* Posts by Norman Nescio

272 posts • joined 7 May 2008


Silent running: Computer sounds are so '90s

Norman Nescio
Bronze badge

One reason for removable batteries...

When the craze for personalised (loud, obnoxious) ringtones was at its height, it was an unfortunately common occurrence for people at my then workplace to wander off to interminable meetings leaving their phone behind on their desk. If someone then tried to get in contact with the wanderer, you got subjected to several bouts of uninterrupted ring-tone. If you were polite enough to answer the phone for them, all you got for your trouble was a request to take down a Dostoyevsky-length message.

The nice beyond the call of duty would take a message.

The next nicest would pick up the phone and go and look for the wanderer.

The next nicest people would set the phone to silent, so the wanderer could see the missed calls.

The next nicest would turn the phone off.

The next nicest would turn the phone off, and place it in a coat pocket or other obscure hiding place belonging to the wanderer.

The next nicest would remove the phone's battery. For some phones, this removed the power to the real time clock, requiring navigating the time and date setup menu to reset it when the battery was put back in. Hiding the battery was optional.

And on one occasion, a colleague who had suffered enough very deliberately fetched a large glass of water, took the noisy phone and placed it in the glass on the wanderer's desk.

18
0

Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage

Norman Nescio
Bronze badge

Re: Some unpatched models have OpenWrt available

>> As ever, OpenWrt might not be appropriate for your needs

>I can't imagine a scenario, where it is less appropriate than a D-Link vendor image.

There can be circumstances where the vendor image is 'better'.

Sometimes OpenWrt only works on specific hardware revisions of the routers, as vendors sometimes change the chips used without changing the model name, and if OpenWrt doesn't have drivers for the new chipset, it won't work. In addition, there are bits of hardware that might not be supported even if the rest of the router works - for example (V)DSL modems or mobile network modems, as again, OpenWrt doesn't have the drivers. Finally, vendors might make use of capabilities that OpenWrt can't (yet) such as hardware offloading for NAT. In the last case, this means a vendor image might have a substantially higher throughput than an OpenWrt image.

This might seem like I have a downer on OpenWrt. I don't, and use it extensively myself on a small flock of carefully chosen routers. But it is as well to be aware of the understandable limitations, as many vendors either won't, or can't (for legal reasons) provide the necessary documentation or drivers to the OpenWrt project for the project to use. A lot of work has to be done by patient reverse-engineering, and I take my hat off to those who do this work. I have nothing but praise for the (mostly) volunteers who do the hard work to provide the OpenWrt images for everyone else to benefit from.

In short, OpenWrt is not a magic panacea for SOHO router woe, but if you know what you are doing, and the limitations are acceptable for your use, it is a very useful tool to have.

9
0
Norman Nescio
Bronze badge

Some unpatched models have OpenWrt available

For some of the affected devices, he wrote, there won't be patches. The vulnerable units are all in D-Link's DWR range: the DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912, DWR-921, and DWR-111. Most of these, Adamczyk claimed, will be left unpatched because D-Link told him they're end-of-life; only the DWR-116 and 111 would be fixed.

A couple of the above models without patches have OpenWrt images available for them.

DWR-512 hardware version B - https://openwrt.org/toh/d-link/d-link_dwr-512_b

DWR-921 hardware version C1 & C3 - https://openwrt.org/toh/d-link/d-link_dwr-921

and for completeness, one of the to-be-patched models does too:

DWR-116 hardware versions A1 & A2 - https://openwrt.org/toh/d-link/d-link_dwr-116

As ever, OpenWrt might not be appropriate for your needs, but it might get you out of a hole.

21
0

Microsoft Windows 10 October update giving HP users BSOD

Norman Nescio
Bronze badge

Re: So who you gonna believe?

Barton Gellman is a little bit more than an average 'newspaper hack'. He led the Washington Post's coverage of the Snowden leaks, interviewing Snowden personally, and quite probably has had to deal with Information Security in an up close and personal way as part of that process - most of which he either can't (or won't) talk about. It's worth reading his Wikipedia profile.

This is not to say his real-world experience trumps Steve Bellovin's knowledge*, but I would say Gellman's background shows signs of at least having relevant knowledge. Purely in journalism terms, he has fairly good credentials:

Gellman has contributed to three Pulitzer Prizes for The Washington Post, winning as an individual, team member and team leader.

I wouldn't characterise him as a hack, and I'd lay good odds on him knowing the difference between Internet Explorer and Windows Explorer.

The actual issue is an interesting one; I suspect a nuanced answer might be appropriate: the average user is best served by applying updates as soon as practicable after they have been applied and found to be good by experts. This allows experts to use their expertise in recovering from unexpected glitches, and the population of average users benefit from across-the-board improvements in security. I suspect Microsoft, in part, moved to forced updates because so many people did not update, exacerbating security vulnerabilities. We all know of devices without firmware updates, even if they are available, because most people don't regard applying updates as important. Microsoft, in theory, should be ensuring that updates go without a hitch (i.e. they are the 'experts' people wait for): and for the most part they do, but failures are, quite rightly, high profile.

I think a good argument can be made for automated updates improving the general level of security, but I would also say that experts should be given the tools to opt out of updates where it is, in their opinion, necessary.

*Steve Bellovin's blog (SMBlog — Steve Bellovin's Blog) is always an interesting read for me. I have learned a great deal from it.

4
0

Russian rocket goes BOOM again – this time with a crew on it

Norman Nescio
Bronze badge

Compare with successful launch video

>>Seems something went wrong even before booster cut-off and staging. See 02:37 min. into this video of the launch, something can be seen detaching from the rocket and spinning around just before the internal shot where the "gravity indicator" suddenly rises and then the bouncing starts. 2 seconds later the debris cloud can be seen.

>According to http://www.russianspaceweb.com/soyuz_launch.html stage 1 is at 117.8 seconds, and the payload fairing is at 157.5 seconds.

> Interestingly, the emergency escape rocket jettisons at 114 seconds. I didn't know it was that early.

Hmm. 02:37 min is... 120 plus 37, or pretty much 157 seconds... but before I leap to a conclusion, the video starts rolling before actual launch. Engine ignition is at approximately 0:40, lift off at approximately 0:44, which makes the object seen at about 157 less about 40 seconds after lift off (i.e. about 117 seconds after lift off) which means that it's not the fairing, but most likely the escape rocket jettison caught on camera, followed shortly after by what should be stage 1 separation.

Compare the video with the (normal) Soyuz Launch video for the launch that carried Tim Peake up to the ISS [ISS] Launch of Soyuz TMA-19M with British Astronaut Tim Peake - look at 2 minutes 50 onwards at quarter speed to see the escape rocket jettisoned (at 2:51) followed by Stage 1 separation (at 2:53 you see the exhaust trail change).

If anything, to my non-specialist eye, the escape rocket jettison looks fine on the failed launch video, then we cut to an interior view of the Soyuz to see the astro/cosmonauts being buffeted around, so we don't see the Stage 1 separation, but we cut back to see the immediate aftermath of the separation, which doesn't look like the nice normal symmetrical Korolev cross.

Many thanks for that link to the Russian Space Web Soyuz Launch timeline.

NN

2
0
Norman Nescio
Bronze badge

Seems something went wrong even before booster cut-off and staging. See 02:37 min. into this video of the launch, something can be seen detaching from the rocket and spinning around just before the internal shot where the "gravity indicator" suddenly rises and then the bouncing starts. 2 seconds later the debris cloud can be seen.

That might be the payload fairing coming off, as planned. You want the fairing near to sea level atmospheric pressure, as you need the aerodynamic shape: but once up high enough, the benefit from the fairing is less than the benefit from dropping it, so you do not need to spend fuel to lift it higher.

I'm not familiar enough with the Soyuz launch timeline to know if the fairing is meant to come off before, during, or after booster separation.

2
0
Norman Nescio
Bronze badge

Ballistic descent

Ballistic descent from the point of a failed booster separation has happened before - in 1975:

Soyuz 7K-T No.39 (aka Soyuz 18a).

There's another write-up here: America Space:'Creeping and Unpleasant': The Near-Space Experience of Soyuz 18A

That hit more than 21G. The astro/cosmonauts train in a centrifuge up to 8G. I've no idea what G-force this one hit, but hopefully survivable without permanent injury preventing them from taking part in later missions.

NN

3
0

Microsoft has signed up to the Open Invention Network. We repeat. Microsoft has signed up to the OIN

Norman Nescio
Bronze badge

The Techrights view

The Techrights view on this is here:

Techrights: Open Invention Network is a Proponent of Software Patents — Just Like Microsoft — and Microsoft Keeps Patents It Uses to Blackmail Linux Vendors

and the recent view on Microsoft joining LOT is here, too:

Techrights: Microsoft Uses LOT Network to Spread Lies and Promote Its Protection Racket

I think it is fair to say, it is not unalloyed enthusiasm.

Techrights point out that Microsoft have a history of selling patents to Non-Practising Entities, who then enforce them, and as the NPEs are not members of OIN, such patents will continue to be used in threatened and actual litigation. Also, Microsoft are not including the exFAT patents in the OIN deal.

1
1

If you haven't already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat

Norman Nescio
Bronze badge

MikroTik Updates

I don't know if it is any use, but it is possible to load OpenWrt on many MikroTik routers.

OpenWrt Table of (supported) Hardware: MikroTik

OpenWrt: Common Procedures for Mikrotik RouterBoard Products

So it might be possible to load OpenWrt if you can't get an updated MikroTik image for an old model. Obviously, I can't tell you if OpenWrt is suitable for your needs. Caveat Emptor and all that.

2
0

Don't make us pay compensation for employee data breach, Morrisons begs UK court

Norman Nescio
Bronze badge

Re: Quis auditdiet ipsos Auditores?

Generally, auditors do not work alone, for reasons that should be obvious, but it seems are not.

Audit teams descend upon you partly because no single member should have access to data without someone else in the team of equal or greater authority signing off on that access. Usually, a senior (internal) auditor (which is what Andrew Skelton was) will be signing off on junior members of the team accessing or collecting data, and will be unlikely to be 'at the coal-face', as the senior auditor's actions will need to be signed-off by the Head of Internal Audit, or some similar entity.

Now, if he instructs a junior member to grab a copy of the payroll database, he can't then sign off the access - that is an obvious deficient control. What happens is an Audit Plan is made in which taking a copy of the database is a part (but see later about normal practice), and it is signed-off by the Head of Internal Audit (or possibly another, independent, Senior Internal Auditor). He should not be able to waltz in on his own authority and grab a copy of whatever he likes. 'Fishing' expeditions are possible, but everything accessed or taken needs to be recorded and counter-signed, with the log audited by someone else. Audit is all about following a process in painful detail.

External Auditors come and review Internal Audit's working practices every so often.

Obviously, once a copy of data is (legitimately) on an Internal Audit's computer(s)*, you pretty much have to trust that it is not being misused - I would not be surprised to learn that in this case a Payroll Audit had just taken place, although I would understand normal practice would be not to take a copy of the payroll database, but to take a (sufficiently large to be representative) random sample of records to check for problems (for reasons that should be obvious).

Being an internal auditor should not give you 'the keys to the kingdom'. It should give you monitored and audited access to a representative sample of parts of the kingdom, precisely to prevent a disgruntled auditor causing great damage - which is what happened in this case.

I would expect one of the audit findings on the Payroll Audit would have been a deficiency in access controls, unless there was a Very Good Reason that the audit department needed a full copy of the database. Audits generally proceed on a representative sample of data.

Audit departments have to be 'squeaky clean' with regard to their own process controls, as they are the ones telling the rest of the company what best practice should be. It doesn't mean you avoid all risk - but deficiencies need to be recorded and agreed as allowable by the board of directors who have the legal responsibility for the proper running of the company. There is nowhere to hide.

Sorry if I've gone on a bit. My years in Internal Audit are coming back to haunt me and I'm getting flashbacks, even though I was never formally certified.

NN

*Computers used for data analysis by internal audit would generally not have Internet access, and follow the rule that client data can be imported or destroyed, but never exported. The only data that comes off those machines are the results, with the exception of secure backups, which are retained so that the audit can be reviewed, either by a separate internal audit team; or by the external auditors.

2
0

Punkt: A minimalist Android for the paranoid

Norman Nescio
Bronze badge

Re: IP52

I share your reservations about KaiOS.

That said, the JioPhone 2 looks interesting, with the Qwerty-keyboard, but since it is only available in India, locked to Reliance's network, it's not something I could play with. As it also seems to be locked to Reliance's walled garden (Jio Store), I suspect KaiOS is aimed at network operators wanting to maintain or increase their ARPU and not paranoid FLOSS junkies like me.

0
0
Norman Nescio
Bronze badge

Re: Why android?

There is the Nokia 8110 4G, which is an HMD Global 'feature phone', with 4G and tethering. It runs a derivative of KaiOS. It is considerably cheaper than the Punkt.

Having got one with the express intention of avoiding Android and iOS, and using tethering to give on-the-go Internet access to other devices, I'll say it is very much a curate's egg.

The derivative of KaiOS ain't open, and it is very restrictive. The UI is very unpolished, and the keyboard is nowhere near as good/ergonomic as the original Nokia 8110. If you can, I would strongly recommend trying one out for a few days before deciding whether to buy one for yourself.

I'm waiting for Sailfish OS 3.0 to be released, hopefully this month, and will likely get a compatible Sony phone, although I'm not over-keen on buying a SONY-branded product ever since the 'CD' rootkit debacle. I console myself with the sophistry that Sony Mobile are a pretty much separate company to Sony BMG - even so, for some people (including me) SONY is a toxic brand.

Assuming Sailfish 3.0 lives up to expectations, the Nokia 8810 4G will become my reserve phone - still useful, but not the daily driver.

0
0

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Norman Nescio
Bronze badge

Taiwanese foundries

I imagine some people may decide it is beneficial to source hardware from Taiwanese foundries, given that politically, that area is not mainland Chinese, Russian, or American/5-9-14-eyes controlled. Of course, you would still need to ensure that your supply chain has not been subverted in some way, given the example of the NSA and Cisco.

Assuring that your hardware has not been Trojanned is a hard problem, which the vast majority of people don't need to worry about. I have every sympathy for those whose job such assurance is.

5
0

China's going to make a mobile OS and everyone will love it, predict ball-gazing analysts

Norman Nescio
Bronze badge

Russia already has an alternative phone OS

Russia has licenced Jolla's Sailfish OS for domestic use.

TechCrunch: Jolla’s Sailfish OS now certified as Russian government’s first ‘Android alternative’

And, although Jolla Oy is a Finnish Limited Company, I believe Rostelecom are what Jolla delicately call a 'strategic investor'. More details here: [Jolla Blog] Rostelecom is new strategic investor.

After the investment, Rostelecom is the largest individual shareholder in the investment company Sailfish Holding Ltd. (Hong Kong) but does not own majority in Jolla Ltd. (Finland). The development of Sailfish OS has always been an international project and the company has an international shareholder base. The Sailfish family includes significant shareholders e.g. from China, and developing the company’s regional licensing strategy requires international ownership.

I don't think it has exactly taken Russia by storm, but it appears at least one phone is (or has been) available: the INOI R7.

2
0

Boffin: Dump hardware number generators for encryption and instead look within

Norman Nescio
Bronze badge

Re: Round and round we go

Whilst technically possible it's not an attack vector you need to worry about. If someone wants to target you that seriously we know from the Snowden disclosures there are easier ways to steal everything you type and everything sent to your screen.

I agree that most people don't need to worry about it... however, some people do, and those that are not targeted can be caught in the crossfire*. As it is a dopant level Trojan, there is nothing to stop this (or something very much like it) having been rolled out across all CPUs of a particular type, and it is possible that it could have been done without the manufacturer's explicit knowledge (serve an NSL on a few key technicians). Much like Intel's Management Engine or AMD's 'Secure Processor' (formerly known as PSP) is present in pretty much all commercially available x86 CPUs you can buy, it may not be possible to avoid a Trojanned RNG. Unless you find a statistical test that demonstrates the RNG has been Trojanned, it passes standard statistical tests, too.

Until the Dual-EC-DRBG malarkey, most people would think such a thing was pure 'tinfoil hat' territory.

Most people and companies are not specific targets of interest to the security and intelligence services, and as you say, don't need to worry about this. Some entirely legitimate commercial organisations do have to worry about such things - for example, if your activities are covered by the Wassenaar arrangement, you do.

It's certainly not a bad idea to run as many statistical test suites as possible, but they never prove that the output is truly random, whereas a failure demonstrates the output is definitely not random.

*Not least, if a malicious entity gains the knowledge of the vulnerability and uses the knowledge to exfiltrate and/or change data for monetary gain.

Further reading:

Stack Exchange: Cryptography - What tests can I do to ensure my random number generator is working correctly?

MERS: Statistical Test Generation for Side-Channel Analysis based Trojan Detection

International Journal of Open Information Technologies vol. 3, no. 5, 2015: Performance analysis of Hardware Trojan detection methods

1
0
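To illustrate the point that a statistical test suite can only reject an RNG, never certify it, here is an added Python example (my code, not from the post or the papers it cites) implementing two of the NIST SP 800-22 tests, the monobit frequency test and the runs test, against constructed bit sequences. The alternating 0101... sequence is perfectly predictable yet passes monobit, the biased one fails both, and a seeded PRNG (deterministic, so useless as a key source) will normally pass both.

```python
import math
import random

ALPHA = 0.01  # NIST SP 800-22 decision threshold: p < 0.01 rejects the sequence


def monobit_p(bits):
    """Frequency (monobit) test: are there roughly as many 1s as 0s?
    Returns the p-value; a small value means the imbalance is implausible
    for an unbiased source."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p(bits):
    """Runs test: does the sequence switch between 0 and 1 at the rate an
    unbiased source would?  Too many switches (0101...) or too few (000111...)
    both give a small p-value.  The test presupposes the frequency
    prerequisite; if that fails, the p-value is 0 by definition."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    numerator = abs(runs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def assess(bits, alpha=ALPHA):
    """True means 'not rejected by this test'; it never means 'proven random'."""
    return {"monobit": monobit_p(bits) >= alpha, "runs": runs_p(bits) >= alpha}


# Constructed inputs (not measurements from any real device).
N = 1000
ALTERNATING = [k % 2 for k in range(N)]        # 0101...: balanced but fully predictable
BIASED = [1] * 700 + [0] * 300                  # 70 % ones, order shuffled
random.Random(20181019).shuffle(BIASED)
_rng = random.Random(7)                         # seeded PRNG: deterministic output
PRNG = [_rng.getrandbits(1) for _ in range(N)]

if __name__ == "__main__":
    for name, seq in [("alternating", ALTERNATING), ("biased", BIASED), ("seeded PRNG", PRNG)]:
        print(name, assess(seq))
```

A sequence that survives every test in the suite may still be fully predictable to whoever knows how it was generated, which is exactly the gap a dopant-level Trojan exploits.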
Norman Nescio
Bronze badge

Re: Round and round we go

I prefer to trust a simple hardware random number generator that uses something like diode noise which is random down at the physics level.

You can only trust it if you built it yourself.

Becker, Regazzoni, Paar, Burleson: Stealthy Dopant-Level Hardware Trojans

the Trojan passes the functional testing procedure recommended by Intel for its RNG design as well as the NIST random number test suite. This shows that the dopant Trojan can be used to compromise the security of a meaningful real-world target while avoiding detection by functional testing as well as Trojan detection mechanisms.

3
0

Why are sat-nav walking directions always so hopeless?

Norman Nescio
Bronze badge

Re: Too many apps

Satellite dishes point south (north in the antipodes natch)

Up to a point. Your average satellite TV dish in the UK will point sort-of southwards, but as the geostationary satellites used to cover the UK are not precisely at 0° longitude, you'll be off by a bit. For 'broad brush' navigation, that doesn't matter, but it definitely isn't precisely south.

If you take the example of the Astra 28.2° E satellites, if you are setting up a satellite dish in the UK, you won't point it directly south (180°), but somewhere between 139° and 147°, depending on where you are.

If you put your location into DishPointer, and select the Astra satellites at 28.2E it'll draw a nice map showing where the satellite dish will point. It's fairly clear that it is not directly south.

9
0
Norman Nescio
Bronze badge

Re: Determining South (in the Northern hemisphere) from a clock

Ooops, sorry - that should be Полярные (Polyarnyye), not Полярная (Polyarnaya) - both mean 'Polar', but it is the first written on the watch dial. Russian is full of hazardous word endings just waiting to trip up English speakers.

4
0
Norman Nescio
Bronze badge

Re: Determining South (in the Northern hemisphere) from a clock

24-hour wristwatches are a thing, most are 'military' designs, and have 24 at the top of the dial.

I have an Aristo Messerschmitt watch - 24 hour dial, 12 at top, counts up to 24. Few 24 hour watches have the 12 at the top of the dial - most have it at the bottom, and even fewer have a zero instead of 24 - the Russian Brand 'Raketa' (РАКЕТА) has a lot of 24-hour models (put: 'Raketa 24-hour' into your Internet search engine of choice), which include the Polyarnaya (Полярная) watch that has a zero instead of a 24 - but still at the top of the dial (Ebay example here).

I don't collect watches, but it looks like there's a pretty large culture of watch collectors, judging by the number of forums and 'interesting' prices one can find looking around the Internet.

4
0
Norman Nescio
Bronze badge

Determining South (in the Northern hemisphere) from a clock

The only time I've used my phone for navigation while walking was to check what time it was so I could work out which direction was north.

Hmm, I wonder if there is an app for that? Point arrow on screen in heading of the sun, and in combination with (GPS or other time source) time, get second arrow pointing due South (in Northern hemisphere), and due North (in Southern hemisphere). GPS or external knowledge could be used to work out which hemisphere you are in.

Note: GPS (with a single antenna) will not tell you which way is North. It determines your position on the geoid only, not heading. You need two points, either by having two antennas, or by moving and taking a second reading before GPS can then calculate and tell you which direction is North relative to the course between the points. Hence the need for a compass of some type (magnetic/gyro/inertial) in combination with GPS for some applications.

Of course, many smartphones have magnetometers in them that can be used to emulate a magnetic compass.

One of my prize possessions is a 24-hour dial wristwatch with mid-day at the top of the dial, which allows you to determine South (in the Northern hemisphere) directly (point hour-hand at sun, mid-day marker points due South). The irritation is that the mid-night marker is labelled 24, rather than 0.

8
0

Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'

Norman Nescio
Bronze badge

Serial number story

If you want a nice story linking serial numbers and security, the 'German tank problem' makes a nice aside. For those unwilling to follow the link, the tl;dr summary is that statistical analysis of serial numbers on captured German tank equipment allowed the Allies to estimate the production rate of the tanks surprisingly accurately. Allotting identification numbers from a large (compared to the number of items manufactured) set of random numbers is advisable if you wish to keep your production rate secret.

5
0
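As an added illustration (my code, not from the post or the linked write-up), the estimator behind the German tank problem and the contrast between sequential serials and identifiers drawn from a large random space; the function names and the figures of 1,000 units built and 20 captured are constructed for the example.

```python
import random


def estimate_total(serials):
    """Minimum-variance unbiased estimator for the German tank problem: given
    k serial numbers observed without replacement from 1..N, the estimate of N
    is m + m/k - 1, where m is the largest serial seen."""
    k = len(serials)
    if k == 0:
        raise ValueError("need at least one observed serial number")
    m = max(serials)
    return m + m / k - 1


def sequential_ids(total_built):
    """Factory-style numbering 1, 2, 3, ...: every unit leaks its rank."""
    return list(range(1, total_built + 1))


def random_ids(total_built, bits=64, seed=0):
    """Identifiers drawn from a space enormously larger than the number built.
    With 64-bit IDs collisions are negligible; a real scheme would still check
    for duplicates before issuing one."""
    rng = random.Random(seed)
    return [rng.getrandbits(bits) for _ in range(total_built)]


def captured_estimate(all_ids, captured, seed=0):
    """An observer sees 'captured' units chosen at random and applies the
    estimator.  Against random IDs the formula estimates the size of the ID
    space, which says nothing about how many units exist."""
    rng = random.Random(seed)
    return estimate_total(rng.sample(all_ids, captured))


if __name__ == "__main__":
    built, seen = 1000, 20                       # constructed scenario
    print("sequential serials ->", round(captured_estimate(sequential_ids(built), seen)))
    print("random 64-bit ids  ->", round(captured_estimate(random_ids(built), seen)))
```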

Bug? Feature? Power users baffled as BitLocker update switch-off continues

Norman Nescio
Bronze badge

Re: Sh*tLocker...

That one-liner is deconstructed here:

Change password on a LUKS filesystem without knowing the password

I'm not sure that works if all 8 keyslots are already occupied; and luksKillSlot needs an existing passphrase to do its job; so you can't simply delete the contents of a keyslot to free it up. You might, in that case, need to get creative with over-writing the LUKS header directly with dd and a carefully formatted input.

If an adversary has root on a running system, you can argue it is 'game over' in any case. LUKS is there to protect data at rest - protecting the disk decryption key when it is in use is a different problem.

3
0
Norman Nescio
Bronze badge

Re: Decrypt-recrypt?

So are Microsoft saying in specific circumstances they decrypt the entire drive for just one reboot to install a security update then re-encrypt it again after it has rebooted?

No, that would take far too long and be susceptible to breaking in less than useful ways if the power fails in the middle.

I expect the way that it works is similar to LUKS. Almost all* of the data on the disk is encrypted using a strong key (call it the 'data-encryption key'). The data-encryption key is then encrypted by a user-chosen password and stored somewhere (either on the disk, or in the TPM, or an external USB drive, or all three). When you unlock the drive, your user password is used to decrypt the actual data encryption key used for encryption of the data, which can then be used to read the data on the disk.

What Microsoft appear to be doing is temporarily storing the data-encryption key in plain text on the hard drive so that a firmware/security update can be done that messes with the other key storage possibilities. Once the update is complete, it should tidy up after itself, removing the plain-text copy of the data encryption key, and you go back to using your password to decrypt the data-encryption key.

In the case of LUKS, it is possible to have up to 8 different user passwords, BitLocker has a slightly different implementation. If you know the data encryption key, you can access LUKS data without using any of the 8 user passwords. I suspect the BitLocker 'recovery key' is just the data encryption key, but I could be wrong, as I don't use BitLocker.

If I'm wrong, hopefully a fully qualified BitLocker expert will be along to put me right.

*If you are using UEFI boot, then I think the EFI System Partition (ESP) has to be** an unencrypted FAT partition. So assuming the ESP is on the same disk as your data, at least part of the disk is likely to be non-encrypted. That's most likely the place where the 'security' update will temporarily stash the plain-text copy of the drive encryption key. There are other possibilities.

**The standard allows other file-system types, but to be standards compliant, even if not used, the system has to support the use of the FAT partition. There's nothing to stop an ESP using another file system type, so long as there is a UEFI driver for it, and the UEFI boot firmware is capable of using the driver. At least, that's my understanding.

5
0
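An added Python toy (my code, not cryptsetup's or Microsoft's) of the key hierarchy described in this post and in the 'Sh*tLocker' reply above: one random data-encryption key (DEK) wrapped into up to eight passphrase keyslots, with the operations that mirror luksOpen, luksAddKey and luksKillSlot. The PBKDF2-mask-plus-HMAC wrapping and the names are stand-ins for the real cipher and anti-forensic splitting, and the iteration count is deliberately low; it shows why adding or killing a slot needs a working passphrase, why a full set of slots blocks a ninth, and why a plaintext DEK (recovery key, or a temporary clear-text copy on disk) bypasses every passphrase.

```python
import hashlib
import hmac
import secrets

N_SLOTS = 8          # LUKS1 provides eight keyslots
DEK_LEN = 32         # 256-bit data-encryption key (the "master key")
KDF_ITERS = 50_000   # toy value; cryptsetup benchmarks this at format time


class SlotError(Exception):
    pass


def _derive(passphrase, salt):
    """Stretch a passphrase into a 32-byte wrapping mask and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS, dklen=64)
    return okm[:32], okm[32:]


def _wrap(dek, passphrase):
    """Encrypt the DEK under a passphrase-derived key.  Toy construction: XOR
    mask plus HMAC tag; real LUKS uses a block cipher plus AF-splitting."""
    salt = secrets.token_bytes(16)
    mask, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, mask))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def _unwrap(slot, passphrase):
    mask, mac_key = _derive(passphrase, slot["salt"])
    tag = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None                      # wrong passphrase for this slot
    return bytes(a ^ b for a, b in zip(slot["wrapped"], mask))


def format_volume(passphrase):
    """luksFormat: generate a fresh DEK and wrap it into slot 0.  The DEK is
    returned only so the caller can see it; on a real system it lives in kernel
    memory while the volume is open and is never written out in the clear."""
    dek = secrets.token_bytes(DEK_LEN)
    header = [None] * N_SLOTS
    header[0] = _wrap(dek, passphrase)
    return header, dek


def open_with_passphrase(header, passphrase):
    """luksOpen: try each populated slot in turn until one unwraps cleanly."""
    for slot in header:
        if slot is not None:
            dek = _unwrap(slot, passphrase)
            if dek is not None:
                return dek
    raise SlotError("no keyslot accepts this passphrase")


def add_key_with_dek(header, dek, new_passphrase):
    """Whoever holds the plaintext DEK (a recovery key, or a temporary clear-text
    copy left on disk by an updater) can add a passphrase without knowing any
    existing one: this is why the DEK must be protected while in use."""
    if None not in header:
        raise SlotError("all %d keyslots are in use" % N_SLOTS)
    free = header.index(None)
    header[free] = _wrap(dek, new_passphrase)
    return free


def add_key(header, existing_passphrase, new_passphrase):
    """luksAddKey: needs a working passphrase to recover the DEK first."""
    dek = open_with_passphrase(header, existing_passphrase)
    return add_key_with_dek(header, dek, new_passphrase)


def kill_slot(header, existing_passphrase, slot_no):
    """luksKillSlot: a valid passphrase is required before a slot is wiped, so
    an occupied slot cannot be freed by someone who knows no passphrase."""
    open_with_passphrase(header, existing_passphrase)
    if header[slot_no] is None:
        raise SlotError("slot %d is already empty" % slot_no)
    header[slot_no] = None


def slots_in_use(header):
    return [i for i, slot in enumerate(header) if slot is not None]


if __name__ == "__main__":
    hdr, master = format_volume("correct horse")
    add_key(hdr, "correct horse", "second passphrase")
    print("slots in use:", slots_in_use(hdr))
    print("second passphrase recovers DEK:", open_with_passphrase(hdr, "second passphrase") == master)
```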

I want to buy a coffee with an app – how hard can it be?

Norman Nescio
Bronze badge

Once you have swiped in frustration about 20 times, it goes nuts and the interface flies from screen to screen completely out of control and then collapses in exhaustion...

...so I pressed the button on the screen ... nothing happened so I pressed it again ... nothing happened ... so I pressed it again ... and the machine sprang to life, quickly flicked through 3 pages of GUIs applying my 3 key presses to select first "withdraw cash", followed by "other amount", followed by "500 Euros" which it then proceeded to give me!

Ahh yes, that old stalwart of badly implemented GUIs, the equivalent of the type-ahead buffer, without the equivalent of an interrupt key to discard currently buffered input, or the idea of discarding input until a display checkpoint is reached. There is a special circle of hell reserved for people who place the cursor over the most damaging button (often 'OK') automatically.

I used to have an old and slow Windows machine where I learned to place the cursor at the point on the screen where a menu item would eventually appear, then wait until it was actually drawn before I could click it. My muscle memory learned it, and in a way, it felt like dancing through the application. Try to go too quickly, and everything fell in a heap. Just like me on the dance-floor.

If the device you are working with has a keyboard, and suffers from terminal GUI slowness, it can be worthwhile to learn the relevant keyboard shortcuts (if they exist), but your average smartphone or tablet doesn't offer such fripperies.

35
0

Congrats on keeping out the hackers. Now, you've taken care of rogue insiders, right? Hello?

Norman Nescio
Bronze badge

If you don't need to know...

...you need not to know.

While it can be convenient, or even fun (in a sense of curiosity) to have blanket access to data, if you simply don't have access, you can't be accused of mishandling it.

However...The problem I have often found is that the processes for allowing only the necessary access to data are usually poor to the point of being unusable, and it is often not only expediency, but simply having the ability to do the job you are asked to that ends up with you having much more access than should actually be required.

A case in point: the official way to get product information in a company I worked for was to use an appallingly clunky web-application. If, however, you were on good terms with the product management team, you could get a copy of the Excel spreadsheet which was used to populate the web-application's database. This meant you could get the necessary information extremely efficiently, but had the side effect of being exactly the document that could be saved to a USB drive and 'shared' with a competitor. Of course, no disgruntled salesman ever did that.

As ever, a process that is easier to follow than avoid will get used. Make things too difficult, and people will find workarounds.

2
0

First it was hashtags – now Amber Rudd gives us Brits knowledge on national ID cards

Norman Nescio
Bronze badge
Thumb Up

Re: Joined-up databases

@ Lee D

I wish I could give you more than one upvote.

14
0

British Airways hack: Infosec experts finger third-party scripts on payment pages

Norman Nescio
Bronze badge

Green Locked Padlock icon

I suspect there is a general problem with the interpretation of the green locked-padlock icon.

The average user, if they think about it at all, assumes that it means that the transaction is secure, whereas https is designed to make the communications channel relatively secure, in that it is (relatively) difficult to decrypt the information in transit. Few people actually check the provenance of the certificate attesting that the site they are connecting to is indeed who it says it is - the SSL cert for baways.com might have tipped a few people off if they had.

This confusion leads to exploits, where, as in this case, malware is delivered over 'secure' channels.

There is no simple way for an end-user to confirm the authenticity of the scripts that their browser is running. There are tools available to assure that you run only signed code, but they are not always used, e.g. Subresource Integrity and Content Security Policies.

A green padlock does not tell you whether the site you are connecting to is sending you a script over https that contains non-authenticated javascript from elsewhere. As BA have found out, that is a problem.

See also: "The Green Padlock is not enough"

Scott Helme has some good reading on CSP and SRI -

Scott Helme: Articles tagged with CSP

Scott Helme: Articles tagged with SRI

This article of his basically tells you why CSP + SRI really ought to be the default...Protect your site from Cryptojacking with CSP + SRI

3
0

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

Norman Nescio
Bronze badge

Re: We take the protection of our customers’ data very seriously.

Just to reply to my own posting, the writer of the PPRuNe posting has their own blog which goes into more detail, posted in May this year.

KristoferA's blog:Things you probably don't want to do on your [airline] website's payment pages

I have no connection with KristoferA, but thought it might make an interesting, if sobering, read, especially for anyone involved in PCI-DSS compliance.

2
0
Norman Nescio
Bronze badge

Re: We take the protection of our customers’ data very seriously.

There's a very interesting post on PPRuNe which appears to challenge the idea of BA taking the protection of their customers' data seriously.

PPRuNe: Thread: BA hacked but they're 'deeply sorry' Posting: website security

To summarise with some quotations taken from the above post on PPRuNe by 'kristofera':

1) Boatloads of 3rd party JS loaded from external sources

2) No SRI signatures to ensure scripts have not been tampered with

3) No CSP header to block script from "other" sources to be injected...

I'm not an expert in any way shape or form in this area, but it doesn't sound good.

6
0
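The two BA posts above (the green-padlock one and this summary of kristofera's points) both come down to the same two controls: a Subresource Integrity attribute so the browser rejects a third-party script whose bytes have changed, and a Content-Security-Policy script-src so script from unapproved origins never loads. The block below is an added worked example, written for this page; it is not code from the posts, from BA, from kristofera's write-up or from Scott Helme's articles. It models the browser's SRI decision (including the "strongest algorithm wins" rule and the fact that an unusable integrity token disables the check rather than failing it) and a deliberately simplified script-src evaluation. The script bodies, integrity values, origins and policy string are constructed for illustration.

```python
"""Subresource Integrity (SRI) and a CSP script-src check, modelled the way a
browser applies them.

Added worked example; not code from the posts above, from BA, from kristofera's
write-up or from Scott Helme's articles. Script bodies, integrity values,
origins and the policy string are constructed for illustration.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Digests browsers must support for integrity=; anything else (md5, sha1) is ignored.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(script_bytes: bytes, algorithm: str = "sha384") -> str:
    """The value to publish in <script integrity="...">, e.g. 'sha384-<base64>'."""
    digest = SRI_ALGORITHMS[algorithm](script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(script_bytes: bytes, integrity: str) -> bool:
    """Browser rule: parse every token, keep the strongest supported algorithm,
    and accept the resource if ANY token of that algorithm matches its digest.
    If no token is usable the attribute is treated as absent and the script
    loads unchecked, so a typo in the algorithm name silently disables SRI."""
    tokens = []
    for tok in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", tok)
        if not m:
            continue  # unknown algorithm or malformed token: ignored
        try:
            tokens.append((m.group(1), base64.b64decode(m.group(2), validate=True)))
        except ValueError:  # bad base64: ignored, like an unknown algorithm
            continue
    if not tokens:
        return True
    strongest = max((alg for alg, _ in tokens), key=STRENGTH.get)
    actual = SRI_ALGORITHMS[strongest](script_bytes).digest()
    return any(alg == strongest and expected == actual for alg, expected in tokens)


def csp_allows_script(policy: str, page_origin: str, script_url: str) -> bool:
    """Simplified script-src evaluation: 'none', 'self', and host sources such
    as https://cdn.example or https://*.example. Real CSP also has nonces,
    hashes, scheme sources and 'unsafe-inline'; only origin blocking, the
    point made in the posts, is modelled here."""
    directives = {}
    for part in policy.split(";"):
        fields = part.split()
        if fields:
            directives[fields[0].lower()] = fields[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing is restricted
    if sources == ["'none'"]:
        return False
    page, script = urlsplit(page_origin), urlsplit(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
            continue
        scheme, _, host = src.rpartition("://")
        if scheme and scheme != script.scheme:
            continue
        if host.startswith("*."):
            if script.netloc.endswith(host[1:]):
                return True
        elif script.netloc == host:
            return True
    return False


# Constructed sample: the payment-page script, and the same script with one
# line appended by whoever controls the third-party host it is served from.
PAYMENT_JS = b"window.pay = function (card) { return post('/pay', card); };\n"
TAMPERED_JS = PAYMENT_JS + b"document.forms[0].addEventListener('submit', e => sendElsewhere(e.target));\n"
POLICY = "default-src 'self'; script-src 'self' https://cdn.example"

if __name__ == "__main__":
    tag = sri_digest(PAYMENT_JS)
    print("integrity attribute :", tag)
    print("genuine script ok   :", sri_matches(PAYMENT_JS, tag))
    print("tampered script ok  :", sri_matches(TAMPERED_JS, tag))
    print("evil origin allowed :", csp_allows_script(POLICY, "https://www.example", "https://evil.example/s.js"))
```

Two things worth noticing when running it: a tampered script fails SRI even though it would arrive over a perfectly good https connection (the padlock says nothing about it), and an integrity attribute with an unsupported algorithm, or none at all, means the browser checks nothing. SRI also only helps for scripts you already expect; keeping unexpected origins out is what the script-src directive is for, which is why the two are normally deployed together.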

No, no, you're all wrong. That's not a Kremlin agent. It's someone with 'inauthentic behavior'

Norman Nescio
Bronze badge

Re: 'misinformation' and 'divisive content'

You replied while I was composing my reply. Thanks for finding that confirmation. Upvoted.

NN

1
0
Norman Nescio
Bronze badge

Re: 'misinformation' and 'divisive content'

Assume, for the purposes of argument, that the pictures are taken from one, or several, fixed security cameras, which seems likely. Look carefully at the fields of view. The verticals are in different places. This indicates that either they are pictures taken from different cameras, the camera moved or zoomed, or the pictures are doctored.

The location appears to be the exit from the luggage collection area in the South Terminal, just after you pass through the ersatz duty-free area before coming out into the public concourse. At that point, there are several parallel channels which are constructed in the same manner.

I suggest the two people in question were travelling together, and went through two different exit channels near-enough simultaneously, which is not difficult.

I'll remember to look up and smile and wave next time I go through.

10
0

I've seen the future of consumer AI, and it doesn't have one

Norman Nescio
Bronze badge

AI livestreaming your life.

'AI' will really take off when somebody works out how to get their AI assistant to make postings/updates to social media for them; and somebody else figures out how to get AI assistants to summarise the firehose of updates on social media for them. A perfect circle. Predicted, as ever, by Douglas Adams, who made the throwaway observation that people buy video recorders to watch TV for them, so they don't have to do it themselves* (Do an Internet search for "Electric Monk" if you don't understand.).

As far as I can see, social media has transformed people into performance artists, so cooking a meal could well involve a couple of hours doing make-up and setting up the cameras for streaming, followed by the performance of 'cooking a meal' with the aim of getting as many likes as possible. No wonder people find social media stressful. An AI that livestreams your life, deepfaking flawless make-up and an uncluttered house would be insanely popular.

*I was discomfited to recognise myself there, having recorded programmes to watch later, then purposefully re-recorded over them later without watching the recording. The march of time and technology has made video recorders unfamiliar to younger readers, which is sobering.

6
0

Microsoft gives Windows 10 a name, throws folks a bone

Norman Nescio
Bronze badge

Re: Huh?

Though... Office abandoned the Menu system for the ribbon in 2007 and then they patented it. So I assume you mean the ribbon and then, while I do not know about whether the ribbon in Libreoffice can be customised, there is the problem of the Ribbon patent so I guess Libreoffice CANNOT reproduce the Office ribbon exactly.

In sensible jurisdictions, software is not patentable. Copyrightable, yes, patentable, no.

The USA, since the 2014 Supreme Court decision in Alice Corp. v. CLS Bank International, has effectively made software ineligible for patenting, under section 101 of the U.S. patent laws. This hasn't stopped lots of people still applying for software patents, and getting patents issued, but they will almost certainly be found ineligible on review, as will lots of previously issued patents. In principle software is not patentable in the EU, but that hasn't stopped the European Patent Office from issuing patents for software, even though their own web-pages make it clear that "a computer program claimed 'as such' is not a patentable invention".

India does not issue software patents. Section 3(k) of the Patent Act, 1970 lists "a mathematical or business method or a computer programme per se or algorithms" as "Inventions Not Patentable".

Obviously, a great deal of lobbying goes on to get this changed, as making software patentable could be quite a money generator for some people. Whether LibreOffice falls foul of patent laws in your jurisdiction is only something you can determine.

2
0
Norman Nescio
Bronze badge

Re: What's this Silverlight thing?

On a related note, I've recently had to deal with people sending me proofs of payment... as XPS files. Which would be fine except none of the Windows 10 apps can read the damn things anymore.

Whoever decided that deprecated apps (Reader) are going to be unable to work at all ("Reader is no longer supported. Go screw yourself."), rather than just no longer updated needs shooting with something very pointy.

I have to send them to our one remaining W7 machine to convert them to PDF.

XPS files are a Microsoft equivalent of PDF files, and are not intended to be editable, so it's not in LibreOffice's primary mission to 'edit the uneditable' - however, all is not lost, there are several third party document viewer applications that will accept xps and oxps files. The Third Party Support section of the Wikipedia article gives a list. The ones for Linux platforms should be able to read the XPS and OXPS documents sent to you.

However, this guide: How to access XPS Viewer in the Windows 10 April 2018 Update might solve your problem without resorting to third party software if you are using Windows 10.

1
0
Norman Nescio
Bronze badge

Re: Implicit typing of variables

Because I, J, K, L, M, O and P, and any variable with a name beginning with those, is an integer in Fortran, and we all learned Fortran in College before BASIC was invented.

I gave you an upvote, but FORTRAN implicit variable name rules were that variables starting with I-N were integers, everything else, reals, unless, of course, you declared IMPLICIT NONE at the start.

The problem with implicit typing of variables is that if you misspell a variable name, it won't be caught by a compiler, so you can get quite subtle errors. As FORTRAN is case insensitive in the source, you can inadvertently substitute a lower-case L for a capital i and vice versa, so a variable named "loopcounter" can be confused with "Ioopcounter". If you couple this with the undefined value of an uninitialised variable - some systems set such undeclared variables to zero, others provide you with any old junk - you can get some pretty nasty behaviour.

I've had to debug some pretty gnarly FORTRAN code in my time. Modern tools make this easier, but a lot of code used in academia is not written by expert programmers, but by experts in whatever field that happened to need to do some data processing. FORTRAN made it easy to write code, but unfortunately left the door open to writing nearly unmaintainable bad code.

2
0
Norman Nescio
Bronze badge

Re: Obviously...

I making a point of immediately binning any CVs submitted as a .odt file, the last thing we need are hippies and Linux fanbois!

Idiot. Everyone knows Linux Fanbois would be using LaTeX

The bearded sandal wearers from the old days of UNIX (I am one) would use troff.

.

..

...

....

.....

......

.......

........

It is not easy to find bearded sandals.

8
1

BT scoops Home Counties chunk of new NHS IT contract

Norman Nescio
Bronze badge

Just wondering what a high bandwidth non-digital connection looks like...

Probably coaxial cable. In the days of analogue cable-TV coax would carry the channels from roughly 50 MHz to 850 MHz, giving a bandwidth of about 800 MHz.

2
0

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’

Norman Nescio
Bronze badge

Check your tracking status

The EFF offer a web-page that does some simple tests to see if you are being tracked through your browser.

EFF:Panopticlick

Note that, as well as cookies, your browser fingerprint is pretty stable over time, and therefore could act as an identifier used to track you. In combination with HTML5 local storage and other 'super cookie' techniques, people who want to track you have many tools at their disposal. This article gives a quick overview:

The Chromium Projects: Technical analysis of client identification mechanisms

As Sgt. Phil Esterhaus said: "Hey, let's be careful out there.".

24
0
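Panopticlick reports what the post above alludes to as a number: for each attribute your browser exposes, how many bits of identifying information it carries, computed as -log2 of the fraction of visitors who share your value, and how unique the whole combination is. The block below is an added worked example of that arithmetic, written for this page; it is not EFF code and the eight-visitor "population" is constructed so the results come out in whole bits. It also shows the caveat practitioners trip over: attributes are correlated (here timezone and language), so summing per-attribute bits overstates what the combination actually reveals.

```python
"""How identifying is a browser fingerprint? Surprisal per attribute and for the
combination, in bits: -log2(fraction of the population sharing the value).

Added worked example; not EFF/Panopticlick code. The eight-visitor population
is constructed so that the arithmetic comes out in whole bits.
"""
import hashlib
import math

POPULATION = [  # constructed sample of what a tracker might have collected
    {"ua": "Firefox/62", "tz": "Europe/London", "screen": "1920x1080", "lang": "en-GB"},
    {"ua": "Firefox/62", "tz": "Europe/London", "screen": "1366x768",  "lang": "en-GB"},
    {"ua": "Firefox/62", "tz": "Europe/Paris",  "screen": "1920x1080", "lang": "fr-FR"},
    {"ua": "Firefox/62", "tz": "Europe/Paris",  "screen": "1366x768",  "lang": "fr-FR"},
    {"ua": "Chrome/69",  "tz": "Europe/London", "screen": "1920x1080", "lang": "en-GB"},
    {"ua": "Chrome/69",  "tz": "Europe/London", "screen": "1366x768",  "lang": "en-GB"},
    {"ua": "Chrome/69",  "tz": "Europe/Paris",  "screen": "1920x1080", "lang": "fr-FR"},
    {"ua": "Chrome/69",  "tz": "Europe/Paris",  "screen": "1366x768",  "lang": "fr-FR"},
]


def surprisal_bits(visitor: dict, attrs, population=POPULATION) -> float:
    """Bits of identifying information in the given attributes taken together:
    log2 of how much the set of matching visitors shrinks the population."""
    matches = sum(1 for p in population if all(p[a] == visitor[a] for a in attrs))
    return math.log2(len(population) / matches)


def per_attribute_bits(visitor: dict, population=POPULATION) -> dict:
    """Panopticlick-style table: one surprisal figure per attribute on its own."""
    return {a: surprisal_bits(visitor, [a], population) for a in visitor}


def is_unique(visitor: dict, population=POPULATION) -> bool:
    """True when the full combination singles out exactly one visitor."""
    return surprisal_bits(visitor, list(visitor), population) == math.log2(len(population))


def fingerprint_id(visitor: dict) -> str:
    """The tracker's stable identifier: a hash over the attribute values.
    No cookie is needed, and it survives cookie clearing; it only changes
    when one of the underlying attributes changes."""
    canonical = "|".join(f"{k}={visitor[k]}" for k in sorted(visitor))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    me = POPULATION[0]
    print("per attribute :", per_attribute_bits(me))
    print("tz + lang     :", surprisal_bits(me, ["tz", "lang"]), "bits (correlated)")
    print("all combined  :", surprisal_bits(me, list(me)), "bits; unique:", is_unique(me))
    print("identifier    :", fingerprint_id(me)[:16], "...")
```

On this sample each attribute alone is worth one bit (half the population shares it), the four together come to three bits, not four, because language tells the tracker nothing it did not already know from the timezone, and three bits is still enough to single out one visitor in eight. Real populations are millions strong and real browsers expose dozens of attributes (fonts, plugins, canvas rendering), which is why the fingerprint in the post is such a usable identifier.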

We've found another problem with IPv6: It's sparked a punch-up between top networks

Norman Nescio
Bronze badge

The article makes the point that this peering problem is nothing to do with the IPv6 protocol, so why doesn't this happen with IPv4, in that case?

Perhaps because the sources, destinations, and volumes of IPv6 traffic differ from IPv4 traffic? An otherwise nondescript IPv4 ISP might, through circumstance, have a significant sink for IPv6 traffic in its customer base. While it will not be able to use its IPv4 presence to broker peering deals, it may be able to argue that the imbalance in IPv6 traffic justifies that it either charges other ISPs for IPv6 connectivity, or comes to a peering agreement which it would not otherwise be able to negotiate on its IPv4 traffic statistics alone.

11
0

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Norman Nescio
Bronze badge

DeWitt clause

The benchmark prohibition clause is also known as the "DeWitt Clause", after David DeWitt, an academic who got on the wrong side of Larry Ellison of Oracle.

Putting "DeWitt Clause" into the Internet search engine of your choice will give links to the full history, and some discussion around the reasons for and against.

Properly executed benchmarks can be very informative, but it is remarkably difficult to do benchmarks that all parties concerned will agree to have been properly executed. Losers can usually find nits to pick, as anyone who has been involved with benchmarking in any serious way will attest.

11
0
Norman Nescio
Bronze badge
Pint

Re: What's wrong with "contacted"?

Emphasis on "look visualisation optics".

FTFFY

(No, I'm not being serious. I've just noticed the trend, that's all. I come from an era when optics meant the plural of a spirit measure/dispenser behind a bar.)

17
0

'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

Norman Nescio
Bronze badge

Default Passwords

Changing a default password is not difficult. As you say, it can even be enforced* on 'first boot'.

However, ensuring the new password is recorded properly and securely, and available to all those authorised to use it is rather more tricky. It certainly isn't right, but many take the view that having the password recorded in the documentation is positive, and changing it from the default is a disbenefit. You then also have the fun of deciding who should know the password: is it role-based, so any sysadmin for that system should know it, or should it be account based, so everyone who needs access should have their own account and password (which brings in a whole new level of pain and bureaucracy). Throw in a requirement for accounts to have 2FA, or single sign on, or conform to some other corporate standard or other, and you can understand why some people just keep quiet. It might not be right, but choosing the option that is most likely to give you an easy life here and now, rather than looking for bureaucratic trouble is, not unpredictably, a popular option.

Password and account management is not standard across (IoT) hardware. There may not even be an applicable international standard.

*Unless you do something like break out to a command prompt and bypass the 'first run' script. Not that I have ever done such a thing.

4
0

Google shaves half a gig off Android Poundland Edition

Norman Nescio
Bronze badge

Re: Old Linux ?

1K?

(You attempted to end too early, which puts you in Nid.)

You were lucky. I 'ad 256 bytes and a 20 key keyboard. Being sliced in two wit' bread knife was optional.

4
0

EU wants one phone plug to rule them all. But we've got a better idea.

Norman Nescio
Bronze badge

Laptop Power bricks

A standard for power supplies for notebook-PCs would be beneficial in my home.

For various reasons, I have Lenovo, Dell, Fujitsu-Siemens, HP, and Acer laptops, all with mutually incompatible power supplies. Add in the wish to have a power-brick at home and in the office to avoid the need to carry one about and it gets beyond the joke. Standardising on 12V (or 24V) DC means you could quite happily power from a standard car battery or two if it became necessary.

I know not everyone has more portable PCs than mobile phones in their home, but it still rankles.

(Don't get me started on the idiotic sense pin designs that die as soon as you look at them, so the laptop refuses to charge because the id mechanism on a perfectly serviceable power supply has been zapped)

19
1

If you drop a tablet in a forest of smartphones, will anyone hear it fall?

Norman Nescio
Bronze badge

O/S?

I'm in the market to replace some old (landfill) tablets, which continue to work well, but have been abandoned by the retailer with locked firmware so I can't even load LineageOS or Linux, and as a consequence are on very old (and definitely not secure) revisions of Android (Android K)

Try finding a reasonably priced new tablet running Android O (8.0 or 8.1). And now, Android P is here.

Of course tablet sales will be dismal if you offer only kack.

7
0

BlackBerry claims it can do to ransomware what Apple did to its phones

Norman Nescio
Bronze badge

NILFS2

It could also be NILFS2 snapshots. NILFS2 implements an approach where each file system change (checkpoint) can be (but does not have to be) treated as a snapshot, which allows a very fine-grained approach. If you combine this with sufficient LVM snapshots*, you would be able to roll back any file to any point in its history.

*Take an LVM snapshot before the NILFS2 circular buffer overwrites itself, back it up, then repeat as necessary ad infinitum.

3
0

Boffin botheration as IET lifts axe on 20-year-old email alias service

Norman Nescio
Bronze badge

Re: Email forwarding services are passé

Just to add to my previous posting, there is an informational RFC: RFC 7960, which goes into the problems of using DMARC with indirect email flows, such as mailing lists and email forwarders.

ARC is not (yet) an adopted RFC, it is a draft, available here: Authenticated Received Chain (ARC) Protocol: draft-ietf-dmarc-arc-protocol-15

3
0
Norman Nescio
Bronze badge

Re: Email forwarding services are passé

If Authenticated Received Chain (ARC)* is implemented correctly, then forwarding agents should work just fine.

...not all mail passes directly from sender to recipient. Some services like mailing lists or account forwarding—also known as intermediaries—receive a legitimate message and might make changes to it before sending it on, potentially resulting in SPF, DKIM, and/or DMARC alignment failure. Thus, the message, despite its legitimacy, may not get delivered.

What is ARC?

ARC helps preserve email authentication results and verifies the identity of email intermediaries that forward a message on to its final destination.

However, since it requires people to understand what they are doing, and care whether their spam filters have false positives, I don't hold out a great deal of hope.

1
2
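The two posts above describe the mechanics in words: DMARC passes only if SPF or DKIM passes and the authenticated domain aligns with the visible From: domain; a mailing list or forwarder breaks both (it rewrites the envelope sender and usually edits the body); ARC lets the final receiver fall back on the authentication results a trusted intermediary recorded before it made those changes. The block below is an added worked example of that decision logic, written for this page; it is not code from the posts, RFC 7489, RFC 7960 or the ARC draft. The SPF, DKIM and ARC verdicts are supplied as already-verified inputs (no signature cryptography is done), the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List, and every domain name is constructed.

```python
"""DMARC on a direct delivery versus the same message after a mailing-list
forward, and what a trusted ARC chain changes.

Added worked example; not code from the posts above, RFC 7489, RFC 7960 or the
ARC draft. SPF/DKIM/ARC verdicts are inputs that are assumed already verified
(no signature cryptography here). All domains are constructed.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real receivers
    consult the Public Suffix List, otherwise example.co.uk collapses to co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str     # RFC5322.From domain, the one the reader sees
    spf_result: str      # 'pass', 'fail', 'none', ...
    spf_domain: str      # RFC5321.MailFrom domain SPF was checked against
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]
    arc: list = field(default_factory=list)   # [(sealer, cv result, ARC-Authentication-Results dict), ...]


def dmarc_result(r: AuthResults, adkim: str = "r", aspf: str = "r",
                 trusted_arc_sealers=()) -> str:
    """'pass' if SPF or DKIM passes AND aligns with From:, otherwise 'fail'.
    A failing message can still be rescued by an ARC chain whose seal validates
    (cv=pass) and whose sealer the receiver has chosen to trust: the receiver
    then reuses the results that intermediary recorded on receipt."""
    if r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf):
        return "pass"
    if any(res == "pass" and aligned(d, r.from_domain, adkim) for d, res in r.dkim):
        return "pass"
    for sealer, cv, aar in r.arc:
        if cv != "pass" or sealer not in trusted_arc_sealers:
            continue
        if aar.get("spf") == "pass" and aligned(aar.get("spf_domain", ""), r.from_domain, aspf):
            return "pass"
        if any(res == "pass" and aligned(d, r.from_domain, adkim) for d, res in aar.get("dkim", [])):
            return "pass"
    return "fail"


def direct_delivery() -> AuthResults:
    """sender.example straight to the receiver: SPF and DKIM pass and align."""
    return AuthResults("sender.example", "pass", "sender.example",
                       dkim=[("sender.example", "pass")])


def via_mailing_list(arc_sealed: bool = True) -> AuthResults:
    """Same message relayed by list.example. The list rewrites the envelope
    sender to itself (SPF passes for list.example, which does not align) and
    appends a footer (the sender.example DKIM signature no longer verifies).
    The list's own DKIM signature passes but does not align either."""
    r = AuthResults("sender.example", "pass", "list.example",
                    dkim=[("sender.example", "fail"), ("list.example", "pass")])
    if arc_sealed:  # what list.example saw on receipt, sealed into its ARC set
        r.arc = [("list.example", "pass",
                  {"spf": "pass", "spf_domain": "sender.example",
                   "dkim": [("sender.example", "pass")]})]
    return r


if __name__ == "__main__":
    print("direct delivery         :", dmarc_result(direct_delivery()))
    print("via list, ARC untrusted :", dmarc_result(via_mailing_list()))
    print("via list, ARC trusted   :",
          dmarc_result(via_mailing_list(), trusted_arc_sealers={"list.example"}))
```

The forwarded message fails DMARC however well-behaved the list is, which is the RFC 7960 problem in one line of output. ARC only turns that into a pass when the receiver both validates the chain and has decided to trust the sealer, and that trust decision is exactly the "people have to understand what they are doing" part the post is pessimistic about.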

Sysadmin cracked military PC’s security by reading the manual

Norman Nescio
Bronze badge

Re: Compaq 'security'?

It'd take a hell of a setup to stop a half decent techie armed with boot disks , drive caddy , dipswitches , screwdriver , downtime , permission to tinker etc etc .

Encryption is probly the only way.

Which is why I use LUKS to give my data (at rest) a modicum of privacy.

As far as I know, I'm not trying to protect myself against 'state actors', so 'Evil Maid' attacks, or custom hard-drive and/or network device firmware is not something I need to protect myself against, yet. No doubt some enterprising malware author is working on changing that. Systems really ought to have the option of a physical write protect/enable switch on the UEFI firmware.

2
0

Biting the hand that feeds IT © 1998–2018