* Posts by Alex Brett

114 posts • joined 11 May 2007


Junior dev decides to clear space for brewing boss, doesn't know what 'LDF' is, sooo...

Alex Brett

Re: I was also clueless at the time

That may give you a false sense of security, as if the software has an open file handle to it, you may be able to rename it without affecting the software using it (until the software restarts or tries to (re)open the file)...

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Alex Brett

> An infosec expert with experience in the aviation industry told El Reg: "You don't outsource something that is working well."

Has your expert ever met a beancounter, as that's precisely the sort of thing they do...

Thunderstruck: Azure Back in Black(out) after High Voltage causes Flick of the Switch

Alex Brett

Re: Texas - Europe ?

While business names and addresses are not PII, if you e.g. have your employees' names and contact numbers, that very much *is* PII...

DVLA denies driving licence processing site is a security 'car crash'

Alex Brett

Re: Certificate chain

Most likely because Firefox maintains its own set of trusted certificates, whereas IE and Chrome (for example) use the operating systems. It's quite likely the operating system has (or has at least cached) the intermediate certificates needed to complete the chain...

See that over Heathrow? It's not an airliner – it's a Predator drone

Alex Brett

Re: Echo might be "controlled"

Same problem in class D - while ATC must provide traffic information on VFR flights, they are not required to separate VFR flights from each other, or IFR flights from VFR flights, thus your IFR drone still has to somehow avoid VFR traffic...

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Alex Brett

Re: Not the best of articles.

Yes - while /you/ as the site admin might not be running a site on port 80, the person who attacks the end user can, and their browser will happily connect to it, whereas with HSTS the browser will always go to the HTTPS site and thus as well as MITMing the connection, you have to somehow get the browser to trust the certificate you present as well...
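The comment above turns on what the browser does with a Strict-Transport-Security header, so here is an added example (not from the article or the commenter) that parses such a header and reports the weaknesses a reviewer would look for. The sample header values are constructed, and the one-year minimum `max-age` is an assumption chosen for the example, not a figure from the page.

```python
"""Parse and evaluate a Strict-Transport-Security (HSTS) header.

Added example: shows what an HSTS policy must contain for a browser
to refuse the plain-HTTP path described in the comment above.  The
sample headers below are constructed for this example.
"""
import re

# Minimum policy lifetime this example insists on (one year, in seconds).
# This threshold is an assumption for the example, not a value from the page.
RECOMMENDED_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Return the directives of an HSTS header as a dict.

    Returns None if the header is malformed (missing or non-numeric
    max-age).  Directive names are case-insensitive (RFC 6797), and the
    max-age value may be quoted.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def hsts_findings(header, min_max_age=RECOMMENDED_MIN_MAX_AGE):
    """Return a list of weaknesses found in the policy (empty list = OK)."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["malformed or missing max-age; browsers ignore the header"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0 removes the policy rather than enforcing it")
    elif parsed["max_age"] < min_max_age:
        findings.append(f"max-age {parsed['max_age']} is below {min_max_age}")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains absent; subdomains still reachable over HTTP")
    return findings


# Constructed sample headers for a quick run.
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "broken": "includeSubDomains",
}

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(label, hsts_findings(hdr) or "OK")
```

The point the check makes concrete: without a valid `max-age` the browser ignores the header entirely, and without `includeSubDomains` a plain-HTTP host under the same domain remains a target for the port-80 interception the comment describes.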

Smart meters: 'Dog's breakfast' that'll only save you 'a tenner' – report

Alex Brett

Re: I want a smart water meter

The water company replaced my original electronic meter (that was wired up to a disc on the outside of the house for them to read it with) as it failed (display went entirely blank etc) - the replacement is a 'smart meter' in the sense that it sends readings to them via GSM or similar, but it has a really annoying loud 'clicking' sound every time significant water runs through it that reverberates through the pipework.

When I first raised this they sent someone out to swap it, but (and to be fair to the guy he warned me beforehand it probably wouldn't solve it but he'd been told to do it so had to) it appears to be part of the design.

Considering getting them to move it outside now in the hope the extra distance reduces the reverberation because at the moment it means I can't e.g. run the washing machine overnight as the noise is too annoying...

Alex Brett

Saving on meter readers?

I suppose there's an argument that not having to send people out to get meter readings (because they're coming in via GSM or whatever) should be a cost saving for the energy companies, though the chances of them passing that saving on to their customers rather than their shareholders seems slim...

Tory-commissioned call centres 'might have bent data protection laws'

Alex Brett

Re: ICO involvement?

Wrong - it's not illegal to campaign on election day in the UK.

There are some restrictions around what can be done near polling stations (i.e. you can't intimidate voters etc), and there are lots of restrictions on what the media can do/say on election day, but nothing to stop a candidate or their campaign doing anything, including making phone calls.

Indeed most candidates will have their teams out knocking up expected voters (either in person or by phone) to ensure they go out and vote etc...

Google caps punch-yourself-in-the-face malicious charger hack

Alex Brett

Don't trust random ports

If I ever use a random USB port to charge my phone I'll use something like http://plugable.com/products/usb-mc1/ (~6 quid from Amazon) in line to ensure I'm only getting power and no data connection is possible...

Boy, 12, gets €100k bill from Google after confusing Adwords with Adsense

Alex Brett

Not true in the UK at least - Direct Debits can be set up entirely online, with no signature required...

BT customers hit by broadband outage ... again

Alex Brett

Re: something doesn't make sense

There are two issues here - firstly there are very few facilities in the Docklands kitted out to a 2n (i.e. having two sets of everything) spec, most are just n+1 (so e.g. if you need 2 UPS units to cover the load, you'll have 3 so can handle one failing). Now n+1 is fine, until a problem either downstream of your redundancy (e.g. a circuit breaker) fails, or something fails in a way your redundancy doesn't expect (e.g. your failed UPS shorting the common bus). With 2n you are in general able to avoid this, as each rack has two supplies fed independently from the grid onwards (the really good ones even have separate substations), but it costs more, and most of the older facilities where the majority of carriers you want to connect to are present don't have the space etc to actually become 2n.

The second issue is that all the redundancy in the world doesn't help in some situations - e.g. if you have a fire that somehow your extinguishing system can't manage to deal with, the first thing the fire brigade are going to say when they turn up on site is "OK, turn the power off". To a lesser extent you've also got the issue that a faulty bit of kit could trip both supplies, though good design of the breakers and distribution should be able to limit that e.g. to a single rack being affected.

Hacks rebel after bosses secretly install motion sensors under desks

Alex Brett

Excuse perhaps a little poorly thought through?

From what I can see on the OccupEye spec page, the devices only have a PIR, there is no temperature sensor built in.

If that's the case (and it's not just missing from the page), then there was no way these were monitoring the building temperature, the 'best' they could say was they were monitoring how many desks were being used e.g. in advance of a move to hotdesking...

Did North Korea really just detonate a hydrogen bomb? Probably not

Alex Brett

Re: Of course there is the possibility...

AIUI the difficult bit about a thermonuclear device is getting the secondary to go off properly rather than just being a fission explosion, not the basic principle of the thing which is well understood (there's even a diagram on Wikipedia!), so even if it was intended as an H bomb if it didn't perform as such that doesn't necessarily mean they're any closer to one than before...

I survived a head-on crash with driverless cars – and dummies

Alex Brett

In some cars the pedal on the passenger side is not quite imaginary: http://www.bbc.co.uk/news/business-13566999 ;)

The last post: Building your own mail server, part 2

Alex Brett

Smarthost likely required

A lot of large ISPs block any inbound mail from subnets that are believed to be 'end user' IP addresses and thus not expected to be delivering mail - see https://www.spamhaus.org/pbl/ for an example - as such if you do host a mailserver yourself you would be well advised to use e.g. your ISP's mail server (if it will accept mail for non hosted domains) as a smarthost for outbound mail otherwise you'll find quite a few destinations rejecting it.

Also re: dynamic IPs - there is a big risk in using a DDNS service that if your connection goes down, you won't update the DDNS name until it comes back, at which point you might find people delivering mail to someone entirely different who happens to have got your old IP - while in most cases that person won't be running a mailserver, if they are then they can either steal your mail, or if they reject it as an invalid recipient the other end will bounce it back to the sender, which I suspect is not what you want...

SpaceX Dragon crew capsule in 'CHUTE ABORT drama – don't panic, no one died

Alex Brett

If you read 'Riding Rockets' by the astronaut Mike Mullane (an excellent read by the way), he said some astronauts thought if they used the seats in flight they'd probably just end up going through the SRB exhaust, i.e. they were only any good before launch...

BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Alex Brett

This is almost certainly someone's attempt to workaround some of the NAT issues you can experience with SIP - I suspect they've set it up so that when an outbound SIP connection is made outbound, *all* connections to port 5060 are NAT'd back to the host that made the connection so if a reply comes from a different address (which is allowed in the SIP standard) it still gets through, probably combined with an ALG that is translating internal IPs in the SIP message into the external one. Normally you'd expect your NAT device to just accept packets from IPs you'd connected out to (the service provider in this case).

If it's a phone connecting out that's not a big problem, as most phones these days can be (and should be) configured to ignore traffic that's not from the configured server / proxy, and even in the worst case all that happens is they ring - they're not going to end up placing an outbound call.

I can understand smaller installers not thinking to put brute force protection on a PBX that they are not intending to expose to the internet - unless you've seen issues like this and had to deal with the craziness of ALGs etc you wouldn't expect it.

Frustratingly all these sorts of things (ALGs in particular) actually normally make VoIP less likely to work - any competent ITSP will have a Session Border Controller (SBC), or something carrying out the same functions, at their end, which will just handle the NAT issues (i.e. all signalling will come back from the same IP and where necessary they will proxy the audio etc). However, with an ALG, 9 times out of 10 (at least in my experience) it has 'modified' the SIP messages in such a crazy way that the SBC can't work out what to do, and so you get one way audio or calls cutting off after a short time etc...

Lloyds supplier payments TITSUP: What, you want money from a bank?

Alex Brett

The law says you have 6 years to claim, so you can put the claim for interest / charges through *after* they've actually paid the original invoice...

Alex Brett

I hope all these suppliers will be charging statutory late payment fees - while the fixed charge (£40 - £100 depending on value of invoice) is nothing to Lloyds, the interest at 8.5% for ~£30m of invoices being paid say 2 months late is £419k...

Hackney council leaked thousands of locals' data in FoI blunder

Alex Brett

I wonder what the complexity of this was, I'm guessing it was something to do with Excel's versions functionality, so the question is whether it was exposed as a previous version that just using the UI could get you to, or if you had to do some digging in the raw file to get at it (e.g. as it was data left in space that Excel had marked as reusable but not yet done so).

If the latter then I have some sympathy as you wouldn't expect it to be there, if the former then that's just not understanding the tools, and only one step up from redacting something by setting the background colour to black rather than actually removing it ;)

Git thee behind me, Git crit security bug!

Alex Brett

Re: Have to agree

GitHub releases some software, but as far as I am aware that bundles the official git client in, and is basically just wrapping it.

There's a pretty good summary on the github blog at https://github.com/blog/1938-git-client-vulnerability-announced - but to answer your question yes it is a flaw in the official git client, that applies when run on a system with a case insensitive filesystem (e.g. NTFS)...

Alex Brett

Why the focus on GitHub?

This article is quite poorly worded - if you only use GitHub you're safe as they've put protection in at the server side (though obviously upgrading anyway would still be recommended), the issue is if you use git (which while it is the client software you use with GitHub, it is not 'their' client software - GitHub came around about 2-3 years later as a collection of repositories with a nice web UI etc) on other untrusted repositories on case insensitive systems where your .git directory can get overwritten...
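Both comments above describe the same defect class: on a case-insensitive filesystem a tree entry can alias the `.git` directory. The following is an added example, not git's own code and not from the blog post linked above; it approximates the kind of path check a hardened client applies before writing files from an untrusted repository. The normalisation rules (case folding, NTFS trailing dots and spaces, the `git~1` 8.3 short name, and dropping Unicode format characters as HFS+ does) are the example's own simplification, and the sample tree entries are constructed.

```python
"""Flag repository paths that could alias the .git directory.

Added example, not part of git itself: an approximation of the path
checks a hardened client applies before checking out files from an
untrusted repository onto a case-insensitive filesystem.  The sample
tree entries below are constructed.
"""
import unicodedata


def _normalise_component(component):
    """Reduce a path component to the form a case-insensitive filesystem
    would actually compare against.  NTFS ignores trailing dots and
    spaces; HFS+ ignores certain Unicode format characters (category Cf,
    approximated here); both ignore case.
    """
    stripped = "".join(
        ch for ch in component if unicodedata.category(ch) != "Cf"
    )
    stripped = stripped.rstrip(". ")
    return stripped.lower()


def is_unsafe_git_path(path):
    """True if any component of `path` could resolve to the .git directory."""
    for component in path.replace("\\", "/").split("/"):
        norm = _normalise_component(component)
        # "git~1" is the NTFS 8.3 short name that ".git" typically gets.
        if norm in (".git", "git~1"):
            return True
    return False


def scan_tree(paths):
    """Return the subset of tree paths that must not be checked out."""
    return [p for p in paths if is_unsafe_git_path(p)]


# Constructed tree entries: a benign set plus four aliases of .git.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".GIT/hooks/post-checkout",      # case-folds to .git
    "docs/.git./config",             # NTFS drops the trailing dot
    "GIT~1/hooks/pre-commit",        # 8.3 short name
    ".g\u200cit/config",             # zero-width non-joiner inside the name
    "gitlab/ci.yml",                 # benign: not an alias
]

if __name__ == "__main__":
    for p in scan_tree(SAMPLE_TREE):
        print("refusing to write:", p)
```

Run against `SAMPLE_TREE` it lists the four aliasing entries and leaves `README.md`, `src/main.c` and `gitlab/ci.yml` alone; the same check applied server-side is the kind of protection the comment says GitHub added for repositories it hosts.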

Can't stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain

Alex Brett

The biggest problem I've found with the standards, is if the business doesn't fit into one of their standard categories stating which sections you can ignore, you have to go through the whole thing, which then entails you writing ream after ream of policy documents, which nobody is ever going to read / comply with in reality.

(See http://www.alexbrett.net/blog/2013/05/open-letter-to-the-pci-ssc/ for more rants about PCI:DSS in general...)

REVEALED: Titsup flight plan mainframe borks UK air traffic control

Alex Brett

The difficulty is you need to know what other aircraft are expected in order to properly plan deconfliction - e.g. the radar for a particular sector might have 3 aircraft all nicely separated vertically / horizontally with no problems, but because you couldn't track what was coming, you suddenly find you have 10 more arrive at once all on course to meet at the same point in the sky - there's a limit to how quickly you can get them all onto different headings / altitudes. If you knew in advance then you can get them sorted in other sectors prior to being handed over.

There's also the problem that if you have to start asking each aircraft where it's going, that's a lot of time on the already busy radio taken up with the back and forth...

BT Infinity ‘working to fix problem’ after three days of outages

Alex Brett

Re: Could be GCHQ that is playing up. Also, it's in Northern Ireland too

The only address the modem has is its management one, the primary connection it provides is via a PPP connection between the customer's router and the ISP's LNS where it is just passing packets.

I see no evidence found by anybody that any traffic was forwarded through the management address, and ultimately it would make absolutely no sense to do it that way when you could do it far easier at either the DSLAM or core network level entirely transparently to the end user and any equipment they might have!

Alex Brett

Re: Could be GCHQ that is playing up. Also, it's in Northern Ireland too

The claims that there were backdoors in the modem for DoD/NSA/GCHQ were thoroughly debunked - see http://www.revk.uk/2013/12/paraniod-ravings.html or http://www.ispreview.co.uk/index.php/2013/12/confusion-alleged-gchq-nsa-backdoor-bt-fttc-modems.html for details...

BYOD: don't let the dream turn into a nightmare

Alex Brett

Surely NAS is the answer?

No I don't mean storage, but a Network Access Server, which is where the 'network' (normally the switch in consultation with a backend service) decides whether to grant you access (normally put you on the right vlan) if you comply with the business requirements around AV etc...

Having said that, in a lot of cases people's personal machines may be more secure than company laptops which have nothing more than default Windows firewall to protect them when off the network, and the user having no permissions to do anything more stringent...

NeoPost: This is how you DON'T do PIN security

Alex Brett

I'm not sure how the pricing compares (if it's more I don't see any reason for it since presumably the mail is handled in the same way within RM), but there's always Smart Stamp - couple it either with a decent label printer or a printer that can feed envelopes (not sure if such a thing exists?), and that's probably a lot simpler than most franking machines...

eBay slammed for daft post-hack password swap advice

Alex Brett

Shouldn't there be the obligatory reference to http://xkcd.com/936/ somewhere in this article?

Nominet bins Optical Express' appeal against 'It ruined my life' website

Alex Brett

It appears now; however, that is likely to be due to a number of news sites linking to it, which wouldn't otherwise have happened and thus not brought its page rank etc up so high...

AT&T and Netflix get into very public spat over net neutrality

Alex Brett

Re: There are plenty .......

Just don't follow the model used by Ofcom in the UK, whereby they accepted BT's proposal to split themselves into three parts (BT retail, BT wholesale, and BT Openreach, with the latter being the 'local loop' part), leading to a sort of corporate schizophrenia and now basically ends up with the different parts blaming each other when something goes wrong, and bouncing the fault backwards and forwards and not actually fixing it (and trying to charge the customer for the privilege with SFI2)...

Satisfy my scroll: El Reg gets claws on Windows 8.1 spring update

Alex Brett

Re: As if this will make people happy!

'WIMP GUIs have always been designed to provide neophytes a way to discover functionality for themselves and learn the keyboard shortcuts as they do so.' - can you explain then why with the Ribbon in Office MS have been actively discouraging the use of keyboard shortcuts?

Chinese Bitcoin exchange disappears, along with £2.5m

Alex Brett

Re: Backups ?

There's a small pub chain that will let you buy beer *directly* with bitcoins: http://www.individualpubs.co.uk/bitcoin.html

IT Pro confession: How I helped in the BIGGEST DDoS OF ALL TIME

Alex Brett

As I understand it this wasn't actually a DNS amplification attack as you described in the article, instead they were sending DNS requests with the source address spoofed to be the target, causing the DNS servers to send their responses directly to the target. As the request is quite small it isn't too difficult to send lots of them, and by targeting the request appropriately you can get the response to be quite large, thus causing the DDOS.

This also means that often simply turning recursion off in BIND is not sufficient, as in the default configuration it will likely (depending on which version of BIND) still return the list of root servers as a referral instead of simply refusing the query. The list of root servers is quite a large response on its own, and thus can be used in this attack.

The magic line you need to add is "additional-from-cache no;" - this will stop that behaviour.
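As an added example (not from the article or the comment), here is detection logic a resolver operator could run over BIND query logs to spot the query pattern the comment describes: many small queries for the root zone or for bulky record types, arriving from a single address. The log lines are constructed in the shape of a BIND 9 query log, and the list of high-amplification record types and the count threshold are assumptions for illustration.

```python
"""Spot reflection-style query patterns in BIND query logs.

Added example, not from the article or the comment above.  The log
lines are constructed in the shape of BIND 9's query log; the set of
bulky record types and the threshold are assumptions for illustration.
"""
import re
from collections import Counter

# client [@0x...] <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> (<local ip>)
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname_echo>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Record types whose answers tend to be far larger than the request.
# Assumed list for the example.
HIGH_AMPLIFICATION_TYPES = {"ANY", "DNSKEY", "NS", "TXT"}


def parse_query_line(line):
    """Return the fields of one query-log line as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_amplifier_shape(query):
    """A query for the root zone (whose referral is large on its own) or
    for a bulky record type."""
    return query["qname"] == "." or query["qtype"] in HIGH_AMPLIFICATION_TYPES


def suspect_sources(lines, threshold=3):
    """Return {source_ip: count} for addresses whose amplifier-shaped
    query count meets the threshold.

    With spoofed requests the logged 'source' is the victim, so the
    right response is rate limiting or refusing the query shape, not
    blocking that address.
    """
    counts = Counter()
    for line in lines:
        q = parse_query_line(line)
        if q and is_amplifier_shape(q):
            counts[q["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed log sample: normal lookups plus a burst of root/ANY queries.
SAMPLE_LOG = """\
client 198.51.100.7#53530 (example.net): query: example.net IN A +E (203.0.113.1)
client 192.0.2.200#4444 (.): query: . IN NS +E (203.0.113.1)
client 192.0.2.200#4444 (.): query: . IN NS +E (203.0.113.1)
client 192.0.2.200#4445 (isc.org): query: isc.org IN ANY +E (203.0.113.1)
client 192.0.2.200#4446 (.): query: . IN ANY +E (203.0.113.1)
client 198.51.100.9#40000 (example.net): query: www.example.net IN AAAA -E (203.0.113.1)
"""

if __name__ == "__main__":
    print(suspect_sources(SAMPLE_LOG.splitlines()))
```

On the sample it reports only `192.0.2.200`, which in a spoofed attack would be the victim rather than the attacker; the fix on the server side remains the configuration change the comment gives (disable recursion for outsiders and stop serving the cached root referral), with the log check serving to confirm the change has taken effect.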

Brit firm PinPlus flogs another password 'n' PIN killer

Alex Brett

Possible attack?

They seem to be claiming that from the grid and the entered code you can't work out the pattern - this is true if the grid is a suitably randomised set of numbers with numbers occurring multiple times in different places etc, however surely all a MITM attacker needs to do to get the pattern, is display a grid with numbers set up such that you can identify which ones were selected (with 10 digits and the grid the size they suggest you'd need to do this 2-3 times, but that's probably not a big deal), and then you have the pattern...

Space Shuttle Columbia disaster remembered 10 years on

Alex Brett

Re: Killed by numeric overflow?

I think what he was referring to was the way the same overpressure wave which damaged the TPS also caused a body flap to be deflected beyond the point where damage would have been expected...

Alex Brett

As I understand it they were wearing pressure suits, so they would presumably have survived the decompression of the cabin at least for a short period?

RIPE NCC handing out last European IPv4 addresses

Alex Brett

Sadly the ISPs are looking at CGN

Unfortunately the ISPs see the answer as Carrier Grade NAT (CGN) - while for a fairly large proportion of their customers this will likely work (most *commonly used* protocols don't require you to have a public IP, the only notable exception that comes to mind is BitTorrent, but I'm sure ISPs won't mind causing their users problems there!), the big thing they're missing is that it won't be long before we start having services that are IPv6 only (as the providers can't get any IPv4 addressing for them), at which point CGN doesn't help...


Alex Brett

Re: Speaking of Armstrong

While I'm not denying the Apollo astronauts were very brave to take on such a lot of risk etc, it is worth mentioning that the LLTV was always going to be much more unstable than the real lunar lander, as it was operating in an environment with 6 times the force of gravity than the LEM was going to operate in, so having to bail out of it was unlikely to add any significant worry over the real thing...

Vixie warns: DNS Changer ‘blackouts’ inevitable

Alex Brett

Do it gradually?

Surely the solution here for any competent ISP is to gradually block subsets of customers from accessing these DNS servers in stages, and handle the support calls over time rather than waiting for them all to get blocked in one go and have a deluge of phone calls to deal with...

BT blows fibre into 'multiple biz units' for first time

Alex Brett

How does this differ from their other fibre products?

How does FTTP differ from any other BT product involving fibre installed to the premises (such as WES/BES), other than it's presumably a bit cheaper?

Xbox 360 video cable boasts NOISE VIRUS protection

Alex Brett

Snake oil

They're not a patch on Russ Andrews - they've had several ASA judgements against them (e.g. http://www.theregister.co.uk/2011/01/13/russ_accessories/), with no sign of stopping (just tweaking the wording of their claims so they can't be proved wrong)...

Pub landlady's footie sat-TV battle moves law's goal posts

Alex Brett

It's like with DVDs...

The thing is I suspect a lot of people don't want the logos / anthems / graphics etc anyway - it's like with a DVD / Blu-ray how when you put it in you have to watch (as they make them unskippable) a load of anti-copyright messages (and in some cases trailers), followed by a useless menu all to actually start playing the film. This is vs a pirated film where, as they tend to only pull the movie, you stick it in and it plays - why does the pirate get a better user experience than someone who has paid for the film?

I was pleasantly surprised by the Blu-ray of Die Hard 4, as although from memory it did have the copyright notices, after that it actually did just start the movie, with the menus etc all available as overlays. I wish more films were like that...

Duff Russian Mars probe spotted flying in reverse

Alex Brett

Is it not possible that due to lack of thrusters etc to maintain an orbital rate rotation such that it was facing the same direction from Earth's PoV it's just gone into a mostly inertial attitude (i.e. 50% of the orbit it will appear to be facing the 'correct' way, 50% of the orbit it won't)?

Verizon retreats on ‘convenience fee’ for online bill payment

Alex Brett

While I agree they're annoying there is at least a reason for them - with a 'booking fee' the entirety of it goes straight to the venue, whereas if they just increased the ticket price the increase would normally be split with the film (or the producing company in the case of theatre), so to make the same amount they would have to increase the ticket price significantly more (hence it's actually better for you in the long run)...

US Senator demands answers from Carrier IQ

Alex Brett

We don't know it's actually *logging* anything

All the video shows is that it is receiving events when keypresses are made etc - there's no evidence from the video that it is actually logging and/or transmitting any of these on. It might simply be that in order to get the events it reasonably needs for diagnosing issues it has to get *everything* and then ignore the things it doesn't.

On the other hand, it could of course be logging all of this which would be bad, but compare it to for example an AV application on a PC, which does intercept a lot of things to check for viruses, but is not syphoning off any of that data etc...

Telcos snub UK.gov broadband cash pot

Alex Brett


One of the biggest issues with laying any sort of fibre network is the fact that fibre optic cables in the ground are subject to (believe it or not) business rates, though on a very strange scale (it gets significantly cheaper per fibre the more you have, such that it presents a big barrier to entry for new players who will only have a few).

Combined with the fact that because BT apparently don't know how much fibre they have, they have a deal worked out with the valuations office, that (from 2010 figures) means their bill comes to £255m, but if worked out (very approximately) on the distance rules everybody else pays should be over £1bn...

Adventures in Tech: Taking the plunge into IPv6

Alex Brett

OK taking each point in turn:

- Privacy extensions (on by default in Windows and some other OSs) negate this as the machine rotates IPv6 addresses regularly

- The *prefix* is tied to the ISP yes, but by using router advertisement should the prefix change the only change needed is on the router and then everything else should just work (note that in most cases the router will handle it automatically)

- OK I'll give you this one, writing IPs is much harder, however needing to use IPs is becoming much rarer now

- In a consumer / SME environment you would expect IPv6 devices to ship with a ruleset that is secure by default, and require some sort of 'advanced' mode to remove the 'block inbound unless related to outbound' rule that makes it do the equivalent of a typical IPv4 NAT device

Cops find hackers' phone in NOTW office

Alex Brett

Might not be a mobile

If the hacking was as has been widely reported by setting the caller ID to be the mobile you wanted to hack and dialling the voicemail access number, then I doubt this is a mobile, but most likely a phone on its own ISDN or similar set up to allow it to specify caller ID...


Biting the hand that feeds IT © 1998–2018