Posts by NightFox 666 publicly visible posts • joined 23 Oct 2009
Just last week I had:
> "Hello, Customer Service - Can I take your order number please?"
"Hi, yes, it's November Five Three Charlie Echo Eight Two Six"
> "No, your order number, it should be eight letters or numbers"
"N 53 C E 8 2 6?"
> "Thank you, how can I help?"
Negotiators can end up being a means of bypassing sanctions, either inadvertently or intentionally.
Scenario 1: Company receives demand for $5m, brings in a legitimate negotiator. They pay negotiator $1m to resolve the situation directly, with no further involvement by the company. Negotiator (who's not US-based) negotiates and makes direct payment of $500,000 to the bad guys, keeps the other $500k as his profit. End result = ransom payment made without company breaking sanctions.
Scenario 2: Bad guys demand $1m from company. They know that company can't pay them directly so they tell company to engage Negotiator X (who works for the bad guys) as a front and pay him $1m in negotiation fees.
Both of these things happen in human kidnapping, so there's no reason they couldn't be or aren't already happening with ransomware.
A lot of people seem to see this as the emergence of a new capability that could now be open to abuse. However, that capability has existing for years already - this is just the case that Apple are now talking about implementing it. It's potential for abuse is no greater than it was previously.
I'm not saying there's nothing to be worried about here - just that the genie's already out of the bottle and whichever way Apple goes with CSAM scanning doesn't really change that. Concerns that at oppressive regime or whoever could persuade Apple to scan content for something else were just as valid 5 years ago - all this does is serve as a reminder of what technology is capable of.
A critical mistake in the third paragraph: "...will scan all those you have sent and will send to *iPhotos*" should be "iCloud Photo Library".
iPhoto was replaced by Photos many years ago, but more significantly that is/was just a local app, it's only if you're using the iCloud-based service that Apple will scan those photos AFAIK.
I remember having finally got my 14,000 baud dial-up modem and my Demon Internet account details through the post (having filled in, cut out and sent off a form in the back of a book), connecting to THE INTERNET... then staring at a blank screen with a command line prompt. I phoned Demon's helpline to find out what was wrong, where was the information superhighway? to be told that was expected behaviour. I now needed to open up my browser. My what? My browser. Oh,.. what's that then?
So then a trip to Escom and £50 paid for Microsoft Plus! (sic) to get Internet Explorer 1 (that on the back of the £80 I'd recently spent on Windows 95). That was money I barely had back then - the irony was that within a year or so virtually everywhere you turned an ISP was trying push a free CD with their customised version of IE under your nose.
You're hanging on to your stuff too long between replacements by waiting for kit to fail or become obsolete. You can drastically shorten the cycle with the "I can sell the old one on eBay while it's still current and worth a bit so the new one will only actually cost me £xxx" self-justification - then with the purchase made, put the old one in the roof/cellar until 5 years later when you do actually finally get round to listing it on eBay to find it's now worth about 7p.
Agree - people who can't even be arsed to press shift when writing their own name, how much pride and effort is that person going to take in anything else they do?
I used to make a point of whenever somebody bought something off me on eBay who'd entered their entire name, address and postcode completely in lower case, I'd delay sending the item for a day.
I have however finally come to terms with the fact that my eldest daughter (who's a computer-literate student) insists on Caps Lock On X Caps Lock Off rather than just hold down shift to capitalise a single letter.
I never had a ZX81 - at the time I was going from Commodore PET to a VIC20, but I did go on a school French exchange where the family I was staying with had one. I remember spending what seemed the best part of a day typing in the code for "that program" that had the tyrannosaurus rex advancing menacingly from a 3D maze (without the benefit of the muscle-memory ZX81 owners developed for which keys corresponded to which BASIC commands) only to have it totally crash when I tried to run it. No idea why I didn't save it first, I think I was just used to the Commodores where the worst you'd get if something was wrong with a BASIC program was a ?SYNTAX ERROR IN 270
@John Brown
I'm not convinced by your dismissal of the use of live video to reduce unnecessary responses to false alarms. It's not excessively expensive and isn't restricted to commercial monitoring services. For example if my Ring alarm system tells me it's detected motion in my hallway when I'm away from home, there's little I can do with just that information apart from worry until I can get home. However, if I can remotely check a live video feed of my hallway, I can then either relax and carry on with what I was doing, or call the police.
And I don't see how money that consumers might spend on CCTV relates to money spent by manufacturers on alarm system development.
You're right that sentencing based on the outcome rather than the act is illogical, but the intended purpose of a court's sentence is threefold: Deterrent (stop others doing it), Punishment (stop the person doing it again) and Retribution (let the public/victims feel they've 'got their own back' and justice has been done). With this third factor, human nature is usually at odds with, and prevails over, logic.
Agree - we're used to see companies weaselling their way out of earlier promises, but saying that something described "for life" was just an introductory offer just took things to a new level that even TomTom would struggle to justify. Maybe HP will start bricking their printers and then say the offer referred to the life of the printer, or I guess there's also a more sinister solution they could impose...
It may be an age-related thing now I'm the wrong side of 50, but am I the only one who just wants to shoot crap out of things and actually doesn't give a toss about character development cut-scenes and back stories so tragic and clichéd that the characters could almost be Britain's Got Talent finalists? There's too much of this blaming galactic oppression or genocidal-level rebellion on unresolved family tensions.
I actually think this addresses a gap in remotely-monitored home security systems that doesn't occur to most people until their systems are up and running. Getting a notification that there's movement in your lounge when you're on holiday 2000 miles away is good, but then what do you do? You've got no way of knowing whether it's somebody breaking into your house or a spider walking across a sensor. Asking your mate to check it when he gets home from work isn't really going to achieve much. Sticking multiple CCTV camera up is one option, but a deployable CCTV camera like this is actually a much neater solution - even if the burglar does grab it out of the air and smash it, you still know it's a genuine alarm and can call the police or whoever. And the police will rightly prioritise a "burglary in progress" much higher than a "I've just got home from holiday and discovered I've been burgled*" call, where the horse has already bolted so to speak and - public expectation aside - there's very little justification for any urgency in the response over other more urgent queued responses.
Or 'burglarized' as Americans obscurely seem to insist on.
Still remember swapping loads of my Commodore 64 games for a second-hand version of Flight Simulator II complete with its mind-blowing wireframe graphics, which my Dad then used to spend hours playing on his SX64 with its built-in 5" screen. He then got hooked on FS right through to X which he was still 'flying' in his late-80s, though sadly isn't around any more to enjoy this release.
Putting aside any subjective feelings about this specific case, I don't understand America's interpretation of "cruel and unusual punishment" which is accepted to include banning humiliating punishments, yet I frequently see US judges meting out 'creative' sentences like this clearly intended to humiliate the culprit. I sometimes get the impression that US judges are free to dream up any punishment they like - surely there's some form of control here?
Of course the baying mobs love this stuff, and retribution is always going to be a part of punishment, but I'm not sure that humiliating punishments belong in civilised society.
"Just make paying a ransom a criminal offence, punishable by, say, ten years in prison for the CEO. Sorted."
Not really. As I mentioned in another thread, in countries that have made ransom payments for kidnap illegal, people are less likely to inform the authorities of a kidnap so the authorities can't then obstruct/prosecute them for paying the ransom to save their loved one (it's not unheard of for authorities to freeze the assets of someone who reports a kidnap to prevent any ransom payment). As a result, it's easier for kidnappers to operate knowing that there's little chance of the police getting involved. The same would probably apply with ransomware.
There's also ways around making an obvious payment to the demanders. You can't be seen to pay a $5m ransom, but you can engage a 'specialist' consultant to either negotiate with the kidnappers or disinfect your IT systems for maybe $1m, that consultant being either a front for the kidnappers/malware pushers, or a legitimate consultant laundering the ransom payment before passing it on to the baddies.
Have to say though, it seems a poorly-chosen time to target CWL when business travel is at an all time low.
Payment of ransom for kidnap is illegal in some countries as an attempt to deter kidnap, but it generally fails because:
a) Consultants who support victims through the negotiation process know how to make payments discretely and work around such laws
b) It makes victims less likely to report the incident to the authorities, actually making it easier for kidnappers to operate.
Same logic applies to ransomware.
I think Garmin will have been through their systems looking at absolutely *everything* over the last few days before making the decision to bring it back online.
The general assumption seems to be that because everything Garmin went down, everything had been infected by the ransomware, but I'd suggest it's more likely that once Garmin discovered the malware in one segment of their system, they pulled the plug on everything as a precaution and much of the recovery has involved ascertaining how far the infection had spread, and whether there were open routes of (re)infection between segments before turning them back on. The last thing they would want is to turn on the recovered system only for it to immediately get re-infected by their Building Management System that everyone had forgotten about.
Been there, done that with Tado. Good system at the time and it certainly paid for itself, but whenever they experienced server issues the system would permanently send a demand for heat to the boiler with the TRVs staying fully open and the house just got hotter and hotter (arguably better than failing 'off' I guess). Happened in the middle of winter, and summer too.
Yeah, always easy to be smug at times like this. So what is it that keeps you going during a run? I'm sure being an experienced runner you'll appreciate that motivation is a very personal thing, and for some it's just that prospect of getting home, uploading their run and looking at their stats and perhaps sharing them on Strava. It doesn't matter if that VO2Max, fitness age or ground contact time is of questionable accuracy or training value as long as it's a motivator.
I suspect there's large number of people today who maybe started out with a fitness tracker just to track their daily steps and then got hooked into the whole fitness thing and are now leading much more healthy and active lives as a result of the technology who would otherwise just be sat watching Netflix.
Of course it's easy to to be condescending and say "we didn't need this stuff in my day" and "the only motivation people should need is their own health" but that misses the point entirely. When I've still got another k to do, trying to convince myself that I'm actually getting fitter despite the fact I feel like my whole body is about to shut down doesn't hit the mark, but thinking ahead to seeing my efforts immortalised online with enough data to launch a lunar mission keeps me going. Yes, your motivation may be purer, but I'm still doing the miles and getting the same benefits as you.
"It's like taking a stroll in a forest. Honestly, officer, apart from you, who do think I came in contact with ? You're the only other person around here, so you're the one putting me in danger."
But the trouble is you can't have discretionary rules because many people's discretion is poorly founded (as just a cursory glance of Facebook will confirm) - Pascal went walking [in the forest] and encountered a police office and that was OK, so I can also go for a walk [in a highly populated area].
But as soon as you start trying to be more granular with the rules (it's OK to go walking in forests but not in highly populated areas), people say the rules are too confusing - is a wood a forest? how many people makes an area highly populated?
So you're back to having a simple one-size-fits-all rule which has to be enforced with no scope for discretion.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
