* Posts by Aodhhan

646 posts • joined 25 Apr 2008


Nah, National Cyber Security Centre doesn't need its own minister, UK.gov tells Parliament

Aodhhan Bronze badge

Don't meddle.

You'd probably be shocked by just how many Americans are involved in not only training British cyber spooks, but working alongside them--in various areas of the world.

Adding greater oversight than there already is will only make things more difficult in handling situations. Further, based on who is allowed to do what doesn't need any more bureaucracy than there already is--focusing mainly on offensive cyber operations, where discussing too much in a committee will only add more problems--not solve them.

In short: for the most part what's established is working. Meddling will only break things.

Jeez, what a Huawei to go: Now US senators want Chinese kit ripped out of national leccy grid

Aodhhan Bronze badge

Man you're gullible

An article gets over dramatic, uses wild and crazy words, and spins in some hysteria in order to make a story out of nothing, and so many buy into it.

I will sell you some land in Louisiana, and even throw in a bridge.

There are no legislators wanting to "RIP" out inverters, as if they contain a virus which will plague the states.

For those who think there isn't any direct threat, then you don't understand industrial control systems. Nearly every piece of hardware is now controlled by some sort of software. Oh yeah, and many of the protocols used by ICS hardware weren't exactly designed with security in mind--including wireless.

So yes, the concern is valid, and banning future purchases of the product as well as looking into where the dangers are most critical is in line with due diligence. Especially when electrical power is everything these days.

Given this, nobody is in a panic or demanding wholesale changes.

Stop letting someone with a typewriter, a thesaurus and an overactive imagination turn you into an idiot.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

Aodhhan Bronze badge

The article didn't suggest the attack vector is new. Heck, it's been available long before your Phrack 2004 article.

However, PS makes it very easy to do.

For instance: with one line of PS code you can load into memory and run mimikatz--with various options, or run your favorite script(s).

Perhaps you should take some time to learn PowerShell, instead of thinking there is no way it can be better than Linux.

Think about it... if all you can do is Linux, then you're half the hacker of someone who can do both!

Accused hacker Lauri Love loses legal bid to reclaim seized IT gear

Aodhhan Bronze badge

Pity the English

Just another example of someone who willingly jumps off a cliff--in hopes the world sees them as a victim.

What's equally moronic, is how people buy into it.

The "woe is me" attitude of the English. So self-absorbed, they have no idea just how good their life actually is.

The press and politicians have the general population believing the worst. So much so, that they once again control the people.

The country's wealth is being squandered--making the people and country overall weaker. All while making the press and politicians more powerful.

Look at yourselves. Blaming everyone else--while becoming too lazy to effect change.

What's next, you call out to the USA for help (yet again)? Don't be silly... do you help someone who wrongly points fingers at you?

Bad news for WannaCry slayer Marcus Hutchins: Judge rules being young, hungover, and in a strange land doesn't obviate evidence

Aodhhan Bronze badge

Re: No Good Deed Goes Unpunished

Stopping a computer virus you helped unleash isn't exactly a good deed. More like, a selfish need to get yourself into the spotlight.

First they came for Equifax and we did nothing because America. Now they are coming for back-end systems and we're...

Aodhhan Bronze badge

Really? Do you not read your own local news?

Americans understand you having an inferiority complex--giving you the need to bash something else to make you feel big and mighty (especially on the Internet); however, at least have the brains to think about it for 30 seconds beforehand... to keep your own shoe from flying towards your mouth.

One click and you're out: UK makes it an offence to view terrorist propaganda even once

Aodhhan Bronze badge

What's next, we start burning books again?

A country which makes laws like this is likely to find their citizens emigrating in droves to another country which doesn't stymie experience or attempt to burn their books.

Then suddenly, this country everyone left for kicks the hell out of the old country in just about everything.

You'd think the UK would have learned this lesson the first time around.

If the UK keeps it up, you'll soon be thrown in jail for witnessing a crime because you were in the wrong place at the wrong time.

ACLU: Here's how FBI tried to force Facebook to wiretap its chat app. Judge: Oh no you don't

Aodhhan Bronze badge

Read what is going on, not what you assume or want to read into the story.

Granted, the author of this story didn't do the best job interpreting what's going on, but this is the norm today. Not to mention, using the ACLU (or any petitioner) as the main--if not only source, doesn't exactly make it good journalism.

This has nothing to do with encryption or privacy, and obviously a search warrant was granted.

The problem comes down to techniques currently employed or under research to (legally) monitor potential crimes. It's pretty much this simple.

It's a bit hypocritical to demand your own privacy without allowing a law enforcement agency some of their own--within reason. In this case, it does the public more harm than good to expose how law enforcement goes about using the Internet to catch criminals.

Yeah, I get it... it allows the FBI to possibly abuse this power. Nobody knows this more than Trump himself. Yet, funny the same people who have a problem with this in general, are cheering the FBI for abusing their power against Trump, and cheering the DoJ -- allowing Mueller to dig for evidence in search of a crime which doesn't seem to exist. Which is basically what the USSR did and China still does against their people.

Accused hacker Lauri Love tries to retrieve Fujitsu lappie and other gear from Britain's FBI in court

Aodhhan Bronze badge

Re: "Britain's FBI"

You actually think anyone in the USA gives a rat's ass about the law enforcement agencies in lil ole England? LOL It's almost a criminal act of humor.

That's like saying England cares about the different law enforcement agencies in Andorra.

US lawmakers furious (again) as mobile networks caught (again) selling your emergency location data to bounty hunters (again)

Aodhhan Bronze badge

Okay... simmer down.

This is one of those stories which include about 10% truth, 70% spin and 20% lies. Not to mention a congressional representative, who knows about 15% about what he's talking about, because he isn't interested in the entire truth. Really, raise your hand if you think you can trust a representative? He's likely doing this to get communication lobbyists to donate money to him.

I enjoy my privacy, and I hate the fact a company can spy on you... All they need to do is put out a phone app, get you to install it, and they have your location--and don't think you are being alerted about your location or you give it permission. There are ways around this, especially if someone has rooted their phone and removed protections. There is no law preventing this. So keep this in mind when you blow up on what you're being "told" about this case.

When 'location' data is merely historic data, the FCC doesn't have any jurisdiction over this, because it fails to be communications once it is historic/trend data. It isn't 'live' comms, it's just numbers on a spreadsheet. Thanks to information and civil needs (aka transparency) laws you can get almost any historical data from a phone company. You can't blame the FCC on this one, this is Congress' weight to bear because of their oversight and limitations of the FCC.

Here is the odd thing. Nobody is screaming about companies tracking us and selling information. Or credit card companies selling every bit of our purchasing life data. Yet, people are screaming about protecting the location of criminals who are jumping bail. Does this make sense? Of course not.

Give me a break.

Whenever a lawmaker/representative is overbearing about something, first check to see if they have any qualification/expert knowledge; second, try to determine why they are making such a big case about this, when there are obviously more important items to deal with. Not to mention a bigger picture to fix when it comes to privacy.

I'm not a big fan of the FCC, but I also don't trust most politicians... no matter what party they affiliate with.

Accused hacker Lauri Love to sue National Crime Agency to retrieve confiscated computing kit

Aodhhan Bronze badge

A bit silly.

What he's doing--basically, is pressing the government to prosecute him or not.

The problem is, if the UK decides to drop prosecution he will subject himself to being extradited again; since the original extradition case was only stopped to pursue local prosecution; the extradition was not dismissed on merit.

Of course they've done bit copies of everything. You don't forensically investigate the original media. This would be ridiculous. Anyone experienced in cyber security knows this, and the importance of proper chain-of-custody. Even with the copies, as soon as they return any evidence, CoC is lost; making any copies worthless. This is likely the main reason he wants his property back.

Since it's been in government custody for 5 years--it's hard to say what sort of malicious hardware/software they will put on it. So he isn't going to want to use it. I doubt he's this stupid.

I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

Aodhhan Bronze badge

Companies don't do anything which isn't in writing

Look... if a company doesn't have a published policy for bug bounties, then you aren't likely going to get anything but swag--if that.

The InfoSec organization in the company doesn't have funds set aside for bounties, and they can't just give money to someone--even if they want to.

So if you're trying to make a living doing this, then search for those businesses with a published bounty policy.

Pentagon admits it's now probing conflicts of interest at AWS over $10bn JEDI cloud deal

Aodhhan Bronze badge

Oracle is gasping

Having worked for the DoD as a civilian and contractor for nearly 15 years... Oracle's effort to show some sort of bias is a losing battle.

Oracle has nobody to blame but themselves. Just for starters, their products are overpriced and where security is paramount... Oracle scores low for number of vulnerabilities and timeframe to mitigate issues; often causing the DoD to spend more money and resources to deal with these issues until a patch is "Finally" released.

Over the past several years, the DoD as a whole has been replacing Oracle solutions with other available systems during refresh. When another vendor's product can offer the same functionality with higher usability grades from end users, better security/patching at a lower cost... you're going to start losing business.

Oracle sees this, and the only thing they can do is cry 'unfair' and 'bias' phrases.

Even if Oracle somehow can display bias in the procurement area of the DoD, you won't be able to get past the DoD's IT community who is sick of you.

Instead of wasting money on a losing battle, you might want to reinvest it back into your products, lower your prices, and work harder on the usability aspect of ALL of your products.

Year after being blasted for dodgy security, GPS kid tracker biz takes heat again for leaving families' private info lying around for crims

Aodhhan Bronze badge

Interesting comments

...so how many of you are so put off by this company's lack of due care to their customers, that you called your government representatives and encouraged them to create laws to prevent these types of breaches?

Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data

Aodhhan Bronze badge

C'mon, who is really shocked?

Typical leftist strategy.

Use what power you have to gain more power.

Then use this power to find dirt on everyone--in order to have control.

If it's information you really can't use or don't care about... you can bet someone does.

...so sell this information for money or a commodity you can use.

Zuckerberg and the rest of Facebook's minions are simply crooked information brokers.

You're an admin! You're an admin! You're all admins, thanks to this Microsoft Exchange zero-day and exploit

Aodhhan Bronze badge

Re: Possible quick fix

Bob...

New to information security and/or application development are you?

You're too fixated on an issue without looking at the entire requirement(s) a product is meant to provide.

Your 'solution' doesn't even come close to providing a workaround for Exchange.

Also, thinking Linux is so much more secure than Windows is short-sighted and short minded.

Especially when both require humans to build and configure them--not to mention the applications running on top of the OS.

Google faces another GDPR probe – this time in the land of meatballs and flat-pack furniture

Aodhhan Bronze badge

Where is the uproar--

Credit card companies and banks do the same thing. The only difference is the frequency of the data points.

Why isn't there uproar about this? This information is sold to credit agencies, political parties, etc. to learn everything about you.

Think about the number of transactions you do with a debit/credit card, the information you have to provide to get a loan, etc.

It doesn't take long before someone with this information knows more about you than you'd like them to--and it's being sold.

The biggest difference so far, seems to be the amount of money and perks banks, credit agencies, and other lobby groups provide to politicians.

Tech sector meekly waves arms in another bid to get Oz to amend its crypto-busting laws

Aodhhan Bronze badge

You have to wonder

...if law enforcement's best chance of prosecuting someone is using files which are encrypted, then the case is likely weak to begin with--and/or they are rushing through the investigation.

If you really need to get at encrypted files, there are ways to get them, but patience is a must along with a good enuf reason--and enuf evidence--to receive a warrant to tap into an individual's cyber communications.

You have to wonder, just how tech savvy a government is, who keeps launching this fight against encryption.

Perhaps it's about time Australia's citizens began looking at who they are voting in to government--and placing a high value on someone who understands technology beyond typing on Twitter.

En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares

Aodhhan Bronze badge

Whoa!

First Brexit and now France has declared cyber war.

The first nation to openly declare it's a cyber bully!!

Does this really shock anybody? It doesn't take a lot of balls to be a cyber bully.

CIA and MI6 can now take a break. The French are "en garde" !! :)

I used to be a dull John Doe. Thanks to Huawei, I'm now James Bond!

Aodhhan Bronze badge

All Brits and EU citizens should purchase a WhaHey phone.

If China is using it to spy on you and the CIA knows about it, this then means the CIA has tapped into it and is spying on you too.

If the CIA knows, then they are sharing it with both Canada and Australia. UK has to totally Brexit before they get the info! ;) Because Brussels cannot be trusted.

Eventually, someone will leak the information and you'll see some strange charges on your tap and go VISA... but who cares? It's the price of technology.

...and the sweetness of the WhaHey phone is worth every bit of risk!

It doesn't even bother you when you find out the Chinese stole proprietary information and put the company you worked for out of business. Ditch diggers will always be needed, so you can still do this, and maintain the sweet WhaHey phone!

This is the "me" generation, and it's the "me" time.

Who cares about anyone else? Who cares about anything you don't understand?

Staying ignorant, allows you to have an easier life in the "me" moment. Right!?

Besides, a phone app which will provide you an abundance of food is coming out soon, I'm sure.

EDGAR Wrong: Ukrainians hacked SEC, stole docs for inside trading, says Uncle Sam

Aodhhan Bronze badge

This does burn me a bit.

This is the same information government politicians are allowed to look at and make investments on, but the everyday person gets racked and quartered if they see the report and then act on it.

About 2 years ago, the US Congress passed a law saying they could no longer do this or other things often considered 'insider trading'. They made a big thing about it--and praised themselves for it.

Then six months later they very VERY quietly removed the law so they could once again do this.

Don't you just love politicians?

Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp

Aodhhan Bronze badge

Re: GDPR?

It's not a backlog of fines needing to be issued.

...it's a delay from Belgium, to see if the guilty companies are willing to pay big $$$$ to the fat-cats in charge of the EU.

This is why BREXIT is a good idea. EU isn't there to protect the people, it's to protect the privilege.

It's 2019, and from Beijing to Blighty folk are still worried about slurp-happy apps

Aodhhan Bronze badge

Re: I'm a bit surprised . . .

They really don't have to.

Encryption is pretty much outlawed unless you have permission from the government.

The government owns all ISPs and routers.

So they just happily sniff away and get the entire picture. Not to mention, they likely require ISPs to install hidden monitoring applications on each device.

Can't unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass

Aodhhan Bronze badge

You're correct--in what you say; but what you're saying doesn't really apply in this case. So I present you with an 'epic fail', in attempting to show off and belittle others.

The vulnerability doesn't apply to the application--as a matter of having privileged access to the Skype application.

The vulnerability is due to the privileges the application is provided on top of the O/S along with other applications, and when these privileges are allowed/provided to the application; and/or when the application is available while the operating system is 'locked'.

2018 ain't done yet... Amazon sent Alexa recordings of man and girlfriend to stranger

Aodhhan Bronze badge

Too many missing the point

I expect this technology to record any transactions I make using the device. However, I don't expect it to record local information, such as when I ask it to turn off the lights or change the thermostat.

Moreover, I don't expect it to record casual conversations and noises. This is absolutely an invasion of privacy.

Furthermore... if any device is recording, and this recording exceeds 30 seconds, the device should beep or provide another alert to let me know it is recording.

It's time our lawmakers step up and begin to tighten controls on what technology can do.

This includes the capturing of day-to-day information on us. Such as, purchasing merchandise using a credit card--and what I purchased--and then selling this information.

Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

Aodhhan Bronze badge

Re: "MSPs are firms that other companies trust to store, process, and protect commercial data"

They likely were using perimeter and local defenses; however, if you were a bit more experienced in security, you'd know THERE ARE WAYS AROUND THESE DEFENSES.

Stop thinking every new security hardware/software will protect your IP. I've been pen testing and conducting breach investigations for more than 20 years. While it's nice to have all the latest gadgets, and build a robust and in-depth security infrastructure... these things aren't worth crap if you don't invest heavily in well trained and experienced security personnel.

Too many corporations hire inexperienced individuals to handle security, and they have no idea how to interpret and/or investigate breaches. It's not funny when I ask for logs and a timeline--and the hired security personnel haven't gathered this info.

You also need to understand, no network is un-hackable.

Influential cypherpunk and crypto-anarchist Tim May dies aged 67

Aodhhan Bronze badge

RE: Influential cypherpunk and crypto-anarchist Tim May dies aged 67

Apparently, you're young and not very well traveled.

Google / Facebook aren't even close to being more powerful than MOST governments. Both Google/Facebook can be silenced by simply denying them electricity; or they can be hijacked which will call into question their credibility. There are a couple of other things, but you get the point.

Both Google and Facebook have assisted in ADDING BARBED WIRE. Look at how they assist China and the fact they are quicker to remove harmless pages/links regarding rants against Hillary Clinton than they are to remove terrorist pages/links. The fact is, BOTH take whatever side is paying them. If you have gold, then they are happy to assist your cause.

Laws DO NOT embrace what the public deems acceptable. If you use your brain for just 5 minutes you will see this is true. I find it unacceptable how high the tax rate is in Europe compared to the USA. In fact, most people do. I find it unacceptable the laws in China and other countries muffle free speech. I find it unacceptable how Australia has decided to squash encryption.

LAWS embrace MONEY and/or POWER for those running governments. Many laws regarding public safety and other concerns only appease citizens. However, don't think for a moment the government doesn't put their own purse and stick above your needs. Even in the western hemisphere.

The bigger government is, the more power people are giving up.

Many people are starting to see this, and are leaving left wing political parties. Right now, the biggest show of this is in France. A year ago it was in Germany. 2 years ago it was in the USA.

Taylor's gonna spy, spy, spy, spy, spy... fans can't shake cam off, shake cam off

Aodhhan Bronze badge

So many security people who are saying--instead of asking.

This isn't about capturing people's facial data...

...it's about what is being done with it?

Of course we know the obvious, but is the data being wiped as soon as the concert is over, or is it being saved? Is it being sold? Who is given access to it? Are the methods used for collection secure?

As horrible as it is for the USA to regress and become England, it's bound to happen--the gov't spying on us all; everywhere. Eventually Democrats will find a silent way around the 4th and 5th amendments. Likely saying one thing and doing another.

US elections watchdog says it's OK to spend surplus campaign cash on cybersecurity gear

Aodhhan Bronze badge

Another Investment Opportunity for Congress

Love it when Europeans think they have a handle on how politics work in the USA.

What this means is: now every member of Congress will have one of their buddies start up a cybersecurity firm (which of course, they themselves will heavily invest in). Then the senator or representative will hire this firm and funnel excess cash to their friends.

They really don't care if their website or network gets pwned or not. They just want to be able to funnel money so they can make money.

Salesforce has named a chief ethics officer and yes, the job description is appropriately woolly

Aodhhan Bronze badge

How Left Sided

They will appoint someone, who has no idea what it's like to be poor--or know first hand any hardship an individual may face.

Like most moronic decisions which lean to the left, they will side and promote any idea being touted by the loudest squeaky wheel... which of course, will be the whacked out media.

In short, it's just a round-about way of still selling out. You're just ensuring you have more options and choices while doing so.

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

Aodhhan Bronze badge

What's next.

For safety's sake... we will now torture you, to ensure we find all narcotics and any chemical which can be used to make explosives.

US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That'd be the UK

Aodhhan Bronze badge

When someone bad mouths you--what do you think?

Why is it, people in England always try to compare/contrast themselves to the USA? Having lived in both countries, I know very well... they are two very different cultures and have many differing ideals.

One thing I always thought was funny, is how many English think they know anything about America. Fact is, they only know what their press tells them. It's interesting, the English know how inaccurate their press is when it comes to stories about their own people and have little trust for the press--except when it comes to information about the USA. Then of course, their press is perfect. Ludicrous, right?

Take Trump stories. English press only present to the people bad things without saying one of the many good things he's done. Does it occur to you why Trump's favorability numbers are increasing in the USA?

Most Americans get why the English keep odd scores on things, like it's some sort of competition--but the fact is, most Americans don't really care what people in England think, but Americans do take note of the constant bad mouthing from England.

For those who think America believes it pushes their will upon other nations and has double standards:

Americans are more than happy to keep their money at home and let another country take over the leadership of the world--but nobody else steps up. Not even the UK. Seems the UK would rather be a critic than a leader. Any moron can take this position on things, right? France's President Macron proves this point well.

Step up or shut up. Otherwise, all you appear to be is an underachieving loud mouth with an inferiority complex.

Oracle's JEDI mind-meld doesn't work on Uncle Sam's auditors: These are not the govt droids you are looking for

Aodhhan Bronze badge

DoD's opinion is sound

Fewer cooks in the kitchen working on the same pudding. Especially in the upper management tiers.

It is only unsound if there happens to be a catastrophic vulnerability which cannot be monitored for and cannot be mitigated, which is very rare these days.

Not to mention, it's a lot easier to monitor one set of products, instead of many; where, when there is a problem--everyone points blame on everyone else. In the case of one vendor, the buck/responsibility is easily attributed to... and quickly rectified.

The DoD has been the InfoSec model for the USGov't. InfoSec w/n the DoD began to lock down things in 2007 (DIACAP) with increased responsibility laid on IASE/DISA and then more in 2014. After the 2016 elections, the rest of the Gov't was made to come on board with the additions to the CSA.

While most of the US Govt has been a laughing stock for InfoSec, the DoD--with some exceptions--has been doing it right for a while. Not to mention, the requirements the DoD laid out over the past 15 years when bidding out contracts have arguably been the biggest drivers to InfoSec infrastructure development covering the entire stack. Especially in high speed, low frequency wireless security.

Oracle, careful what you ask for. Ask Cisco what happened when they began to demand and attempt to pin the DoD into a corner. Suddenly, they were losing contracts (and good engineers) they sat on for years to minority, female veteran owned companies.

Don't ever think you're the only game in town, especially with DoD contracts. The blue collar personnel working on them, just move to the company who wins the contract, and business goes on as normal...well, except for your stockholders.

Aodhhan Bronze badge

Oracle, you should be happy.

Now perhaps, you'll have extra time to look into plugging up all the friggen holes in your databases and other products.

Thankfully, more and more companies have stopped purchasing Oracle products.

New era for Japan, familiar problems: Microsoft withdraws crash-tastic patches

Aodhhan Bronze badge

The ignorant has so much to say, but a helluva lot more to learn.

The words from the world of the non-coders--ignorant as ever.

An intelligent individual recommends thoughtful solutions.

A fool talks down to others without any conscious thought or insight--obviously, because they have none.

You did accomplish something; since we can now say, we know more about you than you know about compilers.

Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

Aodhhan Bronze badge

Apparently not responses from real Security Professionals

I'm among the last to give Amazon any kudos or praises, but let's do an honest gut check.

If you believe this looks phishy, then you're a ripe target for a well built phishing email.

You're basically stating, if it looks professional and is well written, then the email is legit.

Going off grammar or spelling is a method. Just look at the responses to this forum!

In fact, you should treat all unsigned external emails the same. No matter how they look or are written.

At anytime there is a question... get off your fat ass and investigate it. The return URL is legitimate enough, that if you would have followed up on it, your question would have been answered within 5 minutes.

If the URL would have been slightly different, but questionable, there are security tools--such as Fiddler--which you should, as an IT professional, be very comfortable using by now.

Large organizations should have a mailbox employees can forward an email to, so an InfoSec employee can make a determination.

In many of our red team out briefs, we comment on how an organization can spend $2 Million on security devices, but it will not do much good if they don't spend money hiring active--as opposed to lazy--IT and InfoSec professionals.

MIT to Oz: Crypto-busting laws risk banning security tests

Aodhhan Bronze badge

Politicians.

It appears even politicians down under are moronic.

Legislating against free speech (which this law will obviously do) doesn't mean someone won't tell someone, who tells another... and so on. Things slip out, mistakes are made... and others make the conscious effort to be jerks.

Unfortunately, as long as we keep electing officials without technical and computer expertise backgrounds... politicians are going to keep creating laws--which initially sound good--but have unintended consequences in the end, because of things they cannot see nor comprehend.

Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff

Aodhhan Bronze badge

Olaf... I see you've never worked at a large company where many individuals work together to design and build a product.

To say you must do more to secure information is a pretty obvious statement. Do you think companies don't know this? C'mon, you're smarter than this.

When you have 500+ people working on a project--some at other locations, to simply secure it on a private network isn't as easy as it sounds. Even if you employ best practices and proper security devices, there are many attack points. Even a novice InfoSec professional knows this and can point many out.

I've been a red team professional for nearly 10 years--even when companies do everything right to secure their systems, we manage to find a weak point to exploit within 30 days. A nation state has all the time in the world to do this, along with employing a workforce dedicated to working on zero days on a variety of different and popular software. If you don't understand there are thousands of zero days available to nation states (which they keep secret), then you probably should consider working in another field.

All of this is pretty obvious to an experienced InfoSec professional. Especially those who keep up with the latest offensive security attack methods/techniques. Along with understanding you have a lot to learn--and should begin to consider not the obvious, but the unique and ambiguous.

You may also want to consider withholding judgement until you have a lot more experience.

Aodhhan Bronze badge

Re: Hypocritic US

Gathering information from a network in order to ensure national security is a lot different than theft of intellectual property. This shouldn't be too difficult to comprehend.

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Aodhhan Bronze badge

Put away emotion and rethink

In the USA, you can't just force an individual or an organization to do something unless national security or public safety is at risk. Americans have every right to be as ignorant as they want to be.

To say security will not get better without government interaction is ignorant in itself. Security has gotten much better without government interaction. Corporations have also moved to be a lot more secure--again, without government interaction. Most companies want to become more secure faster, but the costs outweigh the risk in many cases. Don't forget the risk management aspect.

So if this is the case, why is IoT so insecure? Well, consider where many of these products are made, then ask yourself if these countries have an interest in secure IoT; as well as if they have something to gain if there are a great deal of IoT devices in western countries.

Another aspect is how new IoT is. Companies kick out IoT devices fast to make money and ignorant consumers rapidly purchase them so they can boss around Alexa and brag about it. Security is an afterthought, and will be until consumers begin to demand it. A company has to compete with many others, and adding security costs money--they can't sell a product which costs $20 more than competitor products.

The answer isn't government involvement. In fact, the last thing you should want is the government sticking their hands into my or anyone's business. Taxes are high enough.

The answer is educating consumers so secure products are what begin to sell, and become in demand. You know... this whole free enterprise thing.

It drives me crazy anytime people start expecting the government to step in and make changes. If you're intelligent enough... get up and make a difference yourself--else your taxes will increase and minimum wage will stay low. When is the last time you've asked a company for a more secure IoT device? Do you educate friends, family, coworkers about the dangers and risk of IoT--in a manner they can understand? How does insecure IoT negatively affect their family?

Start educating people on the risks associated with IoT, and how it can negatively affect their family. Do this and you'll see people forcing change. Without additional taxes and/or politicians finding a way to corrupt it.

Morrisons supermarket: We're taking payroll leak liability fight to UK Supreme Court

Aodhhan Bronze badge

Poor article--Where is the information on due care

Horrible investigation by the author. It leaves far too many questions unanswered.

No mention of whether or not the company has policies in place regarding data--or if the company practices proper due care and due diligence. Which is going to be the centerpiece.

Due care is often the primary checkbox item regarding negligence and liability. The article should have really pursued this aspect--and failed to do so.

Did the employee have to circumvent policies/procedures... or was the data just handed to him?

When and how did the company find out about this?

Was a background investigation required for certain employees? ...on and on.

If a company doesn't do anything to protect data--especially regulated data--then it is negligent. Data must be protected logically as well as administratively. A person shouldn't be able to just ask for or have access to all data without controls.

Companies all over the globe are learning the hard way about due care.

Ex spy bosses: Cyber-warfare needs rules of engagement for nations to promptly ignore

Aodhhan Bronze badge

More Oracle Crap

Every year Oracle touts how wonderful their technology is, and how they've jumped light years ahead of competition when it comes to security.

This year is no different.

I'm willing to bet nothing will change this year. Oracle will still over charge for its products, will still have more vulnerabilities than other systems, and will take a ridiculous amount of time to patch these holes.

Fortunately, I work for an organization which has greatly reduced the amount of Oracle products in the enterprise.

Hunt for Red Bugtober: US military's weapon systems riddled with security holes – auditors

Aodhhan Bronze badge

Not shocking

Having worked in the DOD as a civilian--many of us have left the DOD for bigger paychecks. Why work for 90K when you can get nearly twice as much working for civilian companies? All of which are now heavily investing in InfoSec. Another upside is I don't have to live life like an angel... worrying about losing my security clearance... and/or having my life turned upside down every 5 years dealing with a clearance investigation.

This is putting the DoD in hard times with InfoSec. Most of the civilians/military leadership O-5/GS-15 and above aren't proficient in technological computer fields--let alone information security. They are pilots, business grads, etc. Almost everything but a computer engineer, MIS, development, etc. education. So they aren't exactly proficient at leading--or understanding the support needs of computer professionals. Such as security hardware, cloud infrastructure, etc. Since they don't understand it... they don't get the right items implemented and make poor decisions.

Until the DoD and defense contractors get in line with civilian salaries, they will only be able to attract professionals right out of college--only to watch them leave after 4 years.

Boffin: Dump hardware number generators for encryption and instead look within

Aodhhan Bronze badge

Re: Interesting effect, wrong explanation

Apparently you didn't read the paper, and/or you don't understand it. It isn't about clock cycles. It's about side channel measurement of fine performance benchmarks and the differences noticed in these benchmarks between like CPUs.

Consider the variation in performance affecting entropy if one processor's temperature is 7 degrees cooler than another--among other performance-changing variables, such as workload.

Don't you love people who make crazy claims without at least trying to understand what is being said?

Trump's axing of cyber czar role has left gaping holes in US defence

Aodhhan Bronze badge

Trump did the correct thing here. The cybersecurity tsar position didn't wield much authority, and therefore wasn't very effective at getting some things accomplished. It's not a position requiring congressional approval.

The job now falls on Homeland Security, which wields a lot more authority when it comes to auditing and review. Homeland Security can now put the entire network infrastructure and operations along side many other critical systems in order to hand down major penalties to government agencies and their management.

So before Trump bashers start repeating the idiocy of politics--and you really should be smarter than this--you should look at the entire picture, and not just the rants and raves of a few politicians from the DNC (who need to call on their assistants to log themselves in to their computers).

The cyber tsar position was just another one of these "I'm doing something about it" jobs, without any teeth. They weren't in charge of anything but charts and PowerPoint. It is a job which costs taxpayers money, and does little. Even USCERT didn't fall within the grasp of the job, if this tells you anything.

Hacky hack on whack 'Hacky Hack Hack' Mac chaps hack attack rap cut some slack

Aodhhan Bronze badge

Since he used Ubuntu to break into Apple, there will be no job waiting. However, the magistrate appears to be a UNIX geek; lucky for him!

MI5: Gosh, awkward. We looked down the sofa and, yeah, we *do* have intel on privacy bods

Aodhhan Bronze badge

Yeesh

Did the UK hire Hillary and Obama to ensure MI5 was staffed by the same type of people hired to run the intelligence agencies in the USA?

Canadian security boss ain't afraid of no Huawei, sees no reason for ban

Aodhhan Bronze badge

Keep an eye on the bank account

What do you want to bet, Mr. Jones will be moving into a larger house and purchasing a couple of cars within the next 6 months.

Sounds like another individual who is getting paid by companies to endorse them, and/or being forced by the Canadian government not to offend China--since China is the second largest trade partner it has.

If you wish to purchase Chinese electronic products--which have a history of poor security and monitoring customers--then go for it. I wouldn't want to be the individual who approved taking on this risk.

Have I been pwned, Firefox? OK, let's ask its Have I Been Pwned tool

Aodhhan Bronze badge

Oh no.

Just another product to monitor us and collect data, which can then be stolen and given to the entire world--and then used against us.

Only the foolish trust Google.

While the UN laughed at Trump, hackers chortled at the UN's lousy web application security

Aodhhan Bronze badge

Stop mirroring the media

While I don't think Trump has done more than any other president, he has definitely accomplished more than any other president since Reagan. Especially for the common workers in the USA.

Most outside of the USA only hear bad, made up, and malicious things about Trump so they immediately believe it all. When in reality, his approval within the USA is steadily rising.

The taxpayers in the USA are tired of funding everything without help from allies, and are tired of being on the bad end of trade deals--especially tariffs. In the USA, you can buy European made jeans for about the same price as American made jeans. However, in Europe, you'll pay many times more for American jeans than the European jeans. Also, there will be a limit on the amount of goods the USA can send to another country, but there is no limit on the number of goods sent to the USA.

It's just about being fair. Imagine if your taxes were raised 10% to pay for something in another country.

Then you have to call out things like the Paris Climate agreement crap. To make sure Germany can meet this, they fund companies within their borders to move to a lesser country which doesn't have pollution controls. Germany didn't do anything to limit the overall global pollution, they just diverted the pollution to another country. Then hypocritically yell at other countries for not signing onto the pollution standards, and proclaim how environmentally friendly Germany is.

Here is the real funny part... people in the USA have begun to pay closer attention to the goods they purchase, and have stopped purchasing products from unfair countries. This is why many countries have decided to renegotiate trade deals with the USA without making too much fuss. Right now, America's economy is very strong, and companies are rewarding workers with higher wages and better benefits. If you're another country, do you really want to discourage Americans spending their money on goods from your country?

The ones you should really be kicking in the teeth are the media, who freak out for no real reason and make up false stories and accusations about a president who is gaining in popularity within his own country, especially with the common working people.


Biting the hand that feeds IT © 1998–2019