Small Brit firms beg for 'light touch' as only half are ready for digital tax reforms due next month

Philip Hands

Somebody in there understands something about Free Software...

given that the API is under the Apache license:


so there are clearly some people with some sort of clue involved, but apparently the higher-ups don't understand that requiring a secret developer key is a show-stopper when it comes to a Free Software client implementation.

I also find it pretty odd that they appear to have written an API without a reference client to go with it -- how are they testing this stuff? (or is there a secret in-house client for testing? If so, shouldn't taxpayers get access to that too, having paid for it?)

This seems to amount to something akin to illegal state aid of the proprietary vendors to me. The cheapest that one seems to be able to get bridge software for is about 75 quid, and the cloudy offerings are charging a tenner a month or more. If one multiplies that by the number of VAT registered folk that need to comply one is talking about a vast cash injection for the accountancy industry for what amounts to almost no gain and often quite a lot of pain for the people that are actually doing something productive.

£1 in every fiver that UK biz, public sector spent on software in 2017 went to *drumroll* Microsoft

Philip Hands

Re: £7.353bn

> With £7.353bn you could easily finance ...

but anything that went wrong would then be your fault.

Philip Hands

the vast majority of which is then spent on marketing

So uk.gov spends about a billion quid on adverts to convince themselves that spending all that money was a good idea.


Texas ISP slams music biz for trying to turn it into a 'copyright cop'

Philip Hands

Re: Infringing files

I'm sure that I read about a researcher writing a BT client that claims to have popular files (but only a few blocks in the middle IIRC), and if anyone asks for those blocks, they hand out a block of NULs (or some such).

Inevitably, they got a load of take-down notices claiming infringement, despite there having been no (or almost no) attempts to grab the supposedly available blocks.

Oldest swinger in town, Slackware, notches up a quarter of a century

Philip Hands

Re: Lack of phoning home=frying pan/fire

>> Looking at system logs of a distro using systemd will show everything going smoothly until org.freedesktop appears.

... and there was me momentarily believing the thing about systemd ensuring that you'd never see another log message.

Nice to see that is just so much nonsense, eh?

Devuan ships second stable cut of its systemd-free Linux

Philip Hands

Re: systemd-free?

Hopefully it will encourage Debian to continue allowing that choice at a fully supported level.

My concern is that if the people that care about running without systemd all migrate to Devuan, and if Devuan developers put little effort into pushing their changes upstream into Debian, then there will be that much less reason for Debian Developers to maintain the choice.

It takes good bugs, preferably with good patches attached, to keep that sort of functionality viable, especially if the person maintaining the package has no strong views about the init debacle (which is the case for the majority of Debian users and thus developers).

The work that gets done in Debian is that which interests people enough to do it. If those interested in choice of init all go elsewhere then of course that choice will wither on the vine.

If on the other hand Devuan were to act more like a normal Debian Derivative, they'd be making sure that as much of their work as possible was fed back into Debian, they'd be maintaining major components as both Devuan and Debian packages, they'd be reporting bugs where Debian fails to satisfy their preferences, and all that would act to preserve the choice that you worry about losing.

Philip Hands

Re: systemd-free?

s/allowed/currently\ allowed\ as\ a\ short\ term\ workaround/

Ah, well, if you're still intent on the elimination of libsystemd0 then that is the thing that will not happen in Debian itself, for the very dull technical reason that we don't have a good way of dealing with multiple versions of many packages that are linked against differing sets of libraries.

I was thinking that the fact that a release had been made including libsystemd0, and people were saying things like "Since libsystemd0 is totally innocuous if systemd is not installed ..." there might be some hope of pushing some/all of the delta upstream.

If not, well, never mind -- good luck with your vision of the future.

Philip Hands

Re: systemd-free?

exactly, and if one installs another init on Debian, presumably systemd is also not running (sorry, but I've not actually tried it lately, so I'm not certain, but presumably there are people that use Devuan that have tried that and can explain what the actual difference is, and what might be needed to make Debian run in a way that would make them cheerful about life)

I can imagine that there are rough edges at present -- e.g. presumably one needs something to do whatever systemd-logind does -- personally I use Xmonad, so I have no idea what a default install of e.g. gnome or MATE needs to run, nor how much of it is provided by things within the systemd stable, so this is a genuine question about how far apart we really are.

In the past, people seemed to be so systemd-averse that the suggestion that some things might continue to depend upon libsystemd0 was a deal-breaker, and that seems to be the point where people decided to create Devuan as a fork.

If libsystemd0 is now allowed, then it seems to me that Devuan is in a position to be a more conventional derivative of Debian, which might be good both for Devuan (as some of the maintenance could be pushed upstream into Debian, allowing them to concentrate on any real differences that are required) and good for Debian (by keeping the options for users regarding which inits they can choose more viable).

Philip Hands

Re: systemd-free?

Right, so if we're all relaxed about having libsystemd0 sitting on the disk, and if we're capable of remembering that Debian allows one to choose the init of one's choice, what exactly is the difference between Debian with sysvinit installed, and Devuan?

Note: init-system-helpers -- a package specifically created to allow one to switch between inits in Debian, which of course is also used in Devuan.

Is the answer to that things like udev rather than eudev?

If so, is there anything to stop eudev being uploaded to Debian? (I note that the ITP has been fallow since 2014: https://bugs.debian.org/765971 )

Philip Hands


well, apart from libsystemd0 of course.

I was surprised when someone on slashdot pointed that out, but I grabbed the live ISO, spun it up, and discovered that it really does contain libsystemd0, and the package is bit-for-bit the same as that in Debian stretch-updates, so it's not just some pretend empty package installed just to satisfy some dependency, or similar hack.

I thought that the whole point of Devuan was to remove every bit of systemd, including libsystemd0, since if one can live with that, then one can just install Debian, with the init of your choice, and get pretty-much the same thing.

Perhaps some Devuan person could explain what the thinking behind this is. To me it points towards the possibility of Devuan becoming a conventional Debian derivative, but perhaps I'm missing something.

BTW given that the vast majority of the packages in Devuan ASCII are actually bit-for-bit the same as packages from Debian, it might have been polite to mention the reliance on the work of Debian in the release notes, but never mind.

Munich council: To hell with Linux, we're going full Windows in 2020

Philip Hands

Couldn't conceivably have anything to do with MS moving their HQ, of course

MS moves HQ ... to Munich (Sep 2016)

I'm sure the local government wouldn't have indulged in some sort of tit for tat arrangement to make sure that's where they ended up, would they?

And the honorable politicians would never do something like ask a Microsoft partner to assess the wisdom of switching back to Windows now, would they? No, no, of course they wouldn't do something so transparently corrupt.

systemd'oh! DNS lib underscore bug bites everyone's favorite init tool, blanks Netflix

Philip Hands

... not that Debian users should notice

As someone who's been using Debian since '93 I certainly understand that one sometimes gets a visceral negative reaction to change, but the incoherent backlash is getting pretty tiresome.

sysvinit was and is a heap of shit, which often works more by luck than judgment.

I admit, I never really considered this until someone came along and tried to build a better alternative. Namely Upstart, which I didn't like at all. Systemd didn't get a better reaction from me either, but the vast quantity of abuse piled on it eventually provoked me to take a long hard look at what I was clinging to and realise that rather than it being a lifebuoy, it was actually a large floating turd.

Just because we've all been trained by bitter experience not to stray into the dodgy areas where it is most likely to break (or where you're no longer even being given the option to stray there because DDs are no longer willing to deal with the related bug reports) does not mean that it's good. Likewise, just because we've learned what is wrong when it breaks, does not mean that it's easy to fix.

Clearly, trying to replace this sort of software is a thankless task. I think the least that we owe those brave enough to take on the task is to not simply believe every single bad thing that anyone says about them and their software and their motives.

How about at least trying to concentrate long enough to decide whether we really actually care about any particular story?

For instance, Debian users might want to notice that Debian does not use systemd-resolved by default, so this story is of no real interest to them unless they've decided to use resolved.

If someone reacts to this and similar stories by quitting Debian, then that is one less person to care about the non-systemd inits that Debian still supports (systemd is only the _default_, after all -- and only on Linux). That's one less person noticing and reporting bugs if those alternatives start to rot. That's less pressure on developers to keep those alternatives viable.

So, if you care about choice, I suggest that you stick around, use Debian without systemd as the init, and report bugs when you notice them.

Running off elsewhere is not likely to keep other inits viable in Debian, and since Debian is one of the few major distros that still offers a choice of init, if that ceases to be true, the death of choice will be that much closer.

Cyber arm of UK spy agency left without PGP for four months

Philip Hands

GPG? on Debian say?

If one were paying attention at all to these matters (and I think they do so in parts of GCHQ), you'd know that things like Debian come with full source, and that includes GPG which can deal with OpenPGP messages just as well as PGP.

I guess that sort of special knowledge is only shared on a need to know basis (or perhaps it took whoever it was who failed to get the licenses paid for four months to pluck up the courage to ask anyone what they could do about it).

Feelin' safe and snug on Linux while the Windows world burns? Stop that

Philip Hands



Also, the numbers for Debian (which includes over 51,000 packages) to those for Windows is no basis for comparison. Of those 51,000+ there is a very long tail of packages that get installed in only very small niches, so if there's a CVE for a package that is only installed in compute cluster nodes that are never exposed directly to the Internet, that is in no way equivalent to a CVE that is reported against Windows which has _much_ less variation in the set of software installed across the herd.

The top-50 list pointed at includes a large element of double-counting, since Ubuntu and many other Debian derivatives will often inherit any flaws in Debian, since they are closely derived from Debian.

I note that 2016 was chosen rather than 2017 -- Could it be that the wedge of Microsoft products in positions 6--11 in the 2017 list is not so easy to spin as being somehow good?


Microsoft boasted it had rebuilt Skype 'from the ground up'. Instead, it should have buried it

Philip Hands

Completely normal from Microsoft

except that in this case they're not in a position to abuse some monopoly in order to force people to use their shoddy nonsense anyway.

systemd-free Devuan Linux hits version 1.0.0

Philip Hands

Re: Cat among the pigeons but...

I'm puzzled by people that raise the bogey man of "binary logging"

It's really not _that_ hard to discover that the command 'journalctl' will spew out the contents of those log files, as text, with the added bonus of having the opportunity to add options that give you the logs from this boot, or any previous boot, or only logs associated with particular binaries or services (if you can work out the not very memorable options required).

You can pipe that into the grep command that you were going to point at your logs, and get the same result, with the added bonus that you don't have to guess the right log file, or wonder if some of the messages you were looking for went elsewhere, or decompress the older compressed (and hence binary) logs, and then sod about stitching them back together with cat if you want to grep back across several of those log files.

Not that any of that's particularly relevant to Debian, which still defaults to running rsyslogd, with its normal text files, and will only do binary logging if you choose to create the /var/log/journal/ directory.
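As an added illustration (not part of the comment above), here is the rsyslog side of that comparison in Go: a function that does the zcat/cat/grep stitching across syslog, syslog.1 and syslog.2.gz in chronological order, the chore that `journalctl | grep` removes on a journald host. It assumes logrotate's default naming (base, base.1, base.2.gz, ...), and the log lines it searches are a constructed fixture.

```go
package main

import (
	"bufio"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// rotationIndex maps "syslog" -> 0, "syslog.1" -> 1, "syslog.2.gz" -> 2; ok is false for unrelated files.
func rotationIndex(name, base string) (int, bool) {
	suffix := strings.TrimSuffix(strings.TrimPrefix(name, base), ".gz")
	if suffix == "" {
		return 0, true
	}
	n, err := strconv.Atoi(strings.TrimPrefix(suffix, "."))
	return n, err == nil && strings.HasPrefix(suffix, ".")
}

// rotatedLogs lists base and its logrotate copies, oldest (highest index) first, live file last.
func rotatedLogs(dir, base string) ([]string, error) {
	matches, err := filepath.Glob(filepath.Join(dir, base+"*"))
	if err != nil {
		return nil, err
	}
	idx, paths := map[string]int{}, []string{}
	for _, m := range matches {
		if n, ok := rotationIndex(filepath.Base(m), base); ok {
			idx[m] = n
			paths = append(paths, m)
		}
	}
	sort.Slice(paths, func(i, j int) bool { return idx[paths[i]] > idx[paths[j]] })
	return paths, nil
}

// grepLogs does the zcat/cat/grep stitching in one pass: every line across all rotations of base containing needle, oldest first.
func grepLogs(dir, base, needle string) ([]string, error) {
	paths, err := rotatedLogs(dir, base)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, p := range paths {
		f, err := os.Open(p)
		if err != nil {
			return nil, err
		}
		var r io.Reader = f
		if strings.HasSuffix(p, ".gz") { // older rotations are compressed
			if r, err = gzip.NewReader(f); err != nil {
				f.Close()
				return nil, err
			}
		}
		sc := bufio.NewScanner(r)
		for sc.Scan() {
			if strings.Contains(sc.Text(), needle) {
				hits = append(hits, sc.Text())
			}
		}
		f.Close()
		if err := sc.Err(); err != nil {
			return nil, err
		}
	}
	return hits, nil
}

// writeSampleLogs creates a constructed three-generation syslog set as a demo fixture.
func writeSampleLogs(dir string) error {
	gzf, err := os.Create(filepath.Join(dir, "syslog.2.gz"))
	if err != nil {
		return err
	}
	w := gzip.NewWriter(gzf)
	w.Write([]byte("Jan  1 00:00:01 host sshd[100]: Accepted publickey for alice\nJan  1 00:00:02 host cron[101]: job ran\n"))
	w.Close()
	gzf.Close()
	if err := os.WriteFile(filepath.Join(dir, "syslog.1"), []byte("Jan  2 00:00:01 host sshd[200]: Failed password for root\nJan  2 00:00:02 host kernel: eth0 up\n"), 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "syslog"), []byte("Jan  3 00:00:01 host sshd[300]: Accepted publickey for bob\n"), 0o644)
}

func main() {
	dir, _ := os.MkdirTemp("", "logdemo")
	defer os.RemoveAll(dir)
	if err := writeSampleLogs(dir); err != nil {
		panic(err)
	}
	hits, _ := grepLogs(dir, "syslog", "sshd") // journald equivalent: journalctl | grep sshd
	fmt.Println(strings.Join(hits, "\n"))
}
```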

El Reg Redesign - leave your comment here.

Philip Hands


I didn't think much to the old thing with the changing content at the top of the screen that's just a repeat of the stories listed in a sane order below, but at least it was easy to ignore.

This is much less easy to ignore -- although I guess I'll manage it by not bothering to look at the site.

I'll check back in the new year to see if you've regained your sanity.

UK.gov mulls three-point turn on three-point turn thanks to satnav. Weeeeeeee. THUD

Philip Hands

GPS training seems like a great idea

As long as the GPS used for the test is programmed to suggest a route that will make them fail the test if they trust it blindly (e.g. entering a buses-only road, or against the flow on a one-way street).

Valve showers Debian Linux devs with FREE Steam games

Philip Hands

You'll be wanting Ye Olde SteamOSe


How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report

Philip Hands

RSA==tossers ... How is that news?

I used to maintain ssh for Debian back in the day when one was supposed to use librsa (from RSA) in order to comply with their patent, so we had the real version of ssh in non-us, and the librsa-linked one for US based users that felt the need to comply with the patent.

librsa was a piss poor implementation of "their" algorithm, so when it also caused some build failures I just forgot to produce the US patent friendly version.

Nobody complained, because anyone with any sense had already decided to ignore the patent.

I've had no respect for RSA ever since -- they failed to fix reported bugs for ages too IIRC -- I had chalked that down to lazy incompetence founded on having the patent to protect them from proper competition, but it seems that there might have been a spot of corruption in the mix too.

On the other hand, having a product that appeals to the clueless is a great way to get rich, so I don't suppose most of their customers will take the slightest notice, or even realise the implications of this.

Foxconn must pay Microsoft for EVERY Android thing it makes

Philip Hands

Re: Not paying for patents

> Scrapping patents would be the worst move a modern society could make

Nonsense -- The fashion industry has effectively no protection for its designs, other than trademark, and yet it exists, and innovates strongly, and turns over vast amounts more than most of the sectors with strong protection:


Whoops! Tiny bug in NetBSD 6.0 code ruins SSH crypto keys

Philip Hands

Re: Document your tricksy shit?

Also, Kurt (the maintainer in question) did ask about whether it was a good idea to "fix" said tricksy shit, on the openssl-devel mailing list, and received only positive noises in response.

It was later revealed that the OpenSSL developers generally don't read their -devel list, because it's too noisy, and instead hang out elsewhere -- feel free to make your own judgements about the overall wisdom of that, and how to allocate the blame arising from the Debian patch.

NHS Trust ditches in-house servers, chucks 15TB into the cloud

Philip Hands

Would that 15% be the salaries of the staff that they can now fire?

Extrapolating from what I've seen a few times in the comms side of things, I'm guessing that the story so far is:

A manager wanting to further inflate his reputation, worked out that techies are expensive, and only ever came to him with problems, so why not kill two birds with one stone, push the things they look after into "the cloud", then fire all the people that can diagnose who's to blame in case of failure, thus making sure that it takes as long as possible for the service provider's faults to come to light.

Coming soon in the next exciting episode:

Our manager hero gets an award from SocITM for his cloudy prowess, and makes a quick exit to the next opportunity for an even bigger SNAFU on a larger salary, shortly before it becomes apparent that his supposed stroke of genius has resulted in nobody being able to access their data on occasion, and a casualty or two.

Boffins: VAMPIRE stars are PREYING on their companions

Philip Hands


I didn't think real scientists did Fahrenheit, particularly not this side of the pond.

Actually 54000 °F is very close to 30000 °C, so my guess is that a scientist guessed the surface temperature as 30k °C ±5k and someone else (probably the journalist) has then decided to make the number bigger by converting to Fahrenheit -- giving a false impression of accuracy while they're about it.

Microsoft unfurls patent lasso, snares Linux servers

Philip Hands


... so, it seems that one needs to ask the troll to demonstrate the infringement in discovery

I wonder how MS would respond to that.

EU privacy body slams ACTA as 'unacceptable'

Philip Hands

Nice TED talk exposing the utter tosh used to try to justify ACTA & Co.


Two UK airports scrap IRIS eye-scanners

Philip Hands


Those percentages seem impressively small until you multiply them by 200,000,000 at which point we find that 280000 Indians will fail to enrol in the system -- too bad for them.

If you tried checking the population's ID once each, 70000 people would be wrongly declared to be using false ID, and 114000 would get away with using someone else's (or perhaps be identified as a terrorist instead -- it's not clear what false positive means here).

So it seems like somewhere between a quarter and half a million Indians are likely to end up one ID check away from a pretty unamusing time after this system is implemented.

Cabinet Office moves step closer to killing Directgov

Philip Hands

Nice to see that the code's open: https://github.com/alphagov

So all you naysayers, how about cloning the repos and fixing the stuff you don't like, and trying to submit patches. You're all clever enough to poke holes, but are you clever enough to fix them?

Would also be very interesting to see how they react to third party patches, and the government's reaction to getting work done for nowt.

OFFICIAL: Smart meters won't be compulsory

Philip Hands

I want one, but I want to own it

I'll cheerfully pay 350 quid for a device I own (i.e. Free firmware that I can at least examine, and ensure does not include a remote kill switch or other features that are not in my interests, and preferably also includes features to protect my privacy from leaking data).

I'm not wanting to be able to significantly twiddle with the readings, obviously, so they need a tamper-proof module that generates readings, along with a cryptographic checksum that allows them to confirm that I'm not tampering with that when I send readings in.

Having seen Ross Anderson ( http://www.cl.cam.ac.uk/~rja14/ ) talk about this subject, it seems inevitable that the way these meters are being funded will lead to them being cheap and nasty little security nightmares that will inevitably be abused, which could involve anything from thieves looking for power usage patterns showing empty properties, up to hostile nations breaking the national grid by flicking the power in a few million homes off and on simultaneously.
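Added example, not from the comment above: a Go sketch of the split it asks for, a sealed metering module that authenticates every reading with a per-meter HMAC key and a sequence number, so owner-controlled firmware can forward readings but cannot alter or replay them. The meter serial, key and consumption figures are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reading is what the sealed metering module emits. The owner's firmware can
// read and forward it, but without the module's key it cannot produce a valid MAC.
type Reading struct {
	Serial    string
	Seq       uint64 // monotonic counter, so a captured reading cannot be replayed
	WattHours uint64
	MAC       []byte
}

// encode fixes the byte layout that is authenticated: serial, NUL, seq, watt-hours.
func encode(serial string, seq, wh uint64) []byte {
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf[:8], seq)
	binary.BigEndian.PutUint64(buf[8:], wh)
	return append([]byte(serial+"\x00"), buf...)
}

func tag(key []byte, serial string, seq, wh uint64) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(encode(serial, seq, wh))
	return m.Sum(nil)
}

// SealedModule models the tamper-proof part of the meter: it owns the per-meter
// key, counts consumption, and authenticates every reading it hands out.
type SealedModule struct {
	serial string
	key    []byte
	seq    uint64
	wh     uint64
}

func NewSealedModule(serial string, key []byte) *SealedModule {
	return &SealedModule{serial: serial, key: key}
}

func (m *SealedModule) Consume(wh uint64) { m.wh += wh }

func (m *SealedModule) Emit() Reading {
	m.seq++
	return Reading{m.serial, m.seq, m.wh, tag(m.key, m.serial, m.seq, m.wh)}
}

// Supplier is the receiving side: it shares each meter's key and remembers the
// last sequence number accepted, which is all it needs to spot forgery and replay.
type Supplier struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
}

func NewSupplier() *Supplier {
	return &Supplier{keys: map[string][]byte{}, lastSeq: map[string]uint64{}}
}

func (s *Supplier) Enrol(serial string, key []byte) { s.keys[serial] = key }

// Accept returns nil for a genuine, fresh reading and an error otherwise.
func (s *Supplier) Accept(r Reading) error {
	key, ok := s.keys[r.Serial]
	if !ok {
		return errors.New("unknown meter serial")
	}
	if !hmac.Equal(r.MAC, tag(key, r.Serial, r.Seq, r.WattHours)) {
		return errors.New("bad MAC: reading altered in transit or forged")
	}
	if r.Seq <= s.lastSeq[r.Serial] {
		return errors.New("stale sequence number: replayed reading")
	}
	s.lastSeq[r.Serial] = r.Seq
	return nil
}

func main() {
	key := []byte("constructed-demo-key-not-a-real-secret") // constructed; a real one is provisioned at manufacture
	meter := NewSealedModule("PH-000001", key)
	supplier := NewSupplier()
	supplier.Enrol("PH-000001", key)

	meter.Consume(1200)
	r := meter.Emit()
	fmt.Println("genuine:", supplier.Accept(r)) // nil
	lowered := r
	lowered.WattHours = 12 // owner firmware "helpfully" shaving the bill
	fmt.Println("altered:", supplier.Accept(lowered)) // bad MAC
	fmt.Println("replayed:", supplier.Accept(r))      // stale sequence number
}
```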

Microsoft will beat Linux clouds at their own game - with open source

Philip Hands

these figures are drivel

So, they ask ~940 people where they're going to deploy, one of them says AT&T and two say IBM, and they report that as 1% vs. 3% respectively -- oh, and they apparently have 103% total.

Drawing any conclusions from this, when you tell us that the MS-lovers are an irrelevant side show in the cloud, is pointless.

Anyone that's decided they want to run Free Software on VMs is liable to be open minded enough to make a rational decision, rather than fearfully clinging to nurse for fear of something worse, so Microsoft tempting the kids with some free sweeties isn't going to make much odds.

UK nuclear: Walking into darkness with eyes screwed shut

Philip Hands

Just out of interest

How is one supposed to tell the difference between bogus justifications for nuclear power that were touted in the past when we were in the cold war, and it had been decided that we needed reactors to make weapons regardless of any down side, and real actual scientific justifications that we might see today, that sound eerily familiar?

Also, I note that we don't have much in the way of tidal generation, despite it being a power source that surrounds this country. I would assume that that is because it's too difficult to extract and not close enough to where it was needed if I didn't know that those lobbying for nuclear had been sabotaging funding for alternative energy sources for decades.

My suspicion is that nuclear is something we probably need more of, but it's really difficult to trust any of the evidence from those on either side of the argument given the history, and extreme articles of this sort only serve to polarise opinion.

All it takes to kill the private sector's enthusiasm for nuclear is to suggest that they pick up the clean-up costs -- interesting that, eh?

The Co-operative on application migration

Philip Hands

Co-op's policy on ethics?

I'm a co-op member, and bank with them at least in part because of their supposed commitment to ethics in business, which makes me wonder why they're willing to use suppliers who have been repeatedly convicted of abusing their market position, as Microsoft has, which strikes me as evidence of a certain lack of ethics.

It wouldn't be so bad, but they're wasting my money on second rate software, and thereby shipping money that could be spent in the local economy off to Redmond, via the Irish government's friendly tax rates, such that they don't even pay what would appear to be a fair level of local taxes on their takings.

What's worse is that there's Free Software available that would do the job at least as well, the development model of which fits in perfectly with the co-op's philosophy, and they're not using it.

Ian is clearly a bit of a dimwit -- hopefully he'll be out on his ear shortly like the folks who were foolish enough to try and run the London Stock Exchange on a Microsoft platform.

IPO finally begins peer review pilot to test patent applications

Philip Hands

I wonder if pointing out...

"This is a software patent [and is therefore not patentable]"

will be taken as a valid criticism.

I doubt it, given what's been allowed in the past.

Terrorists stamp on Indy's Kate Middleton jelly bean

Philip Hands


or any other nonsense you feel like, as it happens

US proposes online IDs for Americans

Philip Hands

It _could_ work ...

if it were done such that one could buy a key fob or similar token from one of a dozen manufacturers, depending on your needs, which device would generate a new key whenever one fancied, and would allow you to choose between one of several such identities.

Then you take your widget to the post office, or some such, along with your passport, a gas bill and your swimming proficiency certificate, and they sign your ID using public key crypto.

I believe that one of the ex-USSR countries has something pretty close to that in their ID cards.

If you think that one of your keys is compromised, you revoke the key, create a new one and go back to the post office for it to be authenticated. No enormous central database required.

of course, since no central database is needed, there is no chance of the civil servants supporting such a scheme, because of the lack of empire building opportunities.

One could imagine having a tamper-proof module built into phones for holding these keys.

at which point this becomes something like Dave Birch's psychic paper idea:


shame it'll never happen
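Added example, not from the comment above: the scheme it sketches, in Go with Ed25519. The fob generates a key, a registrar (the post office) signs a name-plus-key claim, and a verifier needs only the registrar's public key and a fresh challenge, no central database; rotating after a suspected compromise is a fresh key plus a fresh attestation. The names, dates and challenge are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Identity is one key pair generated on the holder's fob. A fob can hold several,
// so the holder picks which one to present; the private half never leaves the fob.
type Identity struct {
	Label string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

func NewIdentity(label string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Label: label, Pub: pub, priv: priv}, nil
}

// Claims is what the registrar checked against passport and gas bill before
// signing: a name bound to a public key, plus the date it did so.
type Claims struct {
	Name   string `json:"name"`
	Pub    []byte `json:"pub"`
	Issued string `json:"issued"`
}

// Attestation is the signed claims. The holder carries it; no central database holds a copy.
type Attestation struct {
	Claims Claims
	Sig    []byte
}

type Registrar struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewRegistrar() (*Registrar, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Registrar{Pub: pub, priv: priv}, nil
}

// Attest signs the claims for a key the holder brought in. Rotating after a
// suspected compromise is just a fresh NewIdentity followed by a fresh Attest.
func (r *Registrar) Attest(name string, pub ed25519.PublicKey, issued string) (Attestation, error) {
	c := Claims{Name: name, Pub: pub, Issued: issued}
	msg, err := json.Marshal(c) // deterministic here: fixed field order, no maps
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Claims: c, Sig: ed25519.Sign(r.priv, msg)}, nil
}

// Prove answers a verifier's fresh challenge with the fob key.
func (id *Identity) Prove(challenge []byte) []byte {
	return ed25519.Sign(id.priv, challenge)
}

// Verify needs only the registrar's public key: did the registrar vouch for these
// claims, and does the presenter control the key the claims name?
func Verify(registrarPub ed25519.PublicKey, att Attestation, challenge, proof []byte) bool {
	msg, err := json.Marshal(att.Claims)
	if err != nil || !ed25519.Verify(registrarPub, msg, att.Sig) {
		return false
	}
	if len(att.Claims.Pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(att.Claims.Pub), challenge, proof)
}

func main() {
	reg, _ := NewRegistrar()
	fob, _ := NewIdentity("everyday")
	att, _ := reg.Attest("A. Holder", fob.Pub, "2011-01-10")
	challenge := []byte("verifier-nonce-0001") // constructed; a real verifier draws a random one per check
	fmt.Println("genuine:", Verify(reg.Pub, att, challenge, fob.Prove(challenge)))
	stolen, _ := NewIdentity("someone else's fob")
	fmt.Println("wrong key:", Verify(reg.Pub, att, challenge, stolen.Prove(challenge)))
	att.Claims.Name = "B. Impostor"
	fmt.Println("edited claims:", Verify(reg.Pub, att, challenge, fob.Prove(challenge)))
}
```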

UK mobile punters get swift network switcheroo ability

Philip Hands

Porting Authorisation _Code_ (PAC)

... code

Open sourcers urged to adopt dancing poultry license

Philip Hands

Here's the thread at the OSI ...


Simon and the others seem to have missed the fact that clause 4 is optional, as it only applies to people who want to avoid distributing source, so the fact that some of the non-free users get discriminated against seems like an irrelevance to me.

The thing that is problematic to me is that it makes the chicken clause dependent on distribution of source, but doesn't really define which source we're talking about -- whether that was the source one got before any modification, or after any changes that went to make the binary being distributed. Even that doesn't seem to make it non-free, since if one behaved as though the software were under the GPL (except for linking it against real GPL software), it's clear that one would not then be obliged to dance, so it cannot be less Open/Free than the GPL.

It's a shame it's GPL incompatible though -- I could imagine using it for a laugh if it were not for that. Let's hope that this becomes another instance where the OSI and the FSF differ on their decisions -- it would be nice to have this as one in the grey area as being free but not open ;-)

MPs' IT support costs £1.122m

Philip Hands

or about 2k per MP's office

Which doesn't sound too bad...

except for the fact that my MP tells me that he couldn't get the IT folks to do anything useful with his mail for several days when the account to which he was forwarding his mail became inaccessible in a fumbled ISP move.

I'd imagine that many MPs are the worst combination of arrogant and clueless, so I'd probably want more than 2k/p.a. to support one of those, but the fact that they were unable to sort out an MP's mail for about a week, and so wasted a load of his time would seem to indicate that they're not earning the money.

Intel gifts world open source FCoE

Philip Hands

it's the hardware, and the software

In a stroke of genius, the folks that came up with Fibre Channel decided to use that name for the protocol that runs over the hardware, for the Fiber-optic hardware, and even for the copper cables that the majority of the kit I've seen seems to use.

So, you can do stuff like run Ethernet protocols over Fibre Channel copper wires if you want to max out your confusion.

Gov will spend £400k to destroy ID card data

Philip Hands

Let's spend another 100k

on an artist's time to take the debris and create an artwork that will remind future politicians what the British people think of this sort of nonsense.

I'd prefer it if the disk platters were left largely intact, so that one could tell the sign-ups that their personal data had been welded into an artwork, and if they didn't like that they shouldn't have been in such a rush to hand it over in the first place.

Assange 'threatened to sue' Grauniad over leak of WikiLeak

Philip Hands

@Ian Michael Gumby - "Ad Revenue"

You state: "The only one making money from it is Wikileaks because ... more eyes on their site and more ad revenue generated."

I'm stunned that, despite the fact that you've been spouting bile about wikileaks with such volume that one might be forgiven for assuming that you're being paid to do so, you seem not to have bothered visiting the site about which you are so exercised.

There are no adverts on the wikileaks site

Anonymous hacktivists fire ion cannons at Zimbabwe

Philip Hands


What else can you do?

How about something constructive?

What have I done in response to the Wikileaks debacle?

I set up a Tor exit node:


I could be devoting the 50 Mbit/s that machine is now consuming to taking down Mugabe's web site, but I think it's probably more important to allow dissidents and the oppressed unfettered access to the Internet.

If it was a little more runnable under Debian, I'd also be running a Freenet node. When the software wrinkles get sorted out, I'll almost certainly do that too.

Things like Tor and Freenet make the net much more resistant to authoritarian control, and can be tuned to use only whatever resources you can afford to spare. So when you get bored with running LOIC, please consider devoting the same effort to Tor and/or Freenet instead, and leaving that running long term.



That's not to say that I think that people shouldn't entertain themselves by attacking Mugabe and his chums. Having been to Zimbabwe a few years ago I'm fully aware of what sort of bastard Mugabe is, but I seriously doubt that he'll even hear about his web site being inconvenienced (not if the sysadmins want to be alive next week, anyway).

iPad's biggest rival? Microsoft's dead Courier

OOo's put the willies up Microsoft

Philip Hands

funny how a quick search on the contributors turns up...




Philip Hands

credit where it's due

Just in case the people who contributed quotes are upset about the fact that their names flashed by so fast as to be invisible, here's the list of quoted people for Google and posterity:

James Fleming -- Infrastructure and Support Manager, Speedy Hire

Jeff Cimmerer -- Director of Technology for the Pitsford School District

David Sterling, ICT Manager, Central Scotland Police

Bülent Türker, Product Manager, Scarves Department, SARAR Group

Eugenio Mariotto, ICT Director, Cobra Automotive Technologies

Eros Borgogelli, Information Systems Coordinator, Ciar

Eugenio Mariotto, ICT Director, Cobra Automotive Technologies (again)

Randal C Kennedy, InfoWorld

Tisome Nugent, Educator, Orange County Public School

Sergey Sakharov, Business Process Optimisation, Art of Transport Logistics

Darek Muraszko, Information Systems Administrator, Kaczmarski Inkasso

Igor Gentosh, Head of System Integration Department, Kredobank JSC

Tiziano Battilana, Information Systems Coordinator, Euromobil Group

Joerg Lenze, System Administrator, Heinrich Berndes Haushaltstechnik GmbH & Co. KG

Leonid Medvediev, Head of IT Department CISC SPC "Borschagivskiy Chemical and Pharmaceutical Plant"

Bailey Mitchell, CIO, Forsyth County Schools

I do hope that it improves their employment chances being involved in a FUD campaign in which most of them say things that boil down to "we didn't properly plan and fund the migration to an alternative, so the project failed and we had to scuttle back to mummy with our tails between our legs".

Microsoft confirms Russian pill-pusher attack on its network

Philip Hands

Re: Testing lab?

Yeah, I'm pretty suspicious about the claim that it was in a testing lab.

What are the chances that this was down to some PHB buying a shiny new router, and plugging it in in defiance of company policy, utterly failing to secure it, and then forgetting that they'd done it (hence making it difficult to find the thing)?

When such a scenario comes to light, do you:

a) declare that you have a moron in middle management, who plugged something unauthorised in near his desk (thus also admitting that your infrastructure has more general security issues).

b) describe the location as a test lab

Philip Hands

"Network Hardware Devices"

Microsoft called the things "Network Hardware Devices", which sounds more like an ADSL router or some such to me than a Linux Server. These days most commodity network kit is running Linux, and sadly the people that throw together the firmware for these things are often reasonably clueless and rushed embedded hardware engineers, who have no interest in whether the result of their efforts is secure, as long as it provides the main functionality that they've been told to implement. Then they kick it out of the door and forget about it, more often than not failing to provide the board manufacturer with the source, thus setting the manufacturer up for a GPL violation case.

If MS had such a widget in their test lab, well that's no surprise, they were probably checking that UPnP worked on it or some such. Being in their test lab, it probably had the Admin/Admin password still set. I suppose, depending on what exactly they were testing, it's even reasonable that it had to really be plugged into the Internet with no intervening firewall.

The problem is likely to be that quite a lot of these devices default to having ports like FTP and Telnet open on the outside. That is the fault of the rushed engineer that knocked up the firmware. There is also the person that set the kit up, and probably didn't immediately check that it had no port open on the outside, and didn't bother changing the password. The only thing you can really blame Microsoft for is not tracking the problem down more quickly after they were told about it.

Trying to use any of this to draw conclusions about the security or otherwise of GNU/Linux in general is moronic.

Rogue engineer supplied dodgy power to 1,500 homes

Philip Hands

He resigned, didn't he?

The implication that the circuits would need to be reinstalled in order to be safe seems a little odd. He was presumably fully trained and qualified before he resigned, so one might expect him to do at least as good a job when he's working for himself, as the bloke that's now doing his old job that's going to rewire it.

Presumably, the only difference is that EDF will now know about the meters, rather than him being their only EDF contact. I doubt that he'd manage to accumulate 1500 customers without a leak if he'd told people what was really going on, so presumably he's been telling the customer that he's signing them up with EDF, reading the meter regularly, and then knocking up bills for them.

Suspicions were probably aroused when the customer service was better than expected.


