into it to minimise the impact of unsafe equipment. I don't think anybody thinks this is a bad thing.

So why such strong objections for equipment plugging into the RF grid which, I think, lacks the kind of safeguards that apply to the electricity grid.

We know that all the gadgets being plugged in are completely fucked. They are full of bugs and are actually dangerous when you consider how they can be exploited. So this legislation is basically saying you need to be compliant before you get on the grid...just like electrical equipment, just like cars before they get on the road, just like aircraft before they carry passengers,..... I don't hear objections in these cases.

Is this really so bad?

Cue down votes.

Nice 'AI solution' you've bought yourself there. Not deploying it direct to users, right? Here's why maybe you shouldn't

Andrew Commons

Re: "No one really understands why machine-learning code is so brittle"

The last link given in the Reg piece goes to a neat piece of research that used adversarial examples thrown at an image recognition application to conclude that it triggered on texture rather than shape.

This highlights the real problem...they do stuff but we don't know how and as a result have no idea how they will behave if the input goes off-piste. So, dressing a wolf in sheep's clothing actually works with the current technology.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

Andrew Commons

No, cue a policy that uses native access control to only allow those who need to run Powershell to access the executables.

Simple and sensible.

This image-recognition neural net can be trained from 1.2 million pictures in the time it takes to make a cup o' tea

Andrew Commons

Re: You can't make a cup of tea in 90 seconds

The answer is TeaOps...

1. Rapid delivery of tea - kettle still hot from previous pot

2. Pot still warm and half full, just add more tea

3. Brew?? What's that, we don't care what it tastes like!

Linus Torvalds pulls pin, tosses in grenade: x86 won, forget about Arm in server CPUs, says Linux kernel supremo

Andrew Commons

DEC HALs

DEC were certainly users of hardware abstraction layers. They had one in VAX/VMS I think, it was always instructive to go through the BLISS header files looking at the comments to see next years models emerging.

Crash, bang, wallop: What a power-down. But what hit the kill switch?

Andrew Commons

Placement of kill switch and other quirks

Probably similar timeframe - VAX 11/780s in late 1970s. Kill switch next to a phone on the wall... Engineer makes call on phone, leans against wall,.... lights out!

Same installation. Telecomms 'electricians' removing a cabinet. Not sure if power is off. Large screwdriver between active and earth shows, momentarily, that power WAS on, lights out once again.

Some air-conditioning fun from same location if On-Call is interested in that sort of thing.

Object-recognition AI – the dumb program's idea of a smart program: How neural nets are really just looking at textures

Andrew Commons

It seems to be an extension of this study...

https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1006613

Keep in mind that the smallest change required to get an image classification algorithm to misclassify is .... 1 pixel.

This must be some kind of mistake. IT managers axed, CEO and others' wallets lightened in patient hack aftermath

Andrew Commons

Re: Seems legit

@Peter2

As far as I understand it they segment the network so that if Internet access is required for work purposes then you (the employee) have internet access. if Internet access is not required for work purposes then no access. This includes email. Devices with Internet access do not have access to the protected segment.

There are many roles that do not require Internet access in an organisation. Technical roles are often considered an exception but there are ways that this can be minimised.

Andrew Commons

Re: Seems legit

Indeed, and the western world should probably follow Singapore in removing Internet access from most public service accounts. They committed to this in mid 2016. See this commentary related to this incident:

https://www.gov.sg/news/content/internet-separation-could-and-should-have-been-implemented-in-public-healthcare-system

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it's 'an act of war'

Andrew Commons

Re: An opposing point of view

That would be interesting. I suppose you could also extend negligence to include using software that you knew was faulty regardless of how much you patched it. Proving you weren't negligent does indeed become a challenge.

Andrew Commons

An opposing point of view

Interestingly there is an opinion from Marsh LLC, part of Marsh and McLennan who are in the same business as Zurich and about the same size as Zurich, that is was NOT Cyber War.

[PDF]https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/NotPetya-Was-Not-Cyber-War-08-2018.pdf

I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.

US trade watchdog, mobe makers queue to smack Qualcomm as antitrust trilogy opens

Andrew Commons

Re: Patently ridiculous?

Actually it shows that people do not think the investment companies make in developing ground breaking technologies and turning them into a successful market should be returned to those companies along with a profit. This enables them to pay the researchers and continue their research and so continue to employ and pay researchers.

Andrew Commons

Well exactly. And bundle pricing is a feature used everywhere not just in this business.

Andrew Commons

Re: Patently ridiculous?

Isn't this is about hardware rather than software? From my reading of the Reg piece Intel can, and do, manufacture compatible modems without treading on Qualcomm patents. These modems presumably comply with the standards and are used by major players.

Andrew Commons

Re: Patently ridiculous?

I think Qualcomm were open about their patents and the standards.

Andrew Commons

Re: Patently ridiculous?

So they are clever business men as well??

It would seem that those who created the public standards created this problem then.

Andrew Commons

Patently ridiculous?

So Qualcomm owns the patents, there seems to be no dispute about that. Ownership of the patents provides control over the use of the technology. Qualcomm exercises those rights to maximise it's revenue, as you would, and then has to defend itself in civil court because it holds some really good patents.

Does this sort of shit happen in other domains, Pharmaceuticals for instance?

An upset tummy and a sphincter-loosening blackout: Lunar spaceflight is all glamour

Andrew Commons

Re: Lunch from both ends?

And this was in the days before laser hair removal.....

Andrew Commons

Re: Lunch from both ends?

I read somewhere that taking a dump in an Apollo capsule involved the use of a carefully positioned plastic bag on the part of the dumpee. The remaining two crew got as far away as they could during the process. If you have seen one of these capsules you soon realise that 'as far away as you can' is a pretty meaningless concept in these circumstances.

Serverless is awesome (if you overlook inflated costs, dislike distributed computing, love vendor lock-in), say boffins

Andrew Commons

Re: Measurements?

Good choice, it will need to be calibrated of course. So maybe a Drone can have an innovation of 1 Sinclair and disruption, measured in Gatwicks, of 36?

Andrew Commons

Measurements?

...just imagine how much innovation will be done one these platforms...

How is 'innovation' quantified? Innovations per second? A metric fuck-ton of innovation? And is there a one-to-one correspondence between 'innovation' and 'disruption', we need to measure the inevitable 'disruption' as well.

Can the El Reg Units desk help out here?

Oh Deer! Poacher sentenced to 12 months of regular Bambi screenings in the cooler

Andrew Commons

Well there is always...

Bambi Meets Godzilla. Now available on YouTube. I saw the VT100 ASCII animation way back, so there a number of ways the sentence can be carried out.

25% of NHS trusts have zilch, zip, zero staff who are versed in security

Andrew Commons

How easy is it to hack a fax machine anyway?

Not that hard apparently. There was a lot of press about it in August of this year. A lot of them come bundled with MultiFunction Devices and you have to tweak a few configuration options to stop them being used as a path into the internal network. This has been the case for quite a few years now.

FYI: NASA has sent a snatch-and-grab spacecraft to an asteroid to seize some rock and send it back to Earth

Andrew Commons

Not exactly 'snatch and grab'

A burst of nitrogen gas will stir up regolith on the asteroid’s surface, which will be caught in the TAGSAM head.

More like a blow job.

Britain may not be able to fend off a determined cyber-attack, MPs warn

Andrew Commons

Re: Carp

I've run security at a utility subject to the sort of controls described here. You have to get your proposed budget through your management plus the external body controlling prices. In my case this was an exercise you performed every 5 years, you were bidding for 5 years money, so a lot of educated guessing was involved in the guise of 'strategic planning'. Note that the submission to the external authority includes everything the utility does so the security budget is at best a single line somewhere with external material to justify it. My modest budget was still cut internally due to overall limits on opex rather than capex. Another (more critical) utility subject to the same process had their security budget savaged by the regulator.

I found the main problem was head count. For the size of the team we had enough money to run all the projects we could handle and we could get contractors in for project work. Getting a head count increase was a different matter entirely.

OK Google, why was your web traffic hijacked and routed through China, Russia today?

Andrew Commons

The last paragraph says it all

"The internet is built on such an open chain of trust that it is not hard for anybody to inject fake information," Naik said. "It really is that simple."

And the great digital transformation drive has turned this into critical infrastructure.

Russian computer failure on ISS is nothing to worry about – they're just going to turn it off and on again

Andrew Commons

Re: Failure is not an option

Indeed, "Build Failure In" is the current paradigm. Fits nicely with the "Fail Fast, Fail Often" methodology.

Should a robo-car run over a kid or a grandad? Healthy or ill person? Let's get millions of folks to decide for AI...

Andrew Commons

Re: egregious Jaywalking

I just love that word - egregious. It's original meaning is completely the opposite of current usage which leads to interesting speculation regarding the intentions of the author...'remarkably good' or 'outstandingly bad'. Perfect word for having a bet both ways!

Cybercrooks home in on infosec's weakest link – you poor gullible people

Andrew Commons

Re: About one quarter right...

@Claptrap.

Let's look at some of the things the 'top professional team' will do.

* Originate emails from compromised accounts. The sender information is completely valid and if the address book and Inbox/Outbox are used to select recipients they are used to receiving emails from the compromised sender. Going a step further, they may be used to receiving emails with links from the trusted (but compromised) sender.

* Use a valid domain where the domain owner has not implemented any countermeasures such as SPF or DMARC. A major bank had such a domain, it was regularly used for phishing attacks, they never used the domain for customer emails but the customers didn't know that.

* Use non-standard email headers to trick the email client into presenting an external email exactly as if it had been sent internally. The displayed From address is a valid internal address, all adornments applied to internal emails are present, visually perfect.

* Time emails so that they get into the recipients Inbox at the start of local business hours. They get actioned quickly when the user starts work. Volume sent is small to make them harder to detect, 10 or 12 is enough.

* Use information gleaned from the Internet to make the Subject and content more convincing. An online job add was used to provide context in one case, anything out there will be used against you.

This is just a small sample. The top teams are highly skilled and they will take care in their targeted attacks. Your walls don't really exist. The recipients, the users, are way out of their depth.

Andrew Commons

Lambs to the slaughter

Your office soccer team (imagine you have one, any other team sport will do) gets a game against a top professional team. They get thrashed. Management decides awareness of the rules will help and the whole office gets training. There is a rematch with the office team. They get thrashed. The office team is taken to one side and given two days intensive awareness of the rules and tactics before another match. They get thrashed.

So it is with security.

The security industry has realised that the People side of the process hasn't really been fully milked yet and the technology snake oil is starting to wear thin. So this is where the new focus is.

The office team will never beat the professionals. You have to change the rules to do that. But organisations don't have the balls to change the rules. Restrict Internet access for example, only allow business emails, segregate areas of the business that need unfiltered interactions,... All technically possible. Then look explicitly at how Process and Technology failures can impact you and implement countermeasures.

Don't put the weakest link on the front line.

UK cyber security boffins dispense Ubuntu 18.04 wisdom

Andrew Commons

Re: Number of vulns means nothing

Vulnerability counts of this type are very misleading. You just keep changing the product names to keep the numbers down. Sum all the MS Server counts regardless of version and then start making comparisons.

Microsoft devises new way of making you feel old: Windows NT is 25

Andrew Commons

@ Dave Pickles

When Win NT was first released we were doing side by side comparisons with VMS and two things that Cutler didn't bring over were puzzling. First up Logical Names which gave you a level of indirection for practically everything along with protected name spaces. Then there was the big omission of Installed Images that allowed privileges to be assigned to trusted pieces of code (amongst other things, sharing, fast startup etc as well) removing the need for users to have privileges. Both were probably out of place in a PC operating system.

America's forgotten space station and a mission tinged with urine, we salute you

Andrew Commons

Re: "Who's the best pilot you ever saw?"

It was a great book/film. And Tom Wolfe died two days ago so a double whammy.

Andrew Commons

Re: the whole setup was pretty crude

Each spacecraft was hand made and unique. The men inside them were seasoned test pilots who flew 'experimental, hand made, and unique' for a living. They were highly intelligent and understood the risks. Brave is not an adequate word to describe them.

You're in charge of change, and now you need to talk about DevOps hater Robin

Andrew Commons

FinTech startups

They are not big enough to cause a fuss if they fail and haven't been around long enough for their failures to catch up with them.

Andrew Commons

Re: Change for the sake of change

Once upon a time....there was this sudden push to go 'Agile'. This was OK but having spent a bit of time in the process improvement space I started asking some questions. These were along the lines of 'what is wrong with the current methodology', where is it failing; 'what do we want to keep from the current methodology', where is it working; and 'how do we measure success'. After a lot of ducking and weaving it came down to 'HR think we will not be able to recruit young people unless we are 'doing Agile'. And DevOps is different because...

Commbank data loss: Non-disclosure was pretty reasonable

Andrew Commons

The Reg piece suggests that the appropriate authorities were notified and that they made the determination that there was not a real risk of serious harm to the CBA customers involved.

Note that it is not there is a distinction between 'harm' and 'serious harm' that was made deliberately to minimise the number of breaches that needed to be reported.

The explanatory memorandum that accompanies the legislation makes quite interesting reading in this context.

NASA dusts off FORTRAN manual, revives 20-year-old data on Ganymede

Andrew Commons

Re: The problem probably wasn't the software...

"VAXes have serial interfaces"

I think they all had a serial console interface so yes, that would work well.

Andrew Commons

Re: The problem probably wasn't the software...

"languages such as FORTRAN and BASIC were all wrappers around the RTL"

Actually each language had its own RTL as well as the common RTLs, these were fully documented in versions of VMS before 4.

Andrew Commons

Re: The problem probably wasn't the software...

Almost certainly not the software although the software migration could be non trivial if the code relied on long deprecated low level run time functions.

The other factor to consider with the hardware is not just reading the stuff but being able to write it to something your more modern hardware can handle.

Scratch Earth-killer asteroid off your list of existential threats

Andrew Commons

Re: n-body problem?

Well, yes, but for very large values of 'n'.

See 'Oumuamua to estimate how large that might be.

Air gapping PCs won't stop data sharing thanks to sneaky speakers

Andrew Commons

Re: Relevance

@Doctor

With just in time manufacturing you could get quite specific. And if you stuffed something in the BIOS then infecting everything is no big deal. Compromise the machines you are potentially interested in at source. You just need a listening device not another machine in the same room and you can build that into the wall.

Andrew Commons

Re: Relevance

The people who build them and ship them have physical access so that's one hell of a big handful.

Andrew Commons

Re: Alexa

You forgot to add the spooky laughing.

Andrew Commons

Re: training a camera at the screen while it displays information

Just make the screen flicker a bit.

Andrew Commons

An appreciation of a good bass player is useful as you get older :)

Andrew Commons

Fast enough...

You can get a big cryptyo key out in less than an hour.

Andrew Commons

Deja vue all over again

Sure did. And it was also reported on The Register.

https://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

Page:

Biting the hand that feeds IT © 1998–2019