* Posts by Tom Paine

1111 posts • joined 19 Aug 2008


'Major incident' at Capita data centre: Multiple services still knackered

Tom Paine
Silver badge

It's not hard, but...

...it does cost money. Twice the money, in fact, plus the design overhead.

1
0

What's got a vast attack surface and runs on Linux? Windows Defender, of course

Tom Paine
Silver badge
Coat

As ol' Blue Eyes sang -

Pun for my baby

And pun more for the road

(I'm so very, very sorry)

4
0

'Tabby's Star' intrigues astro-boffins with brief 'dimming event'

Tom Paine
Silver badge

Re: Wow ! BBC "Horizon" managed to inform ...

Allow me a shout out to the superb "The Life Scientific", presented by Jim Al-Khalili. Well worth seeking out on ListenAgain if you're overseas, have an interest in science and didn't know the programme existed.

http://www.bbc.co.uk/programmes/b015sqc7

3
0
Tom Paine
Silver badge

Re: Broken Planet

Apart from the lack of a realistic mechanism that could "break up" any planet, let alone a large one, I've got one word for you: gravity. If you split the earth into, say, 500 equally sized lumps, they'd remain clumped together, hence you'd see a standard planetary transit light curve.

0
0

Quick, better lock down that CISO role. Salaries have apparently hit €1m

Tom Paine
Silver badge

Re: > After all you paid more for it.

You're home by 18:00 and don't do out of hours reading? How do you keep up with threat intel, new vulns, new tools, changes in management frameworks, etc etc?

0
0
Tom Paine
Silver badge

Re: > After all you paid more for it.

I do wonder whether any studies have ever been done to see whether mega bucks executives are worth the money compared to cheaper ones. I suspect not for obvious reasons.

Like these, the first three hits for "Harvard Business review directors remuneration" ?

https://hbr.org/2016/07/improving-the-way-boards-ceos-and-shareholders-interact

https://hbr.org/1999/03/new-thinking-on-how-to-link-executive-pay-with-performance

https://hbr.org/1990/05/ceo-incentives-its-not-how-much-you-pay-but-how

0
0
Tom Paine
Silver badge

Re: Meaningless if...

In my experience, having a CSO is a good proxy for being prepared to spend time and money on security. It certainly doesn't guarantee good security practices, but NOT having a CSO is IME usually a sign of an organisation that really doesn't get it.

0
0
Tom Paine
Silver badge
Thumb Up

As a grunt in the trenches

I've always said that my three biggest allies for getting management to pay attention and then do things are:

1. Demanding customers

2. Demanding regulators

3. Well-resourced, skilled and motivated attackers.

0
0

Japan (lightly) regulates high-frequency algorithmic trading

Tom Paine
Silver badge

Re: "stick orders in a queue for xx minutes before they are processed."

...a timing edge no real trader can afford to buy

Sure you can. Just use the appropriate brokers. If their commissions made trading unaffordable, no-one would be doing it.

1
3
Tom Paine
Silver badge

Re: But mostly it's an automated MiM attack on actual traders.

alternative solution: stick orders in a queue for xx minutes before they are processed. Takes any speculation (automated or otherwise) out of the equation

Merciful heavens... *covers eyes*

Dear El Reg Editorial: I suspect there'd be a lot of interest in some interviews with tech people in financial services, especially when it comes to issues where tech and trading rulebooks, regulation etc cross over -- things like HFT -- and there's clearly a lot of misapprehension amongst the readership. How about it?

4
0
Tom Paine
Silver badge

Re: But mostly it's an automated MiM attack on actual traders.

And it would not be possible if exchanges did not offer a wide range of bizarre trade types that act as the input to a "trading language" that HFTs can use to probe the exchange for who is buying and selling on a large scale without actually committing their own money.

Read this three times and I still don't understand what it means

0
0
Tom Paine
Silver badge

Re: Tax'um

This issue isn't trades, it's (supposedly) orders.

IDK about equities or other FICC instruments but I believe most forex trading venues have a minimum order size of at least $1m, more often $10m or more.

2
0
Tom Paine
Silver badge

Re: Tax'um

There is this thing called "price discovery". It's quite important.

http://www.investopedia.com/terms/s/supply.asp

1
1

Wondering why the office is so productive? Yep, Twitter's knackered

Tom Paine
Silver badge

Jibber-jabber as a service? WHERE DO I SIGN?!

2
0

You think your day was bad? OS X malware hackers just swiped a Mac dev's app source

Tom Paine
Silver badge

...we even half-seriously considered releasing the source code ourselves – and when that idea was floated, and we realized there wouldn't be any fallout (other than a lot of code questions!), that's when we truly felt free."

Do I need to make any further comment? No, I don't think so.

2
3

Bloke charged under UK terror law for refusing to cough up passwords

Tom Paine
Silver badge

Re: Don't give them anything to get you with....

Not this again... sigh.

https://medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869

3
2

WannaCrypt outbreak contained as hunt for masterminds kicks in

Tom Paine
Silver badge

Re: criminality?

How many people would have died had that money not been spent on their care instead?

Suppose one of them was a relative.

0
0
Tom Paine
Silver badge

Re: Shouldn't that be "have already taken steps"?

Add up the cost of delaying, IDK, say 10,000 ops a few days. Let's say there's a 1% mortality increase: that's £100m (by UK standard actuarial stats, as I remember it -- may be more nowadays). Then the cost of, say, two days of overtime by the outsourced SPs and inhouse IT, if there still are any. Assuming they get paid overtime (and I don't know about anyone else, but in 21 years in IT and 11 employers, only one has paid IT or security droids overtime) -- but this is the public sector, and they still have unions, so let's make a wild guess and say... 1.5m staff... say... 25,000 IT staff total, only half of whom will be junior enough to be dragged in at the weekend. Let's say they did 10h days over the weekend. 12,500 * 20h @ £40 = £10m. So, grand total: £110m.

On the other hand, three years of Windows licenses... bulk discounts... say £50 each * 500,000 machines = £25m. Some fraction of those machines will be too old to run W8 or 10; let's say half need forklift upgrades, at £500 each (including boxdropper pay): 250,000 * £500 = £125m.

So we're already at £150m without factoring in the cost of doing all the OTHER security things apart from "apply patches" (you'll recall there's a bit more to it than that, and if it's worth doing, it's worth doing properly, right?) and I'm certain if I thought about it there are many other costs I've neglected.

Now imagine you're running a hospital trust, on a fixed budget allocated by external forces out of your control. People are lined up on trolleys in the corridors, it's a 6h wait to be seen in A&E for everyone except stroke, heart attack or major trauma cases. Meanwhile you have 300 elderly people clogging wards because you can't discharge them because there's no social care available. Oh and you're short of your budgeted complement of nurses to the tune of 12%, and you're facing annual budget cuts of around 5% for the next five years. How would you feel about the suggestion that they spend £150m+ on replacing computers that, to your eyes, appear to be working just fine, just as they have for the last decade?

And that's more or less what happened: £1Bn was raided from the infrastructure and IT budget to pay for opex -- clinical staff, pharmaceuticals, keeping the lights on.

1
0
Tom Paine
Silver badge

Re: Shouldn't that be "have already taken steps"?

They've taken a decision that a couple of days without email (or completely down) once a decade is less expensive than hiring the number of sec analysts and managers needed to implement comprehensive best practices (not to mention the disruption and capex overhead caused by, say, forcing 2FA for desktop access). All I can tell you is that they're rich and I'm not, so who's the smart guy here?

1
0
Tom Paine
Silver badge

Re: Intel

This is why "vulnerability management" is a thing. It's not rocket science, just slow, tedious, and moderately expensive.

http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf

0
0
Tom Paine
Silver badge

Re: Intel

It's the most trivial exploit imaginable, just send an empty password hash. Boom, you're ring -2.

0
0
Tom Paine
Silver badge

Re: Pwnd

The upshot of this that if you were vulnerable to wannacrypt last week then you've been owned by the NSA for years.

What utter, utter, bollocks. If you don't know what you're talking about, might I gently suggest avoiding commenting?

0
1

Vigorous tiny vibrations help our universe swell, say particle boffins

Tom Paine
Silver badge
Alien

The Silastic Armorfiends...

...will be interested

....puts forward the idea that each point in space is yo-yoing between expansion and contraction

Am I so very wrong for speculating about what would happen if those pulsations or oscillations could all be synchronised? It'd be the best bang since the big one!

3
0

Lib Dems pledge to end 'Orwellian' snooping powers in manifesto

Tom Paine
Silver badge

It's what the people want

They want the porn ban. They want ubiquitous surveillance. They want end-to-end encryption to be illegal and for all social media sites throughout the world to have to collect, check and store scans and pics of primary issue government photo ID (but only for British cits.)

They want the NHS privatised through the back door with a budget cut by ~5% a year for the next five years, they want 100,000 missing nurses, they want a 35% fall in export earnings, and above all they want the bloody immigrants (by which they mean black people) sent home.

They must want all these things, because they're about to vote for them in record numbers. They certainly don't want human rights, privacy, a penny on income tax to fund the NHS or dope legalisation.

Sorry, but I've reached the stage that only bitterness and cynicism keep me sane.

32
7

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Tom Paine
Silver badge

Re: Sod cricket bats

Send them where? Crapita, Fujitsu, Cap Gemini?

3
0
Tom Paine
Silver badge

Re: Using Windows?

That's more or less how it's always been since 1947.

7
1
Tom Paine
Silver badge

Re: Using Windows?

Windows can be secured from running rogue .exes, most malware is JavaScript based, or macro based [...]

Bollocks. Sorry, but it is.

7
6
Tom Paine
Silver badge

Why oh why...

...is it always Friday?

And when will they let us work Wednesday to Sunday so we can rely on having a couple of days a week off?

Currently still sat at my desk when I was hoping to be away 30 mins ago (17:00), waiting to hear we're definitely OK...

2
0

Facebook is abusive. It's time to divorce it

Tom Paine
Silver badge

Re: Well-said, Simon

Photo ID? What what what? They send someone round to check your face matches the picture you submit??

1
0

UK General Election 2017: How EU law will hit British politicians' Facebook fight

Tom Paine
Silver badge

...parties can fall back on the DPA as GDPR will grant similar rights to organisations to store an individual’s data but not to process it any further.

In other words, "none at all", per the Fifth Principle?

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/

0
0

Secure email service builds newsletter bomb defences after attack pummels their inbox

Tom Paine
Silver badge

There are far too many to keep track of.

I worked at a spam filtering place a while back; newsletter "spam" was a major problem, because our customers' end users would frequently report newsletters that they'd actually signed up to as spam. For obvious reasons the newsletter purveyors would be unimpressed to be blacklisted, whether by a single service provider or by lots of RBLs.

A solution was eventually decided on, but it's filed in the same place as the solution to the problem of the Lintilla clones.

0
0

FBI boss James Comey was probing Trump's team for Russia links. You're fired, says Donald

Tom Paine
Silver badge

Re: Comey was caught lying under oath. So Trump fired him. -- opportunely.

...aaaaand the Deputy AG has threatened to resign unless the WH stops blaming him for it.

http://www.bbc.co.uk/news/world-us-canada-39886496

You were saying?

2
0
Tom Paine
Silver badge

Re: Comey was caught lying under oath. So Trump fired him. -- opportunely.

If it's partisan bullshit, why are former IC heads and GOP elders like Lindsey Graham and McCain saying it stinks to high heaven and calling for an independent prosecutor to be appointed immediately?

3
0
Tom Paine
Silver badge

Re: "...there's a big fat nothing behind --

Fire isn't here yet, but it's in the post, I assure you.

2
0
Tom Paine
Silver badge

Re: Comey was caught lying under oath. So Trump fired him. -- opportunely.

Trump fired Comey, but read the BBC article about why: It wasn't Trump deciding to do so as much as agreeing to do so.

And if YOU read it again, you'll notice that that's the White House's version of events. I'd advise against taking what they say on trust as being self-evidently 100% accurate and truthful.

Comey submitted a request for increased resources for the Russia investigation last week to the same Deputy AG who supposedly decided to write Sessions and Trump a letter advising them to fire him (Comey). And we now know about the Grand Jury subpoenas too. They're going to be opened one day, and when they are...

4
0
Tom Paine
Silver badge

Re: Comey was caught lying under oath. So Trump fired him. -- opportunely.

Actually... as it happens... the Nixon Presidential Library had something to say about that.

https://twitter.com/NixonLibrary/status/862083605081862145

0
0
Tom Paine
Silver badge

Re: Be careful what you wish for...

It almost feels like a sort of slow motion coup-d'état.

YA THINK??

0
0
Tom Paine
Silver badge

Re: tee hee

To quote a fictional Secretary of Defense:

Errrrrrr... that's not... entirely.... true.

http://www.telegraph.co.uk/news/2017/03/15/donald-trumps-tax-returns-released-president-earnedmore-150/

Note also that there was considerable speculation that the most likely source of the leak was lardarse himself.

1
0
Tom Paine
Silver badge

Re: tee hee

Mildly surprised El Reg hasn't yet picked up on the aspect that saw the US press barred from (or rather, not invited into) the Oval Office for what they thought was the meeting with Russian FM, Sergei Lavrov. The WH staff only admitted one snapper, a Russian with a large kitbag of gear who they assumed was Lavrov's official snapper but surprise!!! turned out to be working for TASS. Well, I say "working for TASS" -- the pictures showed up there, anyway. So now we know what Trumpy looks like in the company of the hairy Ivans when he thinks no-one's watching...

http://www.telegraph.co.uk/news/2017/05/11/white-house-misled-russian-photographer-oval-office-amid-security/

Oh yeah, and Kislyak, the FSB station chief in Washington was also there. Though the WH absent-mindedly forgot to mention it in any official briefings or press releases... it was only the TASS pics that gave the game away.

It's a diabolically awful situation, but at the same time I can't help but feel some grudging respect for the apparently effortless way the Russians have run rings round the entire US electorate, establishment, and IC, and completely compromised the organs of government.

6
0
Tom Paine
Silver badge

Re: "nothing to see here, really."

Amazing the way that American English has suddenly and spontaneously evolved slavic characteristics, isn't it?

Nothing was made up, just released what the DNC and Podesta actually talked about...

...and started as we know well back in 2016...

.

...it must be some sort of easter egg filter in El Reg's Perl codebase that kicks in whenever someone parrots the Kremlin line word for word:

The whole "Russian Influence" meme is nothing more than a desperate (and surprisingly successful with the entire MSM following their DNC paymasters' orders) attempt to deflect attention from the real scandal that needs a Grand Jury/Special Prosecutor - and that's to what extent was the Obama administration spying on the GOP and Trump campaigns.

Well done, Anonushka, extra cabbage soup ration for you tonight!

5
2

Drugs, vodka, Volvo: The Scandinavian answer to Britain's future new border

Tom Paine
Silver badge

Re: Who is going to pay for all this?

Or can we put a penny on income tax for leavers?

We are all leavers now. And the dawning understanding of what a bucket of smashed crabs the whole affair will be just might have something to do with the apparent coyness and reluctance of the Tories to include the same silly "no tax increases, guaranteed" manifesto commitment this time round. Instead they're blustering about being the party of lower taxes. They know perfectly well gov revenues will be falling fast at the same time as spending requirements are rapidly increasing, and as they've had this long term obsession with not running a budget deficit... there's only one way this is going to go.

20
2
Tom Paine
Silver badge

Re: Narkotikahunden

Wasn't that an album track by The Fall?

5
0

It's 2017 and Windows PCs are being owned by EPS files, webpages

Tom Paine
Silver badge

Re: Yes, a constant stream of vulns --

Try find one on hp.com, go, try ... tell me, I had a quick look, could not find one ...

I have a (real crap, ridiculously low-end and underpowered, but adequate for web and playing music and the odd bit of iPlayer) HP laptop that had Ubuntu pre-installed. Cost me less than £200 (I spent £30 maxxing out the RAM, then discovered that installing it involved disassembling the entire machine - keyboard out, motherboard out -- it was emphatically NOT designed for post-sale upgrades).

Biggest problem is that external monitor support died after a major version upgrade and hasn't been fixed so far.

Ubuntu's site lists 140 HP models "certified" with Ubuntu:

https://certification.ubuntu.com/certification/make/HP/

Here's HP's Linux stuff:

http://www8.hp.com/us/en/workstations/linux.html?jumpid=reg_r1002_usen_c-001_title_r0007

0
0
Tom Paine
Silver badge

Re: Optional

If you have a computer, of any form, and it has an operating system installed, you can guarantee that it has undiscovered bugs and vulnerabilities.

True, but there are bugs, and there are BUGS. I can't see Linus approving a kernel patch adding a JavaScript engine to the kernel, for instance.

0
0
Tom Paine
Silver badge

Re: It's 2017 and Microsoft is still the world's largest distributor of security vulnerabilities!

Point of order, Chair: I'm in infosec and I can't afford a mortgage! (I live, or rather exist, in/near London. What's that message broadcast from the Event Horizon again?)

1
0
Tom Paine
Silver badge

Re: Riddled to high heaven

Worth pointing out that one of the recent Shadowbrokers dumps included docs showing CNE tools ported to every platform under the sun, including Free (at least) BSD. If they can target BSD, so can other threat actors -- the sort who are more likely to want to compromise an average Commentard's site than the NSA.

https://forums.freebsd.org/threads/58590/

0
0

CERN ready to test an EVEN BIGGER gun

Tom Paine
Silver badge
Coat

Re: Cern build a manufacturing plant

Delighted to find this is still online, 20 years after I raided it to customise the Windows startup / shutdown sounds...

http://debian.man.ac.uk/.f/pub/misc/blakes7/sounds/

Little known fact: Avon demonstrates what is, in effect, SSH tunnelling via Orac (on what looks like a beach in Essex) to Zen on board the Liberator at the start of S3E1.

I would get out more, but I'm a sad bastard :)

1
0
Tom Paine
Silver badge

Re: Linac 4 is tiny at a mere 90 metres long

So, could possibly be mounted in the axis of a naval vessel, the sort with the power already in place for rail guns?

Possibly (though I imagine operations consumes quite a bit of power) but why would you want to do that? Hard to imagine a less effective weapon than a few dozen protons, even if they *are* travelling at relativistic speeds. You wouldn't want to stick your head in the way, but it's not going to be any use as a weapon.

1
0

Palo Alto IDs another C&C-over-DNS attack

Tom Paine
Silver badge

Re: DNS

DNS is a fantastic method of moving information into and out of a compromised server because it bypasses ALL SECURITY on a network

...unless you're piping your DNS logs into a halfway decent SIEM backend datastore, of course. I've only seen that in really large enterprises though. Or doing https://uk.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152 . Or if the DNS traffic generation activity is picked up by whatever endpoint protection you have in place. Or if the malware that does it is spotted and blocked by traditional AV, or by next-gen pop-the-attachment-in-a-sandbox malware defence systems. And so on and so forth.

0
0
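The post above argues that DNS exfiltration and C&C only "bypass all security" if nobody is looking at the DNS logs. The following is an added example, not code from the original post or from Palo Alto, showing the kind of heuristic a SIEM rule or a small batch job would run over query logs: it profiles each registered domain by the number of distinct subdomains, the Shannon entropy and length of those subdomain labels, and the share of TXT/NULL queries, then flags domains that look like an encoded-payload tunnel. The log line format, the thresholds and the sample lines (including the `evil-example.net` tunnel) are all constructed assumptions for the demo; a real deployment would use the Public Suffix List rather than the two-label shortcut in `split_qname`.

```python
"""Heuristic DNS-tunnelling detector over a batch of query log lines.

Added example, not from the original post. Log format, thresholds and the
sample input are assumptions constructed for the demo.
"""
import math
import re
from collections import defaultdict

# Constructed sample, one query per line: "<timestamp> <client> <qname> <qtype>".
# The evil-example.net lines imitate an encoded-payload tunnel; the rest are benign.
SAMPLE_LOG = """\
2017-05-16T09:00:01 10.0.0.5 www.example.com A
2017-05-16T09:00:02 10.0.0.5 mail.example.com MX
2017-05-16T09:00:02 10.0.0.5 www.example.com AAAA
2017-05-16T09:00:03 10.0.0.9 a1.cdn-example.org A
2017-05-16T09:00:03 10.0.0.9 b2.cdn-example.org A
2017-05-16T09:00:04 10.0.0.9 c3.cdn-example.org A
2017-05-16T09:00:05 10.0.0.7 3q2bz5f6k7lmnopqrstuvwxyz234567abcdefghij.t.evil-example.net TXT
2017-05-16T09:00:05 10.0.0.7 k9pq2x8v4n7m1z3c6b5a0s2d4f6g8h1j3k5l7m9n.t.evil-example.net TXT
2017-05-16T09:00:06 10.0.0.7 zy7x6w5v4u3t2s1r0q9p8o7n6m5l4k3j2i1h0g9f.t.evil-example.net TXT
2017-05-16T09:00:06 10.0.0.7 0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t.t.evil-example.net TXT
"""

# Thresholds are assumptions for the demo; tune them against your own baseline.
MIN_UNIQUE_SUBDOMAINS = 3
ENTROPY_THRESHOLD = 3.5      # bits per character of the subdomain part
LABEL_LENGTH_THRESHOLD = 30  # a single DNS label longer than this is unusual

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character; random/encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain). Assumes a two-label registrable
    suffix; a real deployment would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def profile_domains(records):
    """Aggregate, per registered domain, the features the heuristics score on."""
    prof = {}
    for r in records:
        reg, sub = split_qname(r["qname"])
        p = prof.setdefault(reg, {"queries": 0, "subdomains": set(), "entropies": [],
                                  "max_label": 0, "txt_null": 0, "clients": set()})
        p["queries"] += 1
        p["clients"].add(r["client"])
        if sub:
            p["subdomains"].add(sub)
            p["entropies"].append(shannon_entropy(sub.replace(".", "")))
            p["max_label"] = max(p["max_label"], max(len(lab) for lab in sub.split(".")))
        if r["qtype"] in ("TXT", "NULL"):
            p["txt_null"] += 1
    return prof


def find_tunnel_candidates(text):
    """Return {registered_domain: [reasons]} for domains matching the heuristics."""
    hits = {}
    for reg, p in profile_domains(parse_log(text)).items():
        # Many distinct subdomains is the precondition: a tunnel needs a fresh
        # name per message or it would be answered from cache.
        if len(p["subdomains"]) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_entropy = sum(p["entropies"]) / len(p["entropies"])
        reasons = []
        if mean_entropy >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy subdomains (%.2f bits/char)" % mean_entropy)
        if p["max_label"] >= LABEL_LENGTH_THRESHOLD:
            reasons.append("long label (%d chars)" % p["max_label"])
        if reasons:
            if p["txt_null"]:
                reasons.append("%d/%d TXT/NULL queries" % (p["txt_null"], p["queries"]))
            hits[reg] = reasons
    return hits


if __name__ == "__main__":
    for dom, why in find_tunnel_candidates(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(why))
```

On the constructed sample only `evil-example.net` is reported: `cdn-example.org` has three distinct subdomains but short, low-entropy labels, and `example.com` never reaches the subdomain-count precondition. Expect false positives from CDNs, anti-spam and tracking services that use hashed hostnames, and from DKIM/SPF TXT lookups, which is why the precondition and thresholds need a baseline from your own resolver logs before the rule goes into a SIEM.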

Just so we're all clear on this: Russia hacked the French elections, US Republicans and Dems

Tom Paine
Silver badge

Just so we're all clear on this: Russia hacked the French elections, US Republicans and Dems , and the EU referendum.

FTFY. No, don't ask for the evidence, as is typical in this country you won't be reading about most of it for another 29 years 3 months (God forbid the Mail / Express/ Telegraph readers should discover they were played like a fiddle by Vladimir!)

2
0


Biting the hand that feeds IT © 1998–2017