* Posts by Robert Carnegie

2776 posts • joined 30 Sep 2009

Faxploit: Retro hacking of fax machines can spread malware

Robert Carnegie
Silver badge

Sure, here's how I did it yesterday (not really).

As bad guys know already: there are historic bugs in widely used versions of a JPEG image data handling library. JPEG is basically Zip file for pictures. Fax machines can handle JPEG data, and due to either a new bug or an unpatched old one, you can send binary data and code in the format of JPEG - maliciously malformed data - to a fax machine, and it will hit the bug and START EXECUTING THE PROGRAM CODE IN YOUR JPEG STREAM INSIDE THE FAX MACHINE. Well... there is some more work to do to get there from "buffer overflow" or "chair stacking", but it's not -difficult- work.

And since the fax machine these days is networked, once it's pwned, you have an enemy inside your camp - or your network.

So, no, please don't publish details, such as a QR code of the data file needed to hack any fax machine.

0
0
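Added illustration, not code from the post above or from any fax firmware: the bug class the post describes is a decoder that trusts a length field inside the image. A JPEG header is a run of marker segments, each starting `0xFF <marker>` followed by a big-endian 16-bit length that counts its own two bytes; a decoder that copies `length` bytes without checking that they exist reads or writes past its buffer. The walker below validates every declared length before advancing and stops at the start-of-scan marker. The byte strings at the bottom are constructed for this example and are not real image files.

```python
import struct

# Markers with no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


class MalformedJpeg(ValueError):
    """Raised for any header a trusting decoder would misread or overrun."""


def parse_segments(data: bytes):
    """Walk the marker segments of a JPEG header up to the first SOS.

    Every segment except the standalone markers is 0xFF <marker> followed by a
    big-endian 16-bit length that counts the two length bytes themselves.
    A decoder that does memcpy(buf, p, length) on trust is the bug class the
    post describes; this walker checks each length against the bytes actually
    present before advancing. Returns [(marker, payload_len), ...].
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise MalformedJpeg("missing SOI marker")
    segments = [(SOI, 0)]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected 0xFF marker prefix at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise MalformedJpeg("file ends inside a marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, 0))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise MalformedJpeg(f"marker 0x{marker:02X} has no length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # Would make the payload length negative: classic integer-underflow bait.
            raise MalformedJpeg(f"marker 0x{marker:02X} declares impossible length {length}")
        if pos + length > len(data):
            raise MalformedJpeg(
                f"marker 0x{marker:02X} declares {length} bytes, only {len(data) - pos} remain")
        segments.append((marker, length - 2))
        pos += length
        if marker == SOS:
            break   # entropy-coded scan data follows, not more marker segments
    return segments


def is_well_formed(data: bytes) -> bool:
    try:
        parse_segments(data)
        return True
    except MalformedJpeg:
        return False


# Constructed sample inputs for this example, not real image files.
APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14-byte JFIF payload
SOS_PAYLOAD = b"\x01\x01\x00\x00\x3f\x00"                   # one-component scan header


def segment(marker: int, payload: bytes) -> bytes:
    """Build a correctly sized marker segment."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


GOOD = b"\xff\xd8" + segment(0xE0, APP0) + b"\xff\xd9"
SCAN = b"\xff\xd8" + segment(0xE0, APP0) + segment(SOS, SOS_PAYLOAD) + b"\x12\x34\x56" + b"\xff\xd9"
# Same header as GOOD, but APP0 claims 65535 bytes it does not have.
BAD = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 0xFFFF) + APP0 + b"\xff\xd9"

if __name__ == "__main__":
    print(parse_segments(GOOD))
    print(parse_segments(SCAN))
    print(is_well_formed(BAD))
```

The check that matters is `pos + length > len(data)`; a decoder in C that omits it and copies `length` bytes into a fixed buffer is exactly the kind of flaw a malformed fax payload would aim at. The `length < 2` test is the second half of the same defence, since `length - 2` on an unsigned type wraps to a huge value.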

Dropbox plans to drop encrypted Linux filesystems in November

Robert Carnegie
Silver badge

Re: Filesystem choice

Dropbox is to back up your files automatically to the cloud, yes? That sort of is about disk management, then.

0
9

It's official: TLS 1.3 approved as standard while spies weep

Robert Carnegie
Silver badge

Re: no-brainer for sysadmins

Tell management that all the kit will stop working at the end of 2018. In terms of working securely, that's not so far wrong. Y2K18 Bug: This Time It's Spurious. You could probably even persuade them that "spurious" means "very, very bad." Serious and worse. So when they ask the consultants, "Our guy says this threat is spurious, do you agree?" "Oh yes, it's the most spurious that I've ever seen."

I suppose this is a Man In The Budget Freeze Attack:

9
1

Prank 'Give me a raise!' email nearly lands sysadmin with dismissal

Robert Carnegie
Silver badge

https://www.theregister.co.uk/Tag/on-call

And it turns out:

https://www.theregister.co.uk/Tag/who-me

But no longer

https://www.theregister.co.uk/Tag/line-break

which I guess was kind of tech-ie for readers.

2
0

Top tip? Sprinkle bugs into your code to throw off robo-vuln scanners

Robert Carnegie
Silver badge

Re: was it the red wire or the blue one to disarm the bomb?

Perhaps the detonator has a tamper switch. Start to pull out the detonator and boom.

On the other hand, there's an argument that terrorists' home-made bombs are built with an off-switch for safety, as they are liable to be precarious otherwise. But once you place the bomb, you may remove the off-switch. Then, you know, run.

The off-switch appeared in a TV programme I watched recently; I won't say which as it may spoil the surprise i.e. not wiping out the cast of the show. (That is, the characters, but with some special effects, who knows.)

1
0
Robert Carnegie
Silver badge

Also

How do you distinguish your chaff bugs, which don't need to be removed from the program, from actual bugs, which ought to be removed? If you can't tell them apart, then haven't you given yourself the same problem?

14
1

Devon County Council techies: WE KNOW IT WASN'T YOU!

Robert Carnegie
Silver badge

Re: dispatch or despatch

I'd write "send". With despatch, or with dispatch if I feel like it.

Since the 1960s and mostly in Scotland.

3
0
Robert Carnegie
Silver badge

Re: Thanks, Labour

Wikipedia has incomplete records for recent Devon County Council elections, but they appear to have been Liberal Democrat after 1997 and before 2009, since when they've been Conservative. And UK.gov put the screws on state school term-time holidays in 2013 (and I'm disinclined to disapprove). So, "thanks, Labour" not so much. Good news is that there won't be any state schools left soon, and, leaving your daughter in the pub after a good lunch - presumably still fine, and by "fine" I don't mean money taken off you. Unlike Devon Conty Cuncil.

34
9

Revealed: El Reg blew lid off Meltdown CPU bug before Intel told US govt – and how bitter tech rivals teamed up

Robert Carnegie
Silver badge

Re: replace their processors??

Well, if the flaw is firmly baked into the hardware, the speculative execution microprocessor, then the only way to remove the flaw is to remove the processor and replace it - or replace the machine that contains the processor. This obviously is inconvenient but it would be the only way to stop the flaw properly. Or run a really, really good anti-virus - but that's not a 100% answer.

It's like if your equipment will all stop working at the end of, oh, the year 2000 - in that case, you simply have to plan to scrap it then, or, before then. And sue the supplier, of course.

The alternative was a lot of work.

2
0

Time to party like it's 2005! Palm is coming BAAAA-ACK

Robert Carnegie
Silver badge

Re: Awesome! I love Palm!

PalmOS emulation is in existence. But I don't know if it will be included in these devices.

1
0

Funnily enough, no, infosec bods aren't mad keen on W. Virginia's vote-by-phone-app plan

Robert Carnegie
Silver badge

Re: Old fashioned

If I go to your UK voting centre first I can just say that I'm you. And more people don't vote than do, so they might never know. Maybe we should improve the system, although the main motivation for doing so presumably is to stop political left-leaning people from voting.

3
11

Oi, clickbait cop bot, jam this in your neural net: Hot new AI threatens to DESTROY web journos

Robert Carnegie
Silver badge

Re: what exactly is a clickbait headline? It's a tough question

I count Register puns - not to mention the rhyming headlines - as a reason not to read. If your story doesn't hold your own attention......

0
3

Password strength meters promote piss-poor paswords

Robert Carnegie
Silver badge

Re: Passphrase.Life gets it right!

Since Passphrase.Life snidely rejects connection by Internet Explorer, feel free to tell me how it rates my recently discarded random-ish password: Mtlhrw13

(Mnemonic: "Metal harrow")

I have been sceptical of https://www.my1login.com/resources/password-strength-test/ which says,

"Time to crack your password: 443 years

Review: Fantastic, using that password makes you as secure as Fort Knox."

- but also says "Make your passwords at least 15 characters long": why? 443 years to crack that one, and it expires after about one month.

So... maybe the assumption about how good cracking hardware will be 442 years from now is not up-to-date.

0
0
Robert Carnegie
Silver badge

Re: @AC

Leave out vowels and you may not hit a block on using real words in a password. However, my method is a handful of random letters... that aren't vowels; when I make a password up, I expect it to be accepted.

Counter example as I've mentioned before: Fiqbly54 apparently contains a real word (I presume "Fiq", either a sort of fig or a mistyped one) and a personal name ("Bly" I suppose exists), so a strict password rejecter may reject it.

I presume you wrote or have seen the spoof password policy which allows at most one actual password to be used, so we will take that as read.

0
0

'Can you just pop in to the office and hit the power button?' 'Not really... the G8 is on'

Robert Carnegie
Silver badge

Re: Geiger router

If the router gets reset when there's no traffic... is that going to be happening all night at 5-minute intervals? Or do the servers chatter amongst themselves all night (the ages hang heavy on their dusty data banks)... Or do you breed a router that generates its own "keep alive" packets?

5
0
Robert Carnegie
Silver badge

Re: That sinking feeling

"Ely. the first, tiniest inkling that something, somewhere has gone terribly wrong." From "The Meaning of Liff" by Douglas Adams and John Lloyd, a fictitious compendium of dictionary meanings of place names, especially British places. "Ahenny. The way people stand when examining other people's bookshelves."

17
0

Sysadmin trained his offshore replacements, sat back, watched ex-employer's world burn

Robert Carnegie
Silver badge

Re: IP is all you have why give it away?

I worry about the amount of stuff in my corner of the network that only I know about. If something happened to me... But no one else is interested, management or colleagues. And it would be their problem, not mine, if I'm not there for whichever reason. By the way, this also applies to me "wasting" time writing proper documentation: they don't like that either. This paragraph doesn't count......

0
0
Robert Carnegie
Silver badge

Re: Timing is everything

I think muscle power goes by two-dimensional cross-section, but I may have to look into that. On the other hand, some superheroes who can shrink to 3 inches or smaller don't lose any of their mass. Presumably they don't lose any strength either. But technically this isn't science... C. B. Fry was supposed to be able to jump onto an ordinary mantelpiece; so can a cat. Not every person can do it; not every cat can...

9
0

Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers

Robert Carnegie
Silver badge

Re: Security?

Jamaica? (I know, sorry)

5
0
Robert Carnegie
Silver badge

After all, they didn't send your login and password across the internet to an unidentified stranger, in plaintext... did they? Wait, that's a point. Did they? Do they still? (see "Iran", "BGP", this week.)

3
0

Grad sends warning to manager: Be nice to our kit and it'll be nice to you

Robert Carnegie
Silver badge
Coat

Re: Rebecca++

I'm not saying these are better stories or better told, but if they are, I suspect that The Register's large male readership is excited there's a lady in charge and getting out their old favourites to impress her. Maybe with a bit of a polish beforehand.

13
0
Robert Carnegie
Silver badge

Re: Elphin safety

"Good Omens" (1990) apparently was out before "The Nick Revell Show" (1992), but Nick Revell's complicated relationship with houseplants may have appeared earlier. Threats against inanimate objects arguably include Zaphod Beeblebrox threatening to do some computer reprogramming with an axe (the computer's feelings were very hurt), and an anecdote from some touring entertainer long, long ago concerned a troublesome lavatory cistern whose owner explained to her theatrical paying guest, "You have to surprise it, Mr. ____" - which I suppose means a sudden sharp pull.

https://www.bbc.co.uk/programmes/p03p77t9 seems to include Miriam Margolyes re-telling this as happening to Lionel Blair.

5
0

'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist

Robert Carnegie
Silver badge

Re: No need to hack anything?

Stealing the device physically and demanding a ransom isn't hacking. A device with substantial hacking resistance still can be worthwhile to have.

On the other hand, if this was just a cellphone and someone stole it, it would typically be findable remotely.

iPhone has that feature; I understand it also is fussy about interference with its internal parts. I don't have one, but it seems to me that an iPhone is a better one of what this is, than this is.

3
3

UK cyber security boffins dispense Ubuntu 18.04 wisdom

Robert Carnegie
Silver badge

Re: Good idea.

Presumably ordinary users are urged to use a password-store program with long passwords because it's a good idea, and not just to annoy them. But what do I know?

I have a password-store at work; I have to input 3 passwords to open it. One of those is "password". I don't actually use it to store passwords in. If I did, then they wouldn't be behind "password".

1
0

Early experiment in mass email ends with mad dash across office to unplug mail gateway

Robert Carnegie
Silver badge

Re: Career-limiting

I suppose you could try to pretend that you thought Peter Principle was the name of a very famous engineer - the youngest chief engineer in Starfleet or something. Scotty has a nephew named Peter on board in "Star Trek 2"; it could work.

2
0

Malware targeting cash machines fetches top dollar on dark web

Robert Carnegie
Silver badge

Why wouldn't software that gets you free money - albeit illegally - be worth more than anything else?

On the other hand, if it works, then why does it have a retail price at all? Why do the people who can get unlimited free money, want your money?

Is that a rat I smell? Maybe!

3
0

Boss helped sysadmin take down horrible client with swift kick to the nether regions

Robert Carnegie
Silver badge

Re: Clickbait headline?

Now I've forgotten what I was going to say. It may have concerned sexual harassment of IT workers and some improbability, although that wasn't what this story was about, either. Well, if not that, then whatever I meant may come back. By the way, I meant "what ISIHAC used to call", specifically, the late Humphrey Lyttelton's output device - not the trumpet but a record player. Or in this story, the output plotter.

0
1
Robert Carnegie
Silver badge

Clickbait headline?

Thanks and bye and all that, but - this headline led us to expect something that wasn't delivered and was long wanted, namely, a kick to the user instead of what ISIHAC used to call the "reproduction equipment" - and a lasting solution to the "Problem Exists between Chair and Keyboard" error when the user can't sit down for a while. Of course they would have to be very bad to deserve that.

Something else occurred to me on Friday which may have been the reason I wasn't allowed to post the comment then, so I'll try it later to see.

0
1

Dust yourself off and try again: Ancient Solaris patch missed the mark

Robert Carnegie
Silver badge

A case of "not many eyes" perhaps?

1
1

No big deal... Kremlin hackers 'jumped air-gapped networks' to pwn US power utilities

Robert Carnegie
Silver badge

How?

Two words: power lines.

two more words: Carrington event.

By manipulating sunspots and the solar wind, Russian scientists were able to signal to the power company computer systems... but why would they even need to, if they can do the first thing!

6
2

Either my name, my password or my soul is invalid – but which?

Robert Carnegie
Silver badge

@EnviableOne

I'm not quite sure I like this. Is it saying that I can't have password = 5000358745115 because someone else on planet Earth once had that password?

It's not actually my password, it is the bar code of Tesco Omega 3 linseed oil tablets - which may not do you any good, it turns out.

0
0
Robert Carnegie
Silver badge

"By pressing down a special key - It plays a little melody"

In principle, whatever you type as password can be represented as character bytes in hexadecimal notation, or even just decimal (numbers). So, restricting the character set just means that each symbol has fewer random options, but you can make the whole thing more random again by making it longer. No special keys required.

In practice, when I assigned random hexadecimal codes as passwords for a fleet of servers, some were rejected. Not apparent why, but I got around it by changing the format from 1a2b3c to 0qz1a2b3c - the start always being 0qz, the rest being random.

When I had to change them all again, I used 1a2b3cqz0 - new random numbers, and qz0 at the end, so that the new password wasn't "detected" as "too similar" to the old one.

Also if there is a fixed length - such as Wi-Fi key - then don't skimp on the randomness. I think that random alphanumerics are good enough in practice, though - although each character has about 5 or 6 bits of individual self-expression instead of 8. But a sentence in English has about 1 bit per character of variety, I think.

0
0
Robert Carnegie
Silver badge

p!a!s!s!w!o!r!d!

It's not really safer. And some systems choke on non-alphanumeric symbols in a password - I suspect one of our systems can't take a !

A password of 8 genuinely random letters is safe. I standardise on Abcdef78 - as format, not as actual password - as concession to stupid system rules (and with all consonants, like I think I said above), and I put ! at the end if I really have to. But a password of a word with $ for S isn't safe because hackers have already got all those combinations in their dictionary.

2
2
Robert Carnegie
Silver badge

Re: Idiot password checkers

For a password to remember, and easy to type: 6 random distinct consonants, then 2 numerals. I usually grab 20 letters https://www.random.org/strings/?num=1&len=20&upperalpha=on&unique=off&format=html&rnd=new - shuffle at random and pick out letters that fit e.g. Robert Carnegie -> Rbtcng95 (I don't actually use my name for this). That's the password, but to remember it, pick words that represent 5 or 6 of the letters. I find that after a few days, remembering the words e.g. "Robot carnage" (possibly my name spell checked) brings up the letters and the numbers as well.

An online password checker spotted that "Fiqbly45" contains a given name (Bly) and a dictionary word (Fiq with a Q, evidently); it must be a fiend at Scrabble.

8
0
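Added example, written for this page and not taken from any of the posts: the arithmetic behind the password formats discussed above (the 6-hex-digit codes with a fixed "0qz" prefix, the Abcdef78 / Rbtcng95 "six distinct consonants then two digits" recipe, "8 genuinely random letters", and the checker that quoted 443 years for Mtlhrw13). `entropy_bits` counts the search space an attacker who knows the format has to cover, `seconds_to_crack` turns that into expected time at an assumed guess rate, and the two generators produce the same formats from the OS CSPRNG. The guess rates in the `__main__` block are assumptions, not figures from the page.

```python
import math
import secrets
import string

# Letters the posts treat as consonants (Y included); the page's format
# capitalises the first letter and lowercases the rest.
CONSONANTS = "".join(c for c in string.ascii_uppercase if c not in "AEIOU")   # 21 letters
HEX_DIGITS = "0123456789abcdef"


def entropy_bits(alphabet_size: int, length: int, distinct: bool = False) -> float:
    """Bits of entropy in `length` symbols chosen uniformly from an alphabet.

    distinct=True means no symbol repeats (sampling without replacement), which
    is how the 'six random distinct consonants' recipe works and costs a little.
    """
    if distinct:
        if length > alphabet_size:
            raise ValueError("cannot pick more distinct symbols than the alphabet has")
        combos = 1
        for i in range(length):
            combos *= alphabet_size - i
        return math.log2(combos)
    return length * math.log2(alphabet_size)


def consonant_digit_bits(n_letters: int = 6, n_digits: int = 2) -> float:
    """Entropy of the Rbtcng95 / Abcdef78 format. Capitalising the first
    letter is part of the fixed format, so it adds nothing."""
    return entropy_bits(len(CONSONANTS), n_letters, distinct=True) + entropy_bits(10, n_digits)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who knows the format: on average half
    the space is searched before the hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def crack_time_table(guesses_per_second: float):
    """Compare the formats discussed on the page at one assumed guess rate.
    Returns {name: (bits, expected_seconds)}."""
    formats = {
        "6 hex digits (1a2b3c)": entropy_bits(16, 6),
        "6 distinct consonants + 2 digits (Rbtcng95)": consonant_digit_bits(),
        "8 random letters, one case": entropy_bits(26, 8),
        "8 random alphanumerics": entropy_bits(62, 8),
        "15 random alphanumerics": entropy_bits(62, 15),
    }
    return {name: (bits, seconds_to_crack(bits, guesses_per_second))
            for name, bits in formats.items()}


def consonant_digit_password(n_letters: int = 6, n_digits: int = 2) -> str:
    """The page's consonants-then-digits format, drawn from the OS CSPRNG
    instead of hand-shuffling a random.org string."""
    rng = secrets.SystemRandom()
    letters = rng.sample(CONSONANTS, n_letters)           # distinct, as in the posts
    digits = "".join(str(rng.randrange(10)) for _ in range(n_digits))
    return letters[0] + "".join(letters[1:]).lower() + digits


def prefixed_hex_password(n_hex: int = 6, prefix: str = "0qz") -> str:
    """The post's workaround for systems that rejected bare hex strings: a
    fixed prefix plus random hex. Only the hex part contributes entropy."""
    return prefix + "".join(secrets.choice(HEX_DIGITS) for _ in range(n_hex))


if __name__ == "__main__":
    # Assumed rates, not from the page: 1e10/s stands in for an offline attack
    # on a fast unsalted hash; 100/s for a throttled online login form.
    for rate in (1e10, 100.0):
        print(f"--- {rate:g} guesses/second ---")
        for name, (bits, secs) in crack_time_table(rate).items():
            years = secs / (365.25 * 24 * 3600)
            print(f"{name:45s} {bits:5.1f} bits  {secs:12.3g} s  ({years:.3g} years)")
    print(consonant_digit_password(), prefixed_hex_password())
```

Run it and the point the posts circle around becomes concrete: the consonants-plus-digits format is about 32 bits, "6 hex digits" only 24, and both are a matter of seconds against an offline attack at the assumed rate, while the same formats look fine against a throttled login page. A "years to crack" figure from a meter is only as good as the guess rate and the format knowledge it assumes, which is why the longer-password advice and the 443-year verdict can both come from the same tool.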

Microsoft Visual Studio Code replumbed for better Python taming

Robert Carnegie
Silver badge

Intelli-thing for SQL Server 2014

For SQL scripting... I haven't looked at it closely, maybe it can be improved. My issues with it:

1. If you write something wrong, it gets underlined red. So you correct it... and it takes a second or two for the red mark-up to go away. Long enough to think "What else is wrong with... oh I get it."

2. One error is to refer to a data table that doesn't exist. So, create the data table... the "error" stays marked as an error, even though it isn't. If the list of existing objects can be refreshed, I'd like to know how.

1
1

As Corning unveils its latest Gorilla Glass, we ask: What happened to sapphire mobe screens?

Robert Carnegie
Silver badge

Re: Seems obvious ...

Cats like to lie on a warm place...

2
1
Robert Carnegie
Silver badge

Maybe it was one of those ultrahard bollards with diamonds in :-) Rather oversold in my opinion as terrorism and ram raider prevention, but they are pretty!

8
0

Fukushima reactors lend exotic nuclear finish to California's wines

Robert Carnegie
Silver badge

Putting the "terror" in "terroir" ... "I Have No Mouth And I Really Need A Drink So Basically I'm Stuffed".

I think you might as well go back to the anti-freeze method.

2
0
Robert Carnegie
Silver badge

Radioactivity, wild boars

...what -were- they putting in the magic potion in that indomitable Gaulish village? (besides tea leaves, canonically established :-)

6
0

Elon Musk, his arch nemesis DeepMind swear off AI weapons

Robert Carnegie
Silver badge

Re: Pugwash 2.0?

We need the AIs themselves to make the pledge, not just the fleshy masters. Solved...ish.

1
0

Get rich with Firefox or *(int *)NULL = 0 trying: Automated bug-bounty hunter build touted

Robert Carnegie
Silver badge

Dilbert 26/07/1995

http://dilbert.com/strip/1995-07-26

"I was this close to making it my job..."

1
0

Declassified files reveal how pre-WW2 Brits smashed Russian crypto

Robert Carnegie
Silver badge

Outsourcing.

Ass, you, bitten in.

3
0
Robert Carnegie
Silver badge

A foreign language isn't code.

It takes years to learn a foreign language properly, and people whose language it is can immediately understand you... unless you're dreadful.

A dictionary of under 100 common words in any language liable to be used in this way should make it very easy to detect.

1
0

Adtech-for-sex biz tells blockchain consent app firm, 'hold my beer'

Robert Carnegie
Silver badge

According to Abba

"Lovers (Live a Little Longer)"

Medically proved apparently, or maybe it just SEEMS longer...

2
0
Robert Carnegie
Silver badge

Re: This is incredibly misogynistic alright

To answer you:

The following appears to be a joke about a Jewish gentleman, which may be a required detail.

He was talking to a friend and said, "I prefer to sleep alone. I believe in celibacy. In fact, ever since we were married, my wife and I have had separate rooms."

"But," said the friend, "supposing during the night you feel that you would like a little love, what do you do?"

"Oh," replied the other, "I just whistle."

The friend was astonished, but went on to ask, "But supposing it is the other way round and your wife feels that she would like a little loving - what happens then?"

"Oh," he replied, "she comes to my door and taps, and when I answer says, 'Ikey, did you whistle?'"

0
0

Leatherbound analogue password manager: For the hipster who doesn't mind losing everything

Robert Carnegie
Silver badge

Re: It's easy to improve security by using this...

I found it pretty hard to decide what to write on my replacement bank card as a reminder to self not to use the old PIN. The catch being that this could look like a disguised way to write down the new PIN, making the card more attractive to steal.

I decided in the end on - "Remember they gave you a new PIN number so don't use the old one", in capitals.

0
0
Robert Carnegie
Silver badge

It's small enough

Roughly the area of a credit card. So you can store it somewhere very, very safe.

Just as long as no one watches you getting it out.

0
0

Open plan offices flop – you talk less, IM more, if forced to flee a cubicle

Robert Carnegie
Silver badge

Re: Monasteries had it right centuries ago

"Translated from Arabic" doesn't sound like Christianity was all that responsible for carrying knowledge through the Dark Ages. Rather, it was responsible for there BEING Dark Ages.

7
8
Robert Carnegie
Silver badge

Flawed experiment design?

"a 'sociometric badge' that was worn around the neck"

If I sit at my computer monitor and talk to people around me, the "sociometric badge" will only see me apparently talking into my computer screen. And likewise the people I'm talking with. With cubicles, you have to leave your computer and find someone to talk to... unless "cubicle invasion" is a thing where you are. See Dilbert cartoon (of course): Friday January 12, 1996.

4
0

Gemini goes back to the '90s with Agenda, Data and mulls next steps

Robert Carnegie
Silver badge

Top wish = backlit keyboard?

Don't people touch type, by feel? Well... a small LED light that plugs into its USB would be another option. It comes as USB-C though?

2
0


Biting the hand that feeds IT © 1998–2018