* Posts by Tom 13

7611 posts • joined 10 Jun 2009

EBAY... You keep using that word 'ENCRYPTION' – it does not mean what you think it means

Tom 13

Re: isn't spending much on security?

Probably but not necessarily.

They could be spending boatloads on security but it is still crap because they aren't using the right concepts or focused on the wrong areas.

Look, Ebay have been compromised for at least 2 months, probably with employee credentials. Once you have a copy of legitimate employee credentials the system is much more vulnerable to escalation attacks. If you've got a month to trawl around, you can probably find the salt and the hash algorithm even if programmers followed the best theoretical practices possible. Hell, at that, you might just do what they did with Target: install a logger that captures credentials as they are being passed for authentication.

Tom 13


That only works for the current password. Sometimes the bozos writing the security rules want you to set a password unlike any of the last 48 you've used, with at least one from each of the 4 standard categories except no database field delimiter characters, plus you can't use any dictionary words, reversed dictionary words, frequently used passwords from security studies, reversed frequently used passwords from security studies, simple number patterns or common keyboard patterns.

I'll confess as someone who creates new accounts and resets passwords on a daily basis I've gotten pretty good at throwing together crap that usually meets the requirements. But there was one site where the rules were so arcane I finally said 'fuck it. generate one for me that meets your goddamn rules.'
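The rule set described in the post above, turned into a checker plus a "generate one for me" fallback, as an added example; this is not code from the post or from any site it mentions. The word lists are constructed stand-ins for real dictionaries, the delimiter set and the 4-character pattern length are assumptions, and PBKDF2-HMAC-SHA256 stands in for whatever a real password-history store would use.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed, deliberately tiny word lists; a real checker would load full
# dictionaries and a breached-password corpus (assumption, not from the post).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
COMMON_PASSWORDS = {"password1", "qwerty123", "123456", "iloveyou", "abc123"}
# Characters a naive storage layer might treat as field delimiters (assumed set).
DELIMITERS = set(",;|'\"\t")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
HISTORY_DEPTH = 48
PBKDF2_ROUNDS = 50_000  # illustrative work factor for the history store

SYMBOLS = "".join(c for c in string.punctuation if c not in DELIMITERS)
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def has_keyboard_pattern(pw, run=4):
    """True if `run` adjacent keys from one keyboard row appear, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def has_number_pattern(pw, run=4):
    """True if any digit run contains `run` repeated, ascending or descending digits."""
    for match in re.finditer(r"\d+", pw):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            diffs = {b - a for a, b in zip(window, window[1:])}
            if diffs in ({0}, {1}, {-1}):
                return True
    return False


def remember(pw):
    """Build a (salt, digest) history entry; per-entry salt so old hashes can't be cross-matched."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def matches_entry(pw, entry):
    """Constant-time comparison of a candidate against one history entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(pw, history=()):
    """Return the list of rule violations; an empty list means the password is accepted."""
    low = pw.lower()
    problems = []
    categories = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SYMBOLS for c in pw),
    )
    if not all(categories):
        problems.append("needs upper, lower, digit and symbol")
    if any(c in DELIMITERS for c in pw):
        problems.append("contains a delimiter character")
    if any(w in low or w[::-1] in low for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word (or its reverse)")
    if any(w in low or w[::-1] in low for w in COMMON_PASSWORDS):
        problems.append("contains a common password (or its reverse)")
    if has_number_pattern(pw):
        problems.append("contains a simple number pattern")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if any(matches_entry(pw, e) for e in list(history)[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def generate_password(history=(), length=16, max_tries=1000):
    """Draw random candidates until one passes every rule: the 'generate one for me' case."""
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, history):
            return candidate
    raise RuntimeError("no compliant password found; the rules may be unsatisfiable")


if __name__ == "__main__":
    previous = [remember("Gx7!pLq2#vR9m")]
    print(check_password("Drowssap#2024"))             # reversed dictionary word
    print(check_password("Gx7!pLq2#vR9m", previous))   # reuse of a remembered password
    print(generate_password(previous))                 # a fresh compliant password
```

The generator is rejection sampling over the full alphabet rather than a hand-built template, so it never leaks structure about which rule forced which character; with a 16-character draw from 89 symbols the category rule alone rejects well under a fifth of candidates, and the pattern rules almost none.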

eBay faces multiple probes into mega-breach

Tom 13

@ Tom Paris

Nah. Stick with the easy ones:

Senate decides patent reform is just too much work, waves white flag

Tom 13

So once again work done by the House

dies in the Senate.

Oregon hit with federal subpoena over failed healthcare website launch

Tom 13

Re: If you are inept, crooked or stupid

You forgot the last option, which applies to Oracle:

Have more cash reserves than the government and will be able to charge back the lawyers fees after you win the case.

Tom 13

Re: Oracle taking a hit????

You know about the 7 green lines right?

If not, search Google. It should be the first item listed. From Youtube of course.

Tom 13

Re: instead of a wopping fifty two.

I thought it was 57.

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Tom 13

Re: my personal information is now released into the wild

Yes, that would be my only concern. Not sure if I have an account with them. If I do it is more than 10 years old and I haven't used it since I created it. Not sure I'd recall what the password is if I tried. Pretty sure it was attached to an ISP email account that I couldn't get a password reset on because of merger magic. So at least as far as I'm concerned the only thing there they could steal is my identity.

Congress guts law to restrict NSA spying, civil liberty groups appalled

Tom 13

Re: parties and individual candidates can only get into power with huge financial backing


The parties are run on precinct levels. A precinct is an area that on average contains 2000 people. Each precinct has a captain. Each precinct captain votes on the party platform. About 2/3 of the positions for precinct captains are empty at any given time. Which means any reasonable populist cause can, if it so wishes, assume control of the party any time it wants to. The only things stopping it from happening are a lack of will and the misconception that getting involved will necessarily corrupt your soul so it's best to stay out.

Tom 13

Re: not with data mining.

But we all know data mining is far more effective at both targeting the bad guys and ignoring the salacious but irrelevant data that human interaction might detour towards.

The problem isn't with the method. The problem, assuming there is one, is with oversight of the people coding the search algorithms. And so far there isn't any proof the information has been misused, only speculation and the assumption that it has because the processes have been hidden from us. This is a Stalinist tactic from the Cold War years: allege the secret process is corrupt and demand it take place in public. Then when salacious but irrelevant details that were ignored by the secret courts are revealed, demand the whole program be scrapped.

Tom 13

Re: vote to ensure that it never happens again.

Neither you nor Cord have been paying attention. No need for that, they already did it. See the hoopla surrounding Linda Tripp when she played the tapes of her conversations with Monica Lewinsky when Bill Clinton was trying to suborn perjury from Tripp.

Beyond that, you can't pass any law that will put a Congress critter in prison. It's forbidden by the US Constitution while Congress is in session. These days, it's ALWAYS in session.

Tom 13

Re: Obviously time to turn the tables, then...

If we can't put Charlie Rangel in jail for tax fraud when the non-NSA agencies have gathered (through the appropriate legal mechanisms) more information about his fraud than they gathered for Nixon on Watergate, there's no chance any of them are going anywhere except where they are right now.

Tom 13

This article is even more badly flawed than the Congress critters considering the law.

It contains no actual facts, only opinions about opinions. And when you're posting only opinions as news it is normally considered appropriate to quote from both sides. And no, links to press statements are insufficient. So let's look at the clause that seems to be at the root of the ruckus:

(2) Specific selection term.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.

Adding "address" and "device" seems entirely appropriate. Either are terms any of us would use to identify a system in our daily work. In any other context we would regard the phrase "such as" as entirely necessary because of the speed at which IT changes. Therefore it is also appropriate in this context.

350 DBAs stare blankly when reminded super-users can pinch data

Tom 13

Re: Nice FUD

Privileged user is not necessarily equal to DBA for the relevant context. In most of my above examples, the people who stole the data had privileged access even if they weren't DBAs or sysadmins.

Like what happened at Enron and Bernard L. Madoff Investment Securities LLC ? Yeah, a bunch of DBAs, Network ops and Sys admins criminals...

No, but Barclay's was certainly a privileged user who should not have had the access he was granted. And the DBAs certainly should have prevented it.

I concur that most sysadmins and DBAs are honest people who aren't trying to rip off the company. The problem is, it only takes a couple of bad apples to do an awful lot of damage. And the DBAs and sysadmins are on the front line for keeping the bad apples at bay.

Tom 13

@James Anderson

No, the one customer case I listed above was far more expensive than you'd think. Business owner lost half his business, plus lawyers costs, plus an expensive audit from MS because the rogue former employee accused the owner of pirating software. I think the audit took a year and at the end they determined he was out of compliance for 1 desktop for 1 rental for at most 1 month. And he had to revise his business practices as a result.

Tom 13

Re: What IS surprising ...

Where's the wholesale reading of the CEO's email to warn of future restructuring

Seen that one, only it was done by a low level employee, not the sysadmin. Technically still the sysadmin's fault because of the configuration, but in his defense, this was at least 5 years before security even became an inkling of an image on the early warning radar. And after it was discovered, it was fixed post haste. Including the employee who engaged in the spying being canned even faster.

How come so few disaffected fire-ees don't "take out" that one single, critical machine when they are let go?

Sort of seen this one too, although again it was at the employee level. All critical files on their network and local drives were wiped. Yeah, they were keeping the bulk of their data on the local against company policy. But then again there was no enforcement mechanism.

And the biggie: stealing customer files before walking. Seen that one twice. First time it was a sales guy who copied the list the second month he was with the business. Next time it was more heard of rather than saw. Agreement in place when I was hired as a field tech. Previous lead tech walked off with the company customer list. But in that case I'll still call him employee as opposed to sysadmin because we were all field techs.

Tom 13

Re: showing age maybe ?

I think the problem there is you're using "sysadmin or DBA" in a technical manner as opposed to the MS label for people who are only using the system.

The problem is, most companies don't understand their actual risk profile. Two instances from a company I worked at.

1. Jr Network admin who was more competent than most of the Sr. Network admins commenting on a new security initiative: "I'll start taking security seriously right after they remove the backup app they have installed on all the user dba systems that has the default MS SQL admin active with the password set to blank." The backup app was third party using an embedded MS SQL engine. It was installed on all the dba desktops because: 1) They had sold a customer on desktops being more cost efficient than a SAS server, 2) They decided it was cheaper to use over the wire than buy the extension for the network backup system plus the additional tape storage they would have needed for all the desktops. Yes, they did promise all of the healthcare related information they were analyzing had been sanitized before it was put on those computers. Honest.

2. Sr. Network admin: "Yeah I told them they couldn't give me the password for the system they use to transfer money from the primary company accounts to the payroll account because right now that's the ONLY password I don't have for our systems. I need some level of protection if something bad happens."

Space hackers prepare to reactivate antiquated spacecraft

Tom 13

Re: course today's funniest news story

A spokesman for the RFF confirmed they had "discovered the problem a bit late".

I certainly hope the "bit late" wasn't AFTER they'd scraped up a train.

Tom 13

Re: Where have you been?

Just hope it doesn't get to "I think therefore I am." As I recall one of the phrases very shortly thereafter is "Let there be light," which turned out badly for everyone else.

Google is tech industry and world's most valuable brand as Apple rots

Tom 13

Re: But then it's still a drivel.

No, at that point it is expensive drivel, which is the important bit.

No such luck: Apple, Samsung say peace talks are off – way off

Tom 13


I'll see your US$30 million/day/company and raise you the equivalents for South Korea and the UK, direct to the appropriate national treasuries under IRS regs or regional equivalents as appropriate.

Brits to vote: Which pressing scientific challenge should get £10m thrown at it?

Tom 13

Re: Get some science oriented translators to do up the English

And depending on the journal, the English in the original submission doesn't necessarily have to be that good. The one I worked on had a small staff of editors and took a fair number of submissions from Central and South America. So long as the ideas were fairly clear and the data was solid, they'd happily clean up the English from the original submission.

Tom 13

Re: "Regular brits"

Well, not me.

Although I wouldn't object to being an honorary "Regular brit" (with or without the correct capitalis/zation).

Tom 13

Re: Get rid of the politicians?

There's only one thing on the planet worse than a politician. That's why we used politicians to replace warlords.

Tom 13

Re: They missed a trick...

There is a bigger maths fail, but it's hidden in the assumptions.

Jupiter's Great Red Spot becoming mere pimple

Tom 13

Re: just who or what is squeezing it is the question.

Maybe HG just got the wrong planet....

Uncivil engineering: US society skewers self-published science

Tom 13

Re: The real crime here

Maybe. The Journal almost certainly required the authors to sign over the copyright. It may be that they have violated the copyright after signing it over. But given the breadth of the take down notices that were issued there certainly appears to be a great deal of overreach. Which leaves open the question of whether it is ALL overreach.

Tom 13

Re: ASCE's journals

I'm familiar with those arguments. Being a bit of an experimentalist myself, I have a fundamental problem with them:

They've never been tested.

I think, maybe it is time to test them, excluding the copyright bits.

Weather forecast: WiFi storms make meteorologists look mad

Tom 13

Re: why it has taken until now

A friend of mine works directly with data received from weather satellites. There are a variety of problems all over the useful weather spectrum and the guys in the trenches know and complain about all of them. But most of the time nobody with a megaphone cares. The usual solution is to just throw the data away because it is corrupted. The fundamental problem is all of the spectrum is commercially useful, and given our data transmission, defense, and scientific needs there is a constant clash for it.

As for the approach outlined in this paper, I don't like it. The point of collecting actual data instead of modeled data is to correct the model. But given the amount of data being thrown away I understand the impetus to try to correct for known issues and am willing to tolerate it.

FINGERS CROSSED: Apple and Samsung said to be hammering out settlement

Tom 13

Re: possibly bringing an end

I'll wait to see.

Looks to me more like a temporary pause in the modern version of the Hundred Years War.

Chip and SKIM: How dodgy crypto can leave shoppers open to fraud

Tom 13

Re: Physical security?

No, their software implementation is weak even if they have good physical security on the system. So it is still vulnerable.

Which doesn't mean they HAVE good physical security, only that the software problem exists independently. And if you have weak physical security, software security is more easily compromised.

Tom 13

Re: the losses that also appear to be sustainable to the banks

The losses appear to be sustainable to the banks only because the banks have claimed the system is infallible and therefore it must be the customer's fault.

World loses mind: Uber valued at TEN BEEELLION DOLLARS, Pinterest pegged at $5bn

Tom 13


IM me when the price on a two bedroom apartment has returned to Earth. Say something in the stratospheric $400,000 range. Until then it's all angels dancing on a pin head.

Tom 13

Re: 1999 called...

Well, when the Fed is pumping out greenbacks like Monopoly(TM)* money while claiming there is no inflation, these are the kinds of things you get.

*A Milton Bradley company, blah, blah, blah.

Tom 13

Re: Cabs are unreliable, untrustworthy

I've got sympathy for both sides. Cabbies work long hours, have to drive to some nasty neighborhoods, and can't refuse service to anyone. They are at high risk of being robbed when they pick up some of their fares.

On the other hand I've had to pay the $75 fare on occasion when I wasn't able to use mass transit to return home, or split it with a couple of others (which bumped us into a higher fare rate) when mass transit was suddenly unavailable for the return trip home.*

At the end of the day, I have to find for Uber. If people are willing to use the service recognizing its potential issues why not make same trip for $20 instead of $75?

*Usually because some loser has attempted or succeeded at suicide by train.

Tom 13

@ Ralph B

Hey, Don's always telling us you don't invest your own money, always use someone else's. They're just taking his advice.

LifeLock snaps shut Wallet mobile app over credit card leak fears

Tom 13

@ fred_larson_65

Life Lock is the 800 pound gorilla for prevention of identity theft and bank accounts. If you signed up for their services and you don't know that, you're too stupid for me to care about. Many people consider their measures to be over the top. Sign up for their service and you may not be able to get a loan yourself if you don't tell them first via their verification process. If you're one of those people, you shouldn't be using them. But they should be an option for people who want that level of security.

Dogecoin off the leash after Doge Vault admits server attack

Tom 13

Re: the difference between

"Proper" banks also benefit from centuries of learning from the school of hard knocks. So they have lots of checks and balances in their system to ensure accountability. It isn't fobbed off on "the mathematics" or some other such nonsense. It accounts for humans being fallible and in some instances corrupt, and the fact that any entity that holds large quantities of easily transportable wealth tends to attract the attention of the most corrupt in society. And yes, some of that learning is that governments will enforce some of those learned lessons on "proper" banks because even "proper" banks would sometimes prefer the bad taste from the learning event were forgotten.

Europe's shock Google privacy ruling: The end of history? Don't be daft

Tom 13

Re: request will (usually) be decided in a court


Europeans can submit take-down requests directly to Internet companies rather than to local authorities or publishers under the ruling. If a search engine elects not to remove the link, a person can seek redress from the courts.


So the court just gave every European citizen the same rights as the RIAA. That's going to turn out well. NOT.

Surprise! Google chairman blasts EU's privacy ruling

Tom 13

Re: This is censorship, plain and simple

I take offense at that remark!

I'm about as anti-Google as it gets these days and I think this is a stupid and even worse, dangerous ruling.

Now what I'm not is freetard or anti-corporate. And yeah, that lot are roaming unchecked in these parts. But it's Europe, so what are you going to do?

Be the next tech hotshot – by staying the hell away from regulators

Tom 13

After reading this article I have only two questions:

Who are you? And what have you done with the real Tim Worstall?

I'd expect to read something like this at Heritage or CATO or maybe even National Review. But not on El Reg!

ULA says to blame SpaceX for Russian rocket rebuff

Tom 13

Dear ULA


You knew damn well that this was a potential issue. You should have had an acceptable contingency plan for it. If you can't crap one in the next three weeks, maybe the Pentagon should cancel that sweet contract they just handed you. Because whether it was Crimea or SpaceX or GPS Ground Stations doesn't really matter. Russia is back in belligerence mode so sooner or later they were going to pull this on you/us.

That Crazy 'Merkin who keeps posting on El Reg,

Tom 13

Tom 13

Re: Or perhaps this is about the spat over GPS/GLONASS monitoring stations

Which is itself only a problem because of the issues in Ukraine/Crimea.

Senate slams ad servers for security failings

Tom 13

Re: Oh joy!!!

It's one of the powers which is actually invested in Congress. Granted there are still operational issues with it, but legally I'd be okay with that.

Except of course that's not what they're planning to do. They're going to fob it off on an unelected and therefore unaccountable agency to write the laws regulations.

Tom 13

@ Shannon Jacobs

While I like the concept it has a problem which the Senate report has already identified: there are already so many parties involved nobody can determine who let the dogs in.

Tom 13

Re: Better yet

Not necessarily the problem. I recall building out a system once and failing to make my standard adjustment of switching the default for IE from MSN to Google. Fired it up to start the MS Update process. It defaulted to MSN and ...

BOOM ! ! ! !

The malware Antivirus/Spyware 2005 (or some such year) was installed on the PC. I just turned it off and started over.

Comcast exec says wired broadband customers should pay-as-they-go

Tom 13

Re: Once this is averaged out

It will help, but it's not a magic bullet. (note that above I have supported the concept).

The problem at least here in the US is that we're turning off the LSM in favor of personalized entertainment. That entertainment is being pushed down the interweb pipes. While you can get some download shifting, you're still going to see loads peaking during certain time periods while it is wide open at others. So some infrastructure improvements are still required.

What the limits will eliminate or at least majorly rein in are the 2% who as you've noted are downloading everything they can simply because they can and not because they use it.

Tom 13

@ An0n C0w4rd Re: you have to run a ton of new fibre

I see your argument. The weak spot is, they've already done that to get the high speed connections. When the cable companies were first running their stuff they were working with the existing copper cables and counting on the asymmetrics to carry the day. I'll grant they may still have to install the nodes and rebalance the plant, but the cable is there. Or it should be there if they had the brain cells of even an alcoholic flea.

Tom 13

Re: Perversely, I thought metering was sane.

Mostly agree except:

I'm a Netflix customer. I'd actually prefer I was the one paying the ISP to transit the data. That way only Comcast has to take a profit cut for the data transit rather than Netflix also needing to get a cut. What I really don't want is me paying the ISP and then the ISP charging Netflix again so that I in turn have to pay Netflix more.

Now, on the technical side I get that it makes a fair bit of sense for Netflix and the ISPs to cooperate with peering arrangements because it's more efficient and cost effective to have some specialized piping in place to handle the load. I'm ok with that, just as long as there's no double dipping. At this point I'm satisfied the peering arrangements Netflix have arranged with Comcast and Verizon are business sensible, not gouging.

Activist investors try forcing Google to pay more taxes

Tom 13

Re: The board don't want?

Regardless of what the shareholders think they want, the law sets certain standards for the BoD. The resolution as worded does not meet those requirements. I've been in the room when the lawyer has advised that the board shouldn't breach those responsibilities no matter what the shareholders want. And that if they do so, they lose the shield of corporate protection and become personally liable for damages that might arise from any lawsuits that ensue. That's a phrase that focuses one's mind wonderfully when the corporation is handling tens and hundreds of times one's personal wealth.

Biting the hand that feeds IT © 1998–2019