* Posts by Aodhhan

626 posts • joined 25 Apr 2008


EDGAR Wrong: Ukrainians hacked SEC, stole docs for inside trading, says Uncle Sam

Aodhhan Bronze badge

This does burn me a bit.

This is the same information government politicians are allowed to look at and make investments on, but the everyday person gets racked and quartered if they see the report and then act on it.

About 2 years ago, the US Congress passed a law saying they could no longer do this or other things often considered 'insider trading'. They made a big thing about it--and praised themselves for it.

Then six months later they very VERY quietly removed the law so they could once again do this.

Don't you just love politicians?

Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp

Aodhhan Bronze badge

Re: GDPR?

It's not a backlog of fines needing to be issued.

...it's a delay from Belgium, to see if the guilty companies are willing to pay big $$$$ to the fat-cats in charge of the EU.

This is why BREXIT is a good idea. EU isn't there to protect the people, it's to protect the privilege.

It's 2019, and from Beijing to Blighty folk are still worried about slurp-happy apps

Aodhhan Bronze badge

Re: I'm a bit surprised . . .

They really don't have to.

Encryption is pretty much outlawed unless you have permission from the government.

The government owns all ISPs and routers.

So they just happily sniff away and get the entire picture. Not to mention, they likely require ISPs to install hidden monitoring applications on each device.

Can't unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass

Aodhhan Bronze badge

You're correct--in what you say; but what you're saying doesn't really apply in this case. So I present you with an 'epic fail', in attempting to show off and belittle others.

The vulnerability doesn't apply to the application--as a matter of having privileged access to the Skype application.

The vulnerability is due to the privileges the application is provided on top of the O/S along with other applications, and when these privileges are allowed/provided to the application; and/or when the application is available while the operating system is 'locked'.

2018 ain't done yet... Amazon sent Alexa recordings of man and girlfriend to stranger

Aodhhan Bronze badge

Too many missing the point

I expect this technology to record any transactions I make using the device. However, I don't expect it to record local information, such as when I ask it to turn off the lights or change the thermostat.

Moreover, I don't expect it to record casual conversations and noises. This is absolutely an invasion of privacy.

Furthermore... if any device is recording, and this recording exceeds 30 seconds, the device should beep or provide another alert to let me know it is recording.

It's time our lawmakers step up and begin to tighten controls on what technology can do.

This includes the capturing of day-to-day information on us. Such as, purchasing merchandise using a credit card--and what I purchased--and then selling this information.

Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

Aodhhan Bronze badge

Re: "MSPs are firms that other companies trust to store, process, and protect commercial data"

They likely were using perimeter and local defenses; however, if you were a bit more experienced in security, you'd know THERE ARE WAYS AROUND THESE DEFENSES.

Stop thinking every new security hardware/software will protect your IP. I've been pen testing and conducting breach investigations for more than 20 years. While it's nice to have all the latest gadgets, and build a robust and in-depth security infrastructure... these things aren't worth crap if you don't invest heavily in well trained and experienced security personnel.

Too many corporations hire inexperienced individuals to handle security, and they have no idea how to interpret and/or investigate breaches. It's not funny when I ask for logs and a timeline--and the hired security personnel haven't gathered this info.

You also need to understand, no network is un-hackable.

Influential cypherpunk and crypto-anarchist Tim May dies aged 67

Aodhhan Bronze badge

RE: Influential cypherpunk and crypto-anarchist Tim May dies aged 67

Apparently, you're young and not very well traveled.

Google / Facebook aren't even close to being more powerful than MOST governments. Both Google/Facebook can be silenced by simply denying them electricity; or they can be hijacked which will call into question their credibility. There are a couple of other things, but you get the point.

Both Google and Facebook have assisted in ADDING BARBED WIRE. Look at how they assist China and the fact they are quicker to remove harmless pages/links regarding rants against Hillary Clinton than they are to remove terrorist pages/links. The fact is, BOTH take whatever side is paying them. If you have gold, then they are happy to assist your cause.

Laws DO NOT embrace what the public deems acceptable. If you use your brain for just 5 minutes you will see this is true. I find it unacceptable how high the tax rate is in Europe compared to the USA. In fact, most people do. I find it unacceptable the laws in China and other countries muffle free speech. I find it unacceptable how Australia has decided to squash encryption.

LAWS embrace MONEY and/or POWER for those running governments. Many laws regarding public safety and other concerns only appease citizens. However, don't think for a moment the government doesn't put their own purse and stick above your needs. Even in the western hemisphere.

The bigger government is, the more power people are giving up.

Many people are starting to see this, and are leaving left wing political parties. Right now, the biggest show of this is in France. A year ago it was in Germany. 2 years ago it was in the USA.

Taylor's gonna spy, spy, spy, spy, spy... fans can't shake cam off, shake cam off

Aodhhan Bronze badge

So many security people who are saying--instead of asking.

This isn't about capturing people's facial data...

...it's about what is being done with it?

Of course we know the obvious, but is the data being wiped as soon as the concert is over, or is it being saved? Is it being sold? Who is given access to it? Are the methods used for collection secure?

As horrible as it is for the USA to regress and become England, it's bound to happen--the gov't spying on us all; everywhere. Eventually Democrats will find a silent way around the 4th and 5th amendments. Likely saying one thing and doing another.

US elections watchdog says it's OK to spend surplus campaign cash on cybersecurity gear

Aodhhan Bronze badge

Another Investment Opportunity for Congress

Love it when Europeans think they have a handle on how politics work in the USA.

What this means is: now every member of Congress will have one of their buddies start up a cybersecurity firm (which of course, they themselves will heavily invest in). Then the senator or representative will hire this firm and funnel excess cash to their friends.

They really don't care if their website or network gets pwned or not. They just want to be able to funnel money so they can make money.

Salesforce has named a chief ethics officer and yes, the job description is appropriately woolly

Aodhhan Bronze badge

How Left Sided

They will appoint someone, who has no idea what it's like to be poor--or know first-hand any hardship an individual may face.

Like most moronic decisions which lean to the left, they will side and promote any idea being touted by the loudest squeaky wheel... which of course, will be the whacked out media.

In short, it's just a round-about way of still selling out. You're just ensuring you have more options and choices while doing so.

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

Aodhhan Bronze badge

What's next.

For safety's sake... we will now torture you, to ensure we find all narcotics and any chemical which can be used to make explosives.

US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That'd be the UK

Aodhhan Bronze badge

When someone bad mouths you--what do you think?

Why is it, people in England always try to compare/contrast themselves to the USA? Having lived in both countries, I know very well... they are two very different cultures and have many differing ideals.

One thing I always thought was funny, is how many English think they know anything about America. Fact is, they only know what their press tells them. It's interesting, the English know how inaccurate their press is when it comes to stories about their own people and have little trust for the press--except when it comes to information about the USA. Then of course, their press is perfect. Ludicrous, right?

Take Trump stories. English press only present to the people bad things without saying one of the many good things he's done. Does it occur to you why Trump's favorability numbers are increasing in the USA?

Most Americans get why the English keep odd scores on things, like it's some sort of competition--but the fact is, most Americans don't really care what people in England think, but Americans do take note of the constant bad mouthing from England.

For those who think America believes it pushes their will upon other nations and has double standards:

Americans are more than happy to keep their money at home and let another country take over the leadership of the world--but nobody else steps up. Not even the UK. Seems the UK would rather be a critic than a leader. Any moron can take this position on things, right? France's President Macron proves this point well.

Step up or shut up. Otherwise, all you appear to be is an underachieving loudmouth with an inferiority complex.

Oracle's JEDI mind-meld doesn't work on Uncle Sam's auditors: These are not the govt droids you are looking for

Aodhhan Bronze badge

DoD's opinion is sound

Fewer cooks in the kitchen working on the same pudding. Especially in the upper management tiers.

It is only unsound, if there happens to be a catastrophic vulnerability which cannot be monitored for and cannot be mitigated, which is very rare these days.

Not to mention, it's a lot easier to monitor one set of products, instead of many; where, when there is a problem--everyone points blame on everyone else. In the case of one vendor, the buck/responsibility is easily attributed to... and quickly rectified.

The DoD has been the InfoSec model for the USGov't. InfoSec w/n the DoD began to lock down things in 2007 (DIACAP) with increased responsibility laid on IASE/DISA and then more in 2014. After the 2016 elections, the rest of the Gov't was made to come on board with the additions to the CSA.

While most of the US Govt has been a laughing stock for InfoSec, the DoD--with some exceptions--has been doing it right for a while. Not to mention, the requirements the DoD laid out over the past 15 years when bidding out contracts have arguably been the biggest drivers of InfoSec infrastructure development covering the entire stack. Especially in high speed, low frequency wireless security.

Oracle, careful what you ask for. Ask Cisco what happened when they began to demand and attempt to pin the DoD into a corner. Suddenly, they were losing contracts (and good engineers) they sat on for years to minority, female veteran owned companies.

Don't ever think you're the only game in town, especially with DoD contracts. The blue collar personnel working on them just move to the company who wins the contract, and business goes on as normal...well, except for your stockholders.

Aodhhan Bronze badge

Oracle, you should be happy.

Now perhaps, you'll have extra time to look into plugging up all the friggen holes in your databases and other products.

Thankfully, more and more companies have stopped purchasing Oracle products.

New era for Japan, familiar problems: Microsoft withdraws crash-tastic patches

Aodhhan Bronze badge

The ignorant has so much to say, but a helluva lot more to learn.

The words from the world of the non-coders--ignorant as ever.

An intelligent individual recommends thoughtful solutions.

A fool talks down to others without any conscious thought or insight--obviously, because they have none.

You did accomplish something; since we can now say, we know more about you than you know about compilers.

Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

Aodhhan Bronze badge

Apparently not responses from real Security Professionals

I'm among the last to give Amazon any kudos or praises, but let's do an honest gut check.

If you believe this looks phishy, then you're a ripe target for a well built phishing email.

You're basically stating, if it looks professional and is well written, then the email is legit.

Going off grammar or spelling is a method. Just look at the responses to this forum!

In fact, you should treat all unsigned external emails the same. No matter how they look or are written.

At any time there is a question... get off your fat ass and investigate it. The return URL is legitimate enough that, if you would have followed up on it, your question would have been answered within 5 minutes.

If the URL would have been slightly different, but questionable, there are security tools--such as Fiddler--which you should, as an IT professional be very comfortable using by now.

Large organizations should have a mailbox employees can forward an email to, so an InfoSec employee can make a determination.

In many of our red team out briefs, we comment on how an organization can spend $2 Million on security devices, but it will not do much good if they don't spend money hiring active--as opposed to lazy--IT and InfoSec professionals.

MIT to Oz: Crypto-busting laws risk banning security tests

Aodhhan Bronze badge

Politicians.

It appears even politicians down under are moronic.

Legislating against free speech (which this law will obviously do) doesn't mean someone won't tell someone, who tells another... and so on. Things slip out, mistakes are made... and others make the conscious effort to be jerks.

Unfortunately, as long as we keep electing officials without technical and computer expertise backgrounds... politicians are going to keep creating laws--which initially sound good--but have unintended consequences in the end, because of things they cannot see nor comprehend.

Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff

Aodhhan Bronze badge

Olaf... I see you've never worked at a large company where many individuals work together to design and build a product.

To say you must do more to secure information is a pretty obvious statement. Do you think companies don't know this? C'mon, you're smarter than this.

When you have 500+ people working on a project--some at other locations, to simply secure it on a private network isn't as easy as it sounds. Even if you employ best practices and proper security devices, there are many attack points. Even a novice InfoSec professional knows this and can point many out.

I've been a red team professional for nearly 10 years--even when companies do everything right to secure their systems, we manage to find a weak point to exploit within 30 days. A nation state has all the time in the world to do this, along with employing a workforce dedicated to working on zero days; on a variety of different and popular software. If you don't understand there are thousands of zero days available to nation states (which they keep secret), then you probably should consider working in another field.

All of this is pretty obvious to an experienced InfoSec professional. Especially those who keep up with the latest offensive security attack methods/techniques. Along with understanding you have a lot to learn--and should begin to consider not the obvious, but the unique and ambiguous.

You may also want to consider withholding judgement until you have a lot more experience.

Aodhhan Bronze badge

Re: Hypocritic US

Gathering information from a network in order to ensure national security is a lot different than theft of intellectual property. This shouldn't be too difficult to comprehend.

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Aodhhan Bronze badge

Put away emotion and rethink

In the USA, you can't just force an individual or an organization to do something unless national security or public safety is at risk. Americans have every right to be as ignorant as they want to be.

To say security will not get better without government interaction is ignorant in itself. Security has gotten much better without government interaction. Corporations have also moved to be a lot more secure--again, without government interaction. Most companies want to become more secure faster, but the costs outweigh the risk in many cases. Don't forget the risk management aspect.

So if this is the case, why is IoT so insecure? Well, consider where many of these products are made, then ask yourself if these countries have an interest in secure IoT; as well as if they have something to gain if there are a great deal of IoT devices in western countries.

Another aspect is how new IoT is. Companies kick out IoT devices fast to make money and ignorant consumers rapidly purchase them so they can boss around Alexa and brag about it. Security is an afterthought, and will be until consumers begin to demand it. A company has to compete with many others, adding security costs money--they can't sell a product which costs $20 more than competitor products.

The answer isn't government involvement. In fact, the last thing you should want is the government sticking their hands into my or anyone's business. Taxes are high enough.

The answer is educating consumers so secure products are what begin to sell, and become in demand. You know... this whole free enterprise thing.

It drives me crazy anytime people start expecting the government to step in and make changes. If you're intelligent enough... get up and make a difference yourself--else your taxes will increase and minimum wage will stay low. When is the last time you've asked a company for a more secure IoT device? Do you educate friends, family, coworkers about the dangers and risk of IoT--in a manner they can understand? How does insecure IoT negatively affect their family?

Start educating people on the risks associated with IoT, and how it can negatively affect their family. Do this and you'll see people forcing change. Without additional taxes and/or politicians finding a way to corrupt it.

Morrisons supermarket: We're taking payroll leak liability fight to UK Supreme Court

Aodhhan Bronze badge

Poor article--Where is the information on due care

Horrible investigation by the author. It leaves far too many questions unanswered.

No mention of whether or not the company has policies in place regarding data--or if the company practices proper due care and due diligence. Which is going to be the centerpiece.

Due care is often the primary checkbox item regarding negligence and liability. The article should have really pursued this aspect--and failed to do so.

Did the employee have to circumvent policies/procedures... or was the data just handed to him?

When and how did the company find out about this?

Was a background investigation required for certain employees? ...on and on.

If a company doesn't do anything to protect data--especially regulated data--then it is negligent. Data must be protected logically as well as administratively. A person shouldn't be able to just ask for or have access to all data without controls.

Companies all over the globe are learning the hard way about due care.

Ex spy bosses: Cyber-warfare needs rules of engagement for nations to promptly ignore

Aodhhan Bronze badge

More Oracle Crap

Every year Oracle touts how wonderful their technology is, and how they've jumped light years ahead of competition when it comes to security.

This year is no different.

I'm willing to bet nothing will change this year. Oracle will still over charge for its products, will still have more vulnerabilities than other systems, and will take a ridiculous amount of time to patch these holes.

Fortunately, I work for an organization which has greatly reduced the amount of Oracle products in the enterprise.

Hunt for Red Bugtober: US military's weapon systems riddled with security holes – auditors

Aodhhan Bronze badge

Not shocking

Having worked in the DOD as a civilian--many of us have left the DOD for bigger paychecks. Why work for 90K when you can get nearly twice as much working for civilian companies? All who are now heavily investing in InfoSec. Another up-side is I don't have to live life like an angel... worrying about losing my security clearance... and/or having my life turned upside down every 5 years dealing with a clearance investigation.

This is putting the DoD in hard times with InfoSec. Most of the civilians/military leadership O-5/GS-15 and above aren't proficient in technological computer fields--let alone information security. They are pilots, business grads, etc. Almost everything but a computer engineer, MIS, development, etc. education. So they aren't exactly proficient at leading--or understanding the support needs of computer professionals. Such as security hardware, cloud infrastructure, etc. Since they don't understand it... they don't get the right items implemented and make poor decisions.

Until the DoD and defense contractors get in line with civilian salaries, they will only be able to attract professionals right out of college--only to watch them leave after 4 years.

Boffin: Dump hardware number generators for encryption and instead look within

Aodhhan Bronze badge

Re: Interesting effect, wrong explanation

Apparently you didn't read the paper, and/or you don't understand it. It isn't about clock cycles. It's about side channel measurement of fine performance benchmarks and the differences noticed in these benchmarks between like CPUs.

Consider the variation in performance affecting entropy if one processor's temperature is 7 degrees cooler than another--among other performance changing variables; such as workload.

Don't you love people who make crazy claims without at least trying to understand what is being said?

Trump's axing of cyber czar role has left gaping holes in US defence

Aodhhan Bronze badge

Trump did the correct thing here. The cybersecurity tsar position didn't wield much authority; and therefore, not very effective at getting some things accomplished. It's not a position requiring congressional approval.

The job now falls on Homeland Security, which wields a lot more authority when it comes to auditing and review. Homeland Security can now put the entire network infrastructure and operations alongside many other critical systems in order to hand down major penalties to government agencies and their management.

So before Trump bashers start repeating the idiocy of politics--and you really should be smarter than this--you should look at the entire picture, and not just the rants and raves of a few politicians from the DNC (who need to call on their assistants to log themselves in to their computers).

The cyber tsar position was just another one of these "I'm doing something about it" jobs, without any teeth. They weren't in charge of anything but charts and PowerPoint. It is a job which costs taxpayers money, and does little. Even USCERT didn't fall within the grasp of the job, if this tells you anything.

Hacky hack on whack 'Hacky Hack Hack' Mac chaps hack attack rap cut some slack

Aodhhan Bronze badge

Since he used Ubuntu to break into Apple, there will be no job waiting. However, the magistrate appears to be a UNIX geek; lucky for him!

MI5: Gosh, awkward. We looked down the sofa and, yeah, we *do* have intel on privacy bods

Aodhhan Bronze badge

Yeesh

Did the UK hire Hillary and Obama to ensure MI5 was staffed by the same type of people hired to run the intelligence agencies in the USA?

Canadian security boss ain't afraid of no Huawei, sees no reason for ban

Aodhhan Bronze badge

Keep an eye on the bank account

What do you want to bet, Mr. Jones will be moving into a larger house and purchasing a couple of cars within the next 6 months.

Sounds like another individual who is getting paid by companies to endorse them, and/or being forced by the Canadian government not to offend China--since China is the second largest trade partner it has.

If you wish to purchase Chinese electronic products--which have a history of poor security and monitoring customers-- then go for it. I wouldn't want to be the individual who approved taking on this risk.

Have I been pwned, Firefox? OK, let's ask its Have I Been Pwned tool

Aodhhan Bronze badge

Oh no.

Just another product to monitor us and collect data, which can then be stolen and given to the entire world--and then used against us.

Only the foolish trust Google.

While the UN laughed at Trump, hackers chortled at the UN's lousy web application security

Aodhhan Bronze badge

Stop mirroring the media

While I don't think Trump has done more than any other president, he has definitely accomplished more than any other president since Reagan. Especially for the common workers in the USA.

Most outside of the USA only hear bad, made up, and malicious things about Trump so they immediately believe it all. When in reality, his approval within the USA is steadily rising.

The taxpayers in the USA are tired of funding everything without help from allies, and are tired of being on the bad end of trade deals--especially tariffs. In the USA, you can buy European made jeans for about the same price as American made jeans. However, in Europe, you'll pay many times more for American jeans than the European jeans. Also, there will be a limit on the amount of goods the USA can send to another country, but there is no limit on the number of goods sent to the USA.

It's just about being fair. Imagine if your taxes were raised 10% to pay for something in another country.

Then you have to call out things like the Paris Climate agreement crap. To make sure Germany can meet this, they fund companies within their borders to move to a lesser country which doesn't have pollution controls. Germany didn't do anything to limit the overall global pollution, they just diverted the pollution to another country. Then hypocritically yell at other countries for not signing onto the pollution standards, and proclaim how environmentally friendly Germany is.

Here is the real funny part... people in the USA have begun to pay closer attention to the goods they purchase, and have stopped purchasing products from unfair countries. This is why many countries have decided to renegotiate trade deals with the USA without making too much fuss. Right now, America's economy is very strong, and companies are rewarding workers with higher wages and better benefits. If you're another country, do you really want to discourage Americans spending their money on goods from your country?

The ones you should really be kicking in the teeth is the media who freak out for no real reason and make up false stories and accusations on a president who is gaining in popularity within his own country, especially with the common working people.

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Aodhhan Bronze badge

This is only true, if they leaked what they found. Which of course, they don't do. GL

What's worse is a vendor who knowingly releases a product with vulnerabilities. This happens every day. As a penetration tester, I'm amazed at how many vulnerabilities are in high dollar commercial products. Like the applications which manage systems, your money, or keep data on you and your family. Some of these vulnerabilities were so easy to find, there is no way they didn't know them if they conducted proper due care and due diligence in their QA procedures.

Some credential-stuffing botnets don't care about being noticed any more

Aodhhan Bronze badge

Only a matter of time

Since most organizations don't build a robust network operations center to monitor live security events, nobody will notice these attacks occurring until well after the fact--most likely on some weekly report.

If we've learned anything from recent attacks on large organizations, it is: it takes a while before anyone notices. So it was only a matter of time before malicious hackers started to take advantage of this.

Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

Aodhhan Bronze badge

Ironic part is

...the information leaked is the same information political campaigns purchase on all of us so they can better target the public for contributions.

You'll probably never see politicians outlaw the collection of certain data, since they themselves profit from it. Every habit you have, each item you purchase is collected and added to your own little private database for a company to sell. Trends, movements, purchases, etc. It's all bought/sold.

Human metadata is the new gold, and politicians can't get enough of it.

Never mind Brexit. UK must fling more £billions at nuke subs, say MPs

Aodhhan Bronze badge

Hard solutions

First problem is career politicians who want to politicize the military.

Second: Stop worrying about the rest of EU. They don't care. So UK can't depend on them. The EU is so crooked, I wouldn't count on them to deliver diapers to the poor in Brussels.

Third: The bulk of Russia's sub/naval force is housed at Polyarny, meaning, to get to the Atlantic, they are going to traverse the North Sea. So, to protect the UK, there needs to be a strong and stealthy naval defense force. So get it done, politicians... or perhaps, we should do better at voting out career politicians.

Fourth: Because UK doesn't have enough subs to do a proper in/out rotation, sub crews are forced to go on longer deployments. Which means you will have retention problems.

Fifth: Dismantling ships and disposal of nuclear propulsion systems. This is a problem because career politicians only worry about themselves at this moment; they'd rather push off things to the next person in office (especially when the opposing political party is likely to be in power in the future). So they aren't forward thinking... and dismantling and disposal isn't typically something they can speak on to get votes.

C'mon, biz: Give white hats a chance to tell you how screwed you are

Aodhhan Bronze badge

LOL @ Dunn

Once again, Mr. Dunn hasn't done a lot of forward thinking and proper research.

If all of this is true, (about bounties and poor development practices) then why do most software vendors have occasional security updates?

Probably a majority of bugs are reported back to a vendor from customers who conduct tests (including penetration tests) before completely committing to purchasing their product. Most large corporations now, either have penetration testers (or contract this out) to evaluate the application's security.

Usually, a penetration test is outlined in the agreement between vendor and customer. Companies can no longer get away with saying you can't pen test their product before purchasing it.

It's not unusual to find security vulnerabilities. When we do, it's usually taken care of quickly and without fuss from the vendor. Also, customers don't demand money for doing the pen test, since it's part of their due care/due diligence. However, it's not uncommon for a customer to point out the vulnerability and then not release all of the details. I mean, we aren't paid by them to pen test their software. :) ...so the vendor is forced to figure a lot out on their own, which they typically do well once it's pointed out.

So, that a software vendor doesn't offer bug bounties, or doesn't have a program for the general gray hats to make money on, doesn't mean they aren't focused on security, or that their software development methodology is poor.

Because of all this, why would a company offer a large bug bounty if they have a product which is being used by many? Consider just how many ridiculous claims and false findings you'd have to deal with from this type of program. Many companies who do have bug bounties aren't really doing it for security... they are doing it as a marketing stunt. It's good publicity, usually gets another story or two published... and nobody knows they don't really do much with the program after a couple of months, once the marketing boost from it begins to wear off.

...speaking with one Dutch company about bug bounties (which doesn't even have a bug bounty program of its own) isn't exactly proper research. LOL

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

Aodhhan Bronze badge

Ignorance

I can tell the author doesn't have a lot of experience in InfoSec. Neither do many of the commenters. I've been penetration testing for over 15 years, so I've noticed many security cock-ups, poor risk management, etc. What I see more of, though, are people making comments without thinking them through.

First-- Re-walking and following the exact steps a hacker took on your system is commonplace. It's often necessary to ensure you find everything. This is particularly important with databases, where there is a lot of information, usually too much for the hacker to scrape and copy in full; so you need to figure out exactly what was copied, removed and/or changed. NOT REWALKING THE STEPS is considered negligent. Making fun of it like this author does is ridiculously stupid.

Second--ANYONE who thinks their system is so secure because they do everything right is a moron. Not ignorant, but a moron. This includes certificate management. I'm willing to bet I can find a bad cert somewhere in your network. I find them about 70% of the time I look. Or I find they aren't bound correctly, etc. Chances are your network has at least one, and the system using it doesn't fail because of it.

Third--No doubt Equifax messed up on this; however, if you don't get why a system doesn't quit working due to an expired certificate, then you haven't worked with really large networks. Also remember, this type of risk is often accepted. Probably on your network as well.

Fourth--Speaking of risk acceptance. Chances are your CIO has accepted some risks, and at first glance (since you're ignorant and don't get the entire picture) you would think he's crazy to do so. ALL NETWORKS HAVE ACCEPTED RISKS.

Fifth-- Struts was a particularly nasty beast: an easy-to-do remote exploit (even for you script kiddies) which was being actively exploited the same day it was published. Many companies decided to wait until Monday to patch it and fell victim to it. Many more would have fallen victim to it, but were saved by proxy systems being correctly configured to stop outbound traffic. Heck, the system you work on may have been hit and exploited, but saved because of an outbound setting. So... be careful what you gripe about.

So before you begin to throw stones (and nobody in InfoSec should), look at your company's network to see how many exceptions to policy and larger network accepted risks there are.

Also, anyone in InfoSec who believes their network is completely secure from malicious activity should give up this career field, because you don't have what it takes to think forward enough to do the job correctly. All large networks are vulnerable in one way or another... ALL OF THEM. The key is how you respond and gracefully recover from an attack... not just how you work to stop it.
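
Editor's added example, not part of the comment above: the "rewalk the steps" scoping the commenter describes, in working form. Statements recovered from the application logs are replayed against a copy of the data, each inside a transaction that is always rolled back, so a destructive statement can be measured without altering the evidence copy. The table, rows and attacker query log below are all constructed for illustration; the single table name `customers` is an assumption.

```python
import sqlite3

TABLE = "customers"  # assumption: the one table the intruder's statements targeted

# Constructed sample rows standing in for the breached database.
SAMPLE_ROWS = [
    (1, "alice", "111-22-3333", "OH"),
    (2, "bob",   "222-33-4444", "GA"),
    (3, "carol", "333-44-5555", "OH"),
    (4, "dave",  "444-55-6666", "NY"),
]

# Constructed sample: statements recovered from application logs, in the order they ran.
ATTACKER_QUERY_LOG = [
    "SELECT id, name, ssn FROM customers WHERE state = 'OH'",
    "SELECT id, name, ssn FROM customers WHERE id > 3",
    "DELETE FROM customers WHERE id = 2",  # destructive: replayed, then rolled back
]


def build_db():
    # isolation_level=None puts sqlite3 in autocommit mode so we control BEGIN/ROLLBACK.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, state TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def _snapshot(conn):
    return set(conn.execute(f"SELECT * FROM {TABLE}").fetchall())


def replay_queries(conn, queries):
    """Run each logged statement inside a transaction that is always rolled back,
    recording which record ids it returned (reads) or would have altered (writes)."""
    report = []
    for q in queries:
        conn.execute("BEGIN")
        try:
            before = _snapshot(conn)
            cur = conn.execute(q)
            if cur.description:  # the statement produced a result set: a read
                rows = cur.fetchall()
                cols = [d[0] for d in cur.description]
                ids = {r[cols.index("id")] for r in rows} if "id" in cols else set()
                report.append({"query": q, "kind": "read", "rows": len(rows),
                               "columns": cols, "ids": ids})
            else:  # DML: diff the table to see exactly which rows it touched
                changed = before ^ _snapshot(conn)
                report.append({"query": q, "kind": "write", "rows": cur.rowcount,
                               "columns": [], "ids": {r[0] for r in changed}})
        finally:
            conn.execute("ROLLBACK")  # the evidence copy is never left modified
    return report


def summarize(report):
    """Collapse the per-statement report into the sets an incident lead needs:
    which ids were exposed to the attacker and which would have been altered."""
    read = set().union(*(r["ids"] for r in report if r["kind"] == "read"))
    written = set().union(*(r["ids"] for r in report if r["kind"] == "write"))
    return {"read": read, "written": written}


if __name__ == "__main__":
    rep = replay_queries(build_db(), ATTACKER_QUERY_LOG)
    for r in rep:
        print(f'{r["kind"]:5} {r["rows"]} row(s) ids={sorted(r["ids"])}  {r["query"]}')
    print(summarize(rep))
```

Replaying against a copy rather than the production database is the point: the rollback guarantees the copy stays identical to the evidence, and the per-statement report (rows returned, columns exposed, ids touched) is exactly the list that has to go into a breach notification.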

Former Detroit IT boss sent down 20 months for bathroom bung bonanza

Aodhhan Bronze badge

Add another

Detroit has been destroyed under poor leadership for the past 40 years.

It's had more than its share of educators and overpaid city employees who have done some pretty outrageous crimes. Usually, they don't get very harsh sentences. This doesn't seem to be an exception.

Whoever stated Detroit isn't a large city should really learn to at least consult "the Google" and spend 10 minutes educating themselves. The entire Detroit-Windsor area is quite populated.

Also, most of the "abandoned" buildings and s-hole areas have been demolished, and corporations are beginning to move back to Detroit. Don't you just hate people who only 'relay' bad information, instead of having the brain power to do their own fact checking?

Although it's far from being anything spectacular, it's still better than NYC, Chicago, Cleveland and other cities with abandoned, s-hole neighborhoods.

Princely five years in US big house for Nigerian biz email scammer

Aodhhan Bronze badge

The fine may seem small, but the companies who were affected by the scam will file civil suits against the men to get their money back. Not only will the companies be awarded what was taken, but it's likely punitive damages will be awarded as well.

When all is said and done, along with legal fees, these guys will be lucky to have any money left. Even if they had $20 mil in the bank before the scam.

Solid password practice on Capital One's site? Don't bank on it

Aodhhan Bronze badge

Don't forget

...when you use copy/cut and paste, you're leaving behind the information on a notepad which survives reboot; and this notepad is easily retrievable.

Email security crisis... What email security crisis?

Aodhhan Bronze badge

Memo to all Personnel

Attention,

Due to the recent threats and a need to have a system we can store state secrets on, I've ordered our email server to be moved into a towel closet near a bathroom; where it's unlikely any malicious foreign service will find it. We've also instituted an offline backup system to place important files on the laptop computer of my assistant's husband.

Thank you

--Hillary and the DNC--

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

Aodhhan Bronze badge

Re: @Martin Gregorie

If you're going to spill evilness about those on the opposite side of the political spectrum, you may want to at least take a few minutes to look at how embedded you are.

You should consider how fascist your words are.

A fascist doesn't want to hear the other side. If someone doesn't believe what you believe, then they are wrong... and should be punished. --This is fascism.

A fascist doesn't look at both sides. They are stuck on what they are told (rarely looking for the truth).

A fascist sees faith as a bad thing, and belittles anyone who follows religious beliefs.

Finally, a fascist calls others fascist without proof... oftentimes without knowing what the word actually means, because they've spent so much time just repeating what they've been told to say.

Attempting to apply 'tribalism' to religion is so completely ignorant, it's clear you don't have any original thoughts of your own, and you've never stopped to use the cognitive creative abilities your brain does have. You may want to try critical thinking for once. You'll find your life suddenly becomes a lot more enjoyable and filled with less hate.

Voyager 1 left the planet 41 years ago – and SpaceX hopes to land on Earth this Saturday

Aodhhan Bronze badge

No math outside USA, China and Germany?

Is it only the USA and Germany which bridge mathematics and science in school?

The ISS is moving at ~17,500mph because of orbital mechanics. If it were going slower, it would fall back to earth. If it were going a little faster, it would increase its orbital altitude; if it were going much faster... say 25,000mph, it would escape earth's gravity.

Consider how fast an object must be going to maintain earth orbit, then how fast something needs to go to escape earth's orbit. Finally, work out how fast something must go to escape the grasp of the sun. Most objects don't decelerate due to friction; they decelerate from the gravitational pull of a large object, such as a large planet, star, etc.

If you don't believe 35,000mph is fast, perhaps you should consider just how fast it really is. If you were watching traffic on a road on which the speed limit is 35,000mph, you wouldn't see the traffic go by, and you couldn't turn your neck fast enough to keep up, even if you were 5,000 feet from the road.
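
Editor's added example, not part of the comment above: the two speeds the commenter quotes, worked from the circular-orbit relation v = sqrt(GM/r) and the escape relation v = sqrt(2GM/r). The gravitational parameter and radius are standard published values; the 400 km ISS altitude is a representative assumption.

```python
import math

GM_EARTH = 3.986004418e14   # m^3/s^2, Earth's standard gravitational parameter
R_EARTH = 6.371e6           # m, mean Earth radius
MPH_PER_MPS = 2.2369362921  # 1 m/s expressed in miles per hour


def circular_orbit_speed(altitude_m):
    """Speed that keeps a body in a circular orbit at this altitude: any slower and it
    falls inward, any faster and the orbit becomes elliptical with a higher apogee."""
    return math.sqrt(GM_EARTH / (R_EARTH + altitude_m))


def escape_speed(altitude_m):
    """Speed at which kinetic energy equals gravitational binding energy at this radius;
    the ratio to the circular speed is exactly sqrt(2)."""
    return math.sqrt(2.0 * GM_EARTH / (R_EARTH + altitude_m))


def mph(speed_mps):
    return speed_mps * MPH_PER_MPS


if __name__ == "__main__":
    h = 400e3  # m, assumed ISS altitude
    print(f"circular orbit at {h / 1e3:.0f} km: {mph(circular_orbit_speed(h)):,.0f} mph")
    print(f"escape from that radius:       {mph(escape_speed(h)):,.0f} mph")
```

At 400 km this gives a little over 17,100 mph for the orbit and a little over 24,200 mph to escape, which is where the commenter's rounded 17,500 and 25,000 figures come from.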

Wannabe Supreme Brett Kavanaugh red-faced after leaked emails contradict spy testimony

Aodhhan Bronze badge

ROFLMAO

First off... the emails weren't leaked as first reported. They were approved the evening before by the Senate sub-committee. Senator Booker introducing them was just putting together a grandstanding moment for the crowd, in hopes of becoming a front runner for president.

If you read everything thoroughly, you'll find in each case it shows how the nominee is actually very UNBIASED in his opinions (which is why not a lot was really talked about during questioning in the afternoon, or made headlines), protecting the freedoms of everyone from all ethnic backgrounds, despite Islamist terrorists attacking the USA a week earlier.

As far as being read into a program: there are items which can come from a program which are declassified, or classified but releasable outside of its SCI container. This often happens for certain high ranking government officials, judges, etc. with a need to know.

It's amazing how people immediately disregard facts, when lies or 'spin' is brought up on things they wish to hear.

If you want to make a comment when knowing only 2% of the information, and/or without looking at all the facts--instead of looking at everything from all sides--you're free to do so. By now, you're likely used to the taste of toes in your mouth. You will also likely continue to make less than $70K/year.

If you notice, not a lot was brought up in questioning this afternoon... other than grandstanding blah blah questions, and nothing is being made of it today. Well, nothing substantial. I'm sure the far left will still rant and chew on this nothingburger.

Excuse me, but your website's source code appears to be showing

Aodhhan Bronze badge

Re: Not the root problem

Here's a quick run-through of why you're SO VERY WRONG.

Any code visible to a hacker is potentially a weakness... if not today, then tomorrow. This goes for encryption as well. Typically, developers are 'too busy' to maintain every part of the code.

The most prevalent weakness in web sites is in not updating/upgrading code developed in out-of-date environments. For instance, using jQuery 1.7.x (which I see a lot), when the current version is 3.3.x. You can even find old .NET web apps, etc. Yeah, a lot of exploits in there.

Giving me access to code allows me to scrape the website and go to town. If I don't find a weakness, it sure makes it easy to duplicate the site and redirect users to the copy. Because there is so much code, I can get not only authentication credentials, but likely internal information, such as an account number, social security number... you get the picture now.

If the directory isn't locked down, what would you do if someone... say, updated the code for you? ...think malicious thoughts.

If you think none of this is possible, then what we can tell from you is--you don't have much experience in the real world. So we think "Bullseye"!
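
Editor's added example, not part of the comment above: a check for the out-of-date-library problem the commenter describes (jQuery 1.7.x still shipped when 3.x is current). It pulls every `<script src>` out of a page, extracts a version number from the path where one is present, and flags anything below a chosen floor. The version floors are illustrative assumptions, not a vulnerability database, and the sample HTML is constructed rather than captured from any real site.

```python
import re

# Assumed floors: includes older than these are reported. Adjust to your own policy.
MINIMUM_VERSIONS = {
    "jquery": (3, 0, 0),
    "bootstrap": (4, 0, 0),
}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
# library name, a separator, then major.minor[.patch], all inside one path segment
LIB_VERSION_RE = re.compile(r'(jquery|bootstrap)[^/]*?[-./](\d+)\.(\d+)(?:\.(\d+))?', re.I)


def parse_version(match):
    """Turn the numeric groups of a LIB_VERSION_RE match into a comparable tuple."""
    return tuple(int(part or 0) for part in match.groups()[1:])


def find_outdated_libraries(html):
    """Return (library, version, src) for every script include older than its floor."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = LIB_VERSION_RE.search(src)
        if not m:
            continue  # no recognisable version in the path: cannot judge it from here
        lib = m.group(1).lower()
        version = parse_version(m)
        floor = MINIMUM_VERSIONS.get(lib)
        if floor and version < floor:
            findings.append((lib, ".".join(map(str, version)), src))
    return findings


# Constructed sample page, not captured from any real site.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-1.7.2.min.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="/vendor/bootstrap/3.4.1/js/bootstrap.min.js"></script>
<script type="text/javascript" src="/js/app.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for lib, ver, src in find_outdated_libraries(SAMPLE_HTML):
        print(f"{lib} {ver} is below the floor: {src}")
```

The check only sees what the path advertises; a file renamed to `app.min.js` carries no version and is skipped rather than guessed at, which is the honest result for a scan that never opens the file.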

Spies still super upset they can't get at your encrypted comms data

Aodhhan Bronze badge

No way.

Look... we voted out the Obama--Clinton powerhouse Dems, who abused their powers and continue to slow down progress by throwing false and malicious accusations at innocent people.

We learned from the Obama era that even the FBI, MI6 and CIA can't be trusted... even within these organizations it's possible for people at the highest levels to become corrupt and unfair.

As someone who does pen testing and red teaming for a living: those who concentrate too much on encryption often leave other weaknesses wide open, because people are, for the most part... lazy and forgetful.

Detroit sh*t shifter's operating costs waste away with Oracle's cloud

Aodhhan Bronze badge

The brain trust of the sewage department has spoken

Yes, I'm sure the brightest computer scientists and engineers stand outside in the Michigan sunshine... err, snow drifts, to queue for an opportunity to work at the sewage department.

Saving $1Mil is a huge-sounding statement, until you realize where they were beforehand.

Since you chose Oracle... you likely would have saved even more money if you had decided to use something else. You will definitely find you would have a more secure database if you went with one of several different products.

If you had completed a good amount of technical research, you would have found that corporations are moving away from Oracle in favor of 2 to 3 other solutions.

You can't just look at your initial savings; you have to look at savings over the lifecycle of the product... in this case, about 4 years. Not to mention the risk increase/decrease... in the case of Oracle... it's a definite risk increase. Although, who cares if hackers get into the database and start releasing a bit too much chemical into the wastewater? Especially knowing how well the sewer system drains in the old central part of Detroit, even if it only rains 0.25 of an inch.

What's holding you back from Google Cloud? Oh, OK... it was hoping you'd say 'lack of hardware security modules'

Aodhhan Bronze badge

No doubt they have access to the keys, which is why I always believe it's better to use a 3rd party.

The biggest item here is to let us know, with their services, how much latency is added to each of the most common cloud configurations when using their HSM. Also, how much it will cost to decrease the latency. This goes for incoming and outgoing traffic.

The cloud is a great place to reduce time and cost, provided you aren't worried about performance.

ETSI crypto-based access control standards land

Aodhhan Bronze badge

The nanny state kicks in.

Let's make regulations covering every bit of data we can; then, let's make things so convoluted and difficult to interpret that we are sure to get people busted, because finding people educated enough to understand all of these regulations will be difficult.

We must do this because InfoSec professionals are too stupid to figure out how to secure data. Plus, if encryption best practices change, we want to create even tighter regulations to babysit.

...blah blah blah.

-------

I like the GDPR in theory. In practice, we're beginning to see the rich white men in Brussels are trying to over control the industry.

You don't need to make regulations on how encryption is properly done. All you need to do is create laws to hold businesses responsible and punish appropriately. Require that businesses have a robust InfoSec organization within their corporation. Let the professionals, who know a lot more about securing data than politicians, do their job.

Then you don't need to stick your noses in at every turn or cost taxpayers more money than needed... and if big industry changes occur, it's easy to adapt without having to rewrite 35 volumes of outdated regulations.

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Aodhhan Bronze badge

You obviously aren't trained in legal matters.

Businesses also have constitutional rights. A business has the right to not do something, and you have the right not to support this business for their decision. Nobody has a monopoly creating a forced action. Everyone can go elsewhere and make a number of choices.

That being said, neither the EULA nor Debian's lack of action is against the GDPR or anyone's constitutional rights in any country in Europe.

SuperProf gets schooled after assigning weak passwords to tutors

Aodhhan Bronze badge

Re: At Superprof we take security seriously and know how key it is to the running of our business

Taking security seriously doesn't mean you have cousin Nigel--educated by the London public school system and flunked out of taxi driving school--audit your security practices.

Taking security seriously means you've built your security policies and procedures around industry best practices, and annually have an outside agency audit your security and risk management programs. Then you take the audit to heart and make changes as necessary to constantly improve.


Biting the hand that feeds IT © 1998–2019