* Posts by Tom Paine

2255 publicly visible posts • joined 19 Aug 2008

Mailsploit: It's 2017, and you can spoof the 'from' in email to fool filters

Tom Paine

I can't begin to tell you...

...what fun responding to this one has been. The well-known mail filtering service that, when I pulled them to see when they'd be adding detections, seeing as 11/14 test mails using variants (available at http://mailsploit.com), responded with a puzzled-sounding request for samples... First line eventually responded that he'd be escalating it to "security engineers".

These days, there seem to be quite a lot of young, startuppy firms who, despite peddling some sort of buzzword-laden hipster magnet nonsense (that The Business insists it needs to use), really do seem to properly Get It about security. They respond quickly to news about vulnerabilities, researchers mailing security@bizzystartup.com get a reply from someone with clue within an hour or two, they have immediate answers to questions about their security practices. When they inevitably suffer some kind of incident, they go public very quickly and share info as openly and transparently as possible. They give researchers public credit. They have people, they spend money... they are, in short, everything my employer is not.

And yet my employer is knocking on the door of a billion (sterling) profit a year, and startups that get it are acquired by clueless multinationals or bought out to be shut down.

The wheels grind slowly, slowly. I hope they do grind small, even if I don't live to see the day. The karma is in the post - right, kids?

Right?

Mine's a double....

Expert gives Congress solution to vote machine cyber-security fears: Keep a paper backup

Tom Paine

Pencil and paper

Talk about over-thinking. If ever there was a problem for which "computers" was the wrong answer, this is it.

Report: Women make up just 17% of IT workforce, paid 15% less than men

Tom Paine

Re: Just throwing this out there.

"gender bias" does not mean evil cigar puffing men consciously scheming to keep women out of the office.

Tom Paine

Re: The question is more "are things changing"?

They've changed dramatically, for the worse. Go look up the time series of the gender ratio in CS degrees over the last 40 years.

Tom Paine

Re: As an employer who hired equal numbers of male/female programmers

No-one here will get this, but what you're describing in fact has everything to do with gender bias.

Tom Paine

Follow the money

Men in IT have a strong incentive to make it a hostile environment for women. Keeping the supply of, say, Oracle DBAs or .NET programmers artificially low keeps wages artificially high.

Please don't vote me down unless you can explain the error in the above statement.

High Court judge finds Morrisons supermarket liable for 2014 data leak

Tom Paine

As a security grunt what concerns me

Had the data leak not been traced to Mr Skelton, would Morrisons still be on the hook for vicarious liability?

Stick to the script, kiddies: Some dos and don'ts for the workplace

Tom Paine

Re: I use scripts all the time

Part of the problem I have with DevOps is that there is no "preview" mode

Say what? CI should give you a preview of what to expect. If it doesn't, you're doing it wrong.

Tom Paine

Re: Something missing?

Alright. Look. They're ALL the most important. Alright?

A certain millennial turned 30 recently: Welcome to middle age, Microsoft Excel v2

Tom Paine

I cut my teeth in C++ then taught myself VBA

My god, how bad must VS C++ be that VBA is a pleasant change?!

I shouldn't complain - it was the 20 months grinding out VBA that brought home to me just how fantabulous Perl is.

'Treat infosec fails like plane crashes' – but hopefully with less death and twisted metal

Tom Paine

Re: Plane accidents vs Infosec fails

No. Consider the history of electrical safety during the first century or so of widespread deployment of electricity supplies.

Tom Paine

Zero interest

It'll be a cold day in hell when a statutory body is established with the power to shut down organisations, mandate strict training standards or ground a particular OS or application -- right up until the day a cybercybercyber incident leads to a pile of corpses.

As I happened to mention in a comment a few hours ago, compare regulation in industries that can kill people when they screw up (civil engineering, aviation, mining, medicine, ...) with, say, banks and financial services. (Full disc, I work in fin servs).

EU's data protection bods join the party to investigate Uber breach

Tom Paine

Re: UK.gov told to sever ties with 'grubby, unethical' company

....BAE?

...just kidding.

Tom Paine
Megaphone

Re: They need to hit Uber hard, and where it hurts, in the wallet

The issue seems to be that they don't think they really /are/ regulated -- not if that means "doing what the regulators and legislators say you must do". This is the big problem with regulation of all sorts - it's all very well having a big book (or books) of rules, but how'd you check whether the rules are having the desired effect? How'd you know people are obeying them? If you ARE lucky enough to catch someone flouting them, are the penalties commensurate with the harms suffered? It's the same from hardcore financial trading to retail banks to normal company accounts to the actions of the Big Four consultancies. It's there in infosec and in fire safety, as seen in W11 a few months ago (have a look online for the datasheets for ReynoBond PE, the cladding from Grenfell Tower that went up like a Victorian nightdress -- see all those fire safety certifications from around the world?) It turns up in healthcare and education, too, it's not a purely private sector problem. Come to that, it turns up in the context of government, law enforcement and the Intel Community, too.

No, I don't have a strong opinion on the answer. "Spend more on monitoring compliance and make the penalties for wilful flouting include disbarring Directors and *real* fines" sounds good, but where do those regulators come from? As with the FCA monitoring of financial trading, they have to employ people who know the business inside out and who know the tricks and sleights of hand, which means you have to pay 'em Desk Head or MD level salaries - and those are pretty chunky; you won't get many takers for less than £250k. Not until the next massive round of redundo, anyway... OK, infosec people are much cheaper than that, but here the problem is that even if you paid them a million quid a year, there simply aren't enough good experienced professionals to go round. You'd end up hiring half the security people in the country, leaving no-one to actually secure the regulated organisations.

And so on and so forth.

(I only just discovered the much heralded GDPR fines, originally 5% of turnover but now down to 4%, are capped at £18m. Uber turned over $6.5Bn last year. You can bet a $260m fine would get Uber's attention, and that £18m will be lost under "misc. operating expenses, stationery, sundries" in next year's Annual Report. So scrapping the cap would be a good start. We need to put a few firms out of business.)

Shouty icon, because who doesn't feel better after an hour or so's bulgy-eyed bellowing about the inequity of it all?

Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Tom Paine
Thumb Up

me too

That's my guess about what happened. When the malware samples suddenly started turning up protectively marked classified information -- well, would YOU want to explain to Mr President why you destroyed top secret data relating to a reasonably hostile foreign state? Russian prisons have a reputation not dissimilar to that of the psycho-redneck racist sheriff or judge or whatever he was, whose prisons had a mysteriously very high mortality rate (spoiler alert: because sick people were left screaming in agony until they died, and because the guards were - are - very, VERY enthusiastic and keen.)

Anyway, so I don't think you can really condemn Kaspersky for doing that. That doesn't mean that, if you have confidential data or code that would be of interest to the RU gov, you should run their product.

The idea that KAV could be in effect a RAT, allowing searches for and exfiltration of data for any other reason than 'it looks like malware and we want to analyse it' is for the birds; as soon as a single researcher got pcaps of it in action, the entire firm would be out of business.

Tom Paine

Re: So, after all, Kaspersky actively lifted files from a machine and transferred them to Russia...

Anyway NSA should really start to hire competent people, not clueless ones that want to play with secret malware at home on an internet connected machine full of pirated software and with an AV fully active...

You've never tried recruiting for infosec roles, have you.

(See this big flat patch at the top of my forehead?)

Tom Paine
FAIL

Re: Perfect timing ...

it was perfectly timed to support the whole "Russians did it" narrative being pushed by the US Government

So, the more evidence of Russian AM around the election emerges, and the more solid and reliable it seems, the LESS it should be trusted. Gotcha.

BTW, I think you'll find the US government has been fairly consistently rejecting the considered opinion of the entire US Intel Community. Last I heard, it was calling the former directors of the NSA and CIA "political hacks".

(Unless by 'government' you meant that Sputnik / RT "deep state" meme, in which case: yeah, clever wording, cheers)

Tom Paine
Black Helicopters

Re: Who to trust? NSA or Kaspersky?

Russian police are unlikely to show up at my door because I committed a crime

But they'd be very happy to use that to recruit you into helping them out, if you were in a position with any influence, power, or access to interesting data.

Thank goodness no-one in government today has any sort of record that might suggest they're susceptible to being, shall we say, influenced. And certainly not the Foreign Secretary, with his gleaming unblemished record and well-known propinquity for propriety at all times.

https://www.newsmax.com/Newsmax/files/19/19f92cad-4e7b-4fb2-84d1-b61c3ff6c0b6.JPG

Tom Paine

Re: Mocus! Found on the PC of Bickus Dickus!

One wonders why the NSA both is incapable of delivering a 100% top notch open-source antivirus program to US folks

Because it's not something they're set up or resourced to do, and because it would be disrupting commerce with illegal government subsidies?

Brace yourselves, fanboys. Winter is coming. And the iPhone X can't handle the cold

Tom Paine

Re: Diversity figures are meaningless without context

Only 0.3% of qualified midwives are male so a 10% figure would be far too high and indicative of rampant sex discrimination against women.

Nope.

Enumerating the mistaken assumptions in your comment is left as an exercise for the reader.

Tom Paine

Re: Diversity figures are meaningless without context

I'm afraid you have completely missed the point of diversity targets.

Make of that what you will.

Tom Paine

Re: Reparative actions - breaking news?

...and?

SSL spy boxes on your network getting you down? But wait, here's an IETF draft to fix that

Tom Paine
FAIL

a standard mechanism for securely passing data through middleboxes without having to screw around with custom root certificate authorities...

...stops reading.

UK Home Sec thinks a Minority Report-style AI will prevent people posting bad things

Tom Paine

Re: The only viable explanation for going off the straight and narrow and onto a bender.

No idea how well or badly it works, but there IS a commercial product out there that claims to do this, pitched at the enterprise "don't frighten the horses" market: http://www.safescribe.com .

Anyone got first hand experience with that thing?

NASA reconfirms 2019 will see first launch of Space Launch System

Tom Paine

#NASA reckons the EM-1 costs are still within 15 per cent of budget,

So, running 15% over budget already with less than 30 months to blue touchpaper day. Hey, perhaps that number will go down as the deadline approaches! Right, kids?

Evil pixels: Researcher demos data-theft over screen-share protocols

Tom Paine

Re: I wonder

The fine article says the victim doesn't see the data screens, they're only displayed on the attacker's end. I don't understand why not, though. Don't know enough about the plumbing of GUIs (like, anything at all, really) but how can the standard Windows RDP server be tricked into inserting pixels into the bytestream going to the attacker, if they're not in the frame being displayed to the user on the console?

Boffins: Sun's red dwarf neighbour is looking a little thick around the middle

Tom Paine

I hate to be "that guy", but...

...nah, actually I've just learned to live with the burden.

Normally, when mass is heated by a star it emits radiation. When it's cool enough, though, it emits radio waves.

Ahem..!!

Those IT gadget freebies you picked up this year? They make AWFUL Christmas presents

Tom Paine
Unhappy

Time... time...

Working 60h+ weeks, I don't really have the luxury of being able to take a day off to visit a trade show. If I got the time off I'd be spending it catching up the housework backlog that's accumulated over the past four months of deathmarch :(

US says it's identified six Russian officials as DNC hack suspects

Tom Paine

Re: Hacking 101

This is utter, UTTER bollocks, as anyone with the slightest knowledge of IP networking, "hacking", ethernet and such will confirm.

Tom Paine

Re: Incident response firm Mandiant ..

The most depressing thing is that you morons are real humans, and have accounts and posting histories showing you're not software or being paid by Putin. You're just exceptionally dimwitted. God help us when the war comes.

Tom Paine

Re: Crack teams

ROFL!!

Why yes, randomised IP addresses are essential when setting the src IP in the packets you send at your target to set up a TCP connection. That way it has no idea where to route its responses and errrrr oh wait.

Tom Paine

So how do they know it's these 6 members of Russian government?

Gee, I dunno... maybe that's because the indictments haven't been filed or opened yet. But no, they're not open yet, therefore there IS no evidence and never will be.

D'you ever listen to The News Quiz on Radio 4? D'you remember Miles Jupp's description of the F.A. management who appeared before the DCMS Select Committee the other week? Cos it's an arsewit carnival here today, too.

Tom Paine

What about Seth Rich's murder?

Jesus, what's happened? Since when were there InfoWars nutters on El Reg??

Tom Paine

Are the Russians meant to have helped Trump win or were they trying to help Clinton? It seems to vary every time I read about this.

What on earth are you reading, RT? Sputnik? Breitbart?

Tom Paine

Well, then, there won't be any evidence that will stand up in court, will there, and you - uh, /they/ won't have anything to worry about. Goodness, how silly the Feds are going to look when they have to stand there in court, red-faced, and confess that they just made it all up.

Tesla share crash amid Republican bid to kill off electric car tax break

Tom Paine

Yep! Just as well!

Europe's EV manufacturers will be delighted to see the tech industry's attempt to eat their lunch go up in a puff of Trumpery. How're Apple's shares doing? What about Google?

Official: Perl the most hated programming language, say devs

Tom Paine

I was a n00b developer struggling to convert rusty memories of Sinclair Basic into working VBA code when someone lent me the Llama book. I have a vivid memory of standing reading the first chapter, the 'secret words' program, on a rush hour tube train in about 1995/96. I stared at one of the quintessential Perl constructs - something like this:

    # Open the input file named on the command line ('f' was the recalled bareword filehandle)
    open(my $f, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!";
    while ($foo = <$f>) {
        chomp $foo;
        # '=~' binds the match to $foo; a plain '=' would assign the match result instead
        if ($foo =~ /^[a-zA-Z]+$/) {
            do_stuff($foo);
        }
    }
    close($f);
    sub do_stuff { print "$_[0]\n" }   # stand-in for whatever the real work was

...when I realised it would replace two pages of code I'd been struggling to write for days and days in VBA. It really was a road to Damascus moment - it was dizzying. Suffice to say I got the hell out of VBA at the first opportunity. I'm now head of security at a city firm, and still regularly reach for #!/usr/bin/perl for small scripting jobs - auditing AD accounts, munging data copy-and-pasted from our ghastly proprietary SIEM, making the tea... hard things are easy and possible things are possible.

Perl 4 life!

Red Hat banishes Btrfs from RHEL

Tom Paine

Er. Isn't that exactly how it works today in POSIX land?

*Confoosed

Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system

Tom Paine

Re: Problem?

If whois had never been invented, then (all other things being unchanged) DNS would work exactly as it does today.

iPhone 8: Apple has CPU cycles to burn

Tom Paine

What's the point?

Can anyone explain what on earth is the point of 240 FPS video? Says here the human eye / visual cortex can only see the difference up to 45 FPS. Our brains aren't fast enough. (Flies have a much faster clock speed, apparently, so can see, process and react to an approaching rolled up newspaper 10x faster than we could. There's a fascinating piece on the BBC news website about it.)

FWIW I've a 150 quid Motorola G4 here that's indistinguishable to me from any other smartphone in terms of functionality, quality of display, memory, blah blah. No doubt the kids in the playground get as excited about Samsung vs Apple as I did about Acorn vs Commodore, but I'm a grownup now with less need for willywaving. Saves a fortune, too ;>

National Audit Office: We'll be in a world of pain with '90s border tech post-Brexit

Tom Paine

Re: How hard can it be?

Actually that's one of the first things about Brexit that was clearly defined, but the EU won't let its negotiators even discuss it until they've settled the "brexit bill" issue.

You are mistaken. There are three issues that they have said they want to see progress towards an agreement on before moving on to trade terms: status of citizens, the NI border and the size of the remaining financial commitments. These are literally all that Davis clown show and Barnier have been negotiating about so far. As such, your statement could not be more wrong. By a process of inductive reasoning, I have reached a conclusion about the value of the remainder of your comment and decided not to read it.

Tom Paine

Re: How hard can it be?

Just as one example of the myriad of factors you're unaware of, there's not just a single database query "01983475r93/B : Paine, T.: admit or refuse?" That's the question the narrow-eyed guardian of the nation peering suspiciously at your passport is asking, but have you any idea how many different terror blacklists, no-fly lists, money-laundering blacklists, Interpol alerts, UK police "stop and detain" alerts, etc there are? As a simple-minded IT sales person you may be assuming that surely all those disparate data sources feed into a single back-end system somewhere in the Home Office's DC that synthesises all that into a single unified yes/no decision; to which I can only ask whether you've ever sold into the public sector?

The next thing to consider is that N.E.G.o.t.N. doesn't make that decision purely on the basis of the passport.

And so on and so forth.

Tom Paine

Re: How hard can it be?

To be fair, passports meet an international standard. That little biometric symbol on the front of the standard maroon passport leavers affect to hate so much isn't just on EU passports. Likewise the machine-readable data section inside the back cover.

A system to read a passport and check its validity, look it up against various databases, blacklists, alert lists, etc etc already exists and is in use. The problem is that business logic will be changing. Not only are the rules going to be different for the EU27, but (surprise!) the relationship between us and the rest of the world will, in many cases, change at the same time -- in an exciting variety of ways, depending which country you're considering. Sticking a pin in at random, let's take Switzerland. We don't have any particular arrangements for UK cits visiting Switzerland, or for Swiss citizens visiting the UK: we have agreements on those things /AS AN EU MEMBER STATE/. Those agreements are all null and void at midnight on 2019-03-29.

Hint: there are other countries apart from Switzerland.

Get it now?

Tom Paine

Re: How hard can it be?

Not a troll question, but a genuine one for those that understand these things on a proper level.

Fair enough!

As I see it, [...]

What is most likely:

(1) that it's actually a fairly straightforward, routine system - fairly large and distributed, but nothing like as complicated as, say, a supermarket's logistics system, but it just can't be delivered because contractors are crap developers; or

(2) that the problem space is actually a little larger and more complex than you imagine?

Tom Paine

Re: Brexit?

Irish soft border solution (this isn't even our problem the EU demands we solve but theirs

I think you'll find that anything that requires cars to stop and answer questions from a human will mean the end of the Peace Process, and that will be very much our problem, even those of us who don't live in Ulster.

The psychopaths haven't gone away, you know; they've just lost popular support and, ahem, colleagues who blew up and shot people for purely political reasons, rather than because that's how they got their jollies. As an Irish MP pointed out: put up an ANPR camera on a tower and someone will come along with a tractor and pull it down. Now you have to replace the tower and have a guy with a gun standing next to it. Some of us are old enough to remember how that ends. Do yourself a favour, take a trip down memory lane and check out, say, images of the Bishopsgate bomb.

https://www.google.com/search?tbm=isch&source=hp&biw=905&bih=608&q=bishopsgate+bomb&oq=bishopsgate+bomb&gs_l=img.3...782.4471.0.4945.17.12.0.0.0.0.365.639.2-1j1.2.0....0...1.1.64.img..15.2.636.0..0.0.Vj3LdBpa5cI#imgrc=_

Funnily enough, this is a five minute stroll from where I work today. It's a mass of tower cranes and concrete cores as yet more glass and steel towers go up -- projects that had broken ground before the vote, buildings that I suspect are going to be mostly empty for a good few years.

Tom Paine

Re: Brexit?

We may have a shrewd suspicion but we don't know if the headlines will be "drugs and terrorists flood into Britain as border controls give up and open the gates" or "unemployment hits five million as 70% of firms exporting to the EU go bust" or "millions of pounds worth of goods stuck in the longest tailback traffic jam of all time from Dover to the M25" or "inflation hits 25% for the first time since I was a lad". Or possibly "sanity prevails and transition deal means everything continues as before on B-day +1, final Brexit postponed indefinitely". Who knows? Your guess is as good as mine. It's going to be a GCF either way.

Tom Paine

Border operations in the UK still rely on '90s technology that lacks modern functionality.

Not entirely convinced passport control needs wifi, bluetooth and a "Share" button...

The case of the disappearing insect. Boffin tells Reg: We don't know why... but we must act

Tom Paine

Re: Maybe if they collected less insects, there would be more around...

I grow lupins. I like bees and such and use chemicals as little as I can get away with. This is not a good combination (but it's great news for purveyors of washing-up liquid)

Tom Paine

Re: @Vorland's right hand Maybe if they collected less insects, there would be more around...

I'm sure I'm not alone in finding my corner of London suburbia infested with the disease of concreting over the front garden and parking a car on it. That certainly doesn't help. (OK, sometimes they use geotextile and some low grade stone chippings; that's a slightly less unsustainable urban drainage system, but still.)