* Posts by TonyHoyle

328 posts • joined 22 Mar 2010

Page:

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

TonyHoyle

Yes you can theoretically mitigate it on the AP - it effectively turns into a DoS on the client, which is in many cases preferable to leaking information.

Aruba are the first I've heard to actually implement this if so (Unifi only fixed client mode).

2
0
TonyHoyle

Unless your ubiquiti hardware is a client you did nothing.

This is a client side vulnerability not AP side, and there's little that can be done on the AP to detect it (and unifi have said they currently aren't tackling that.

Too many people are installing AP updates and thing they've fixed it. Nope. You need to update every wireless client.

25
0

Equifax mega-leak: Security wonks smack firm over breach notification plan

TonyHoyle

Well considering one was the CFO and one was the 'president of U.S. information solutions' the idea that neither of them knew of a significant data breach days after it happened is farcical.

8
0

Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

TonyHoyle

Re: Can't even be arsed to use an Equifax cert?

Also they failed to defensively register

equifaxsecurity.com

equifax2017.com

equifaxsecurity2107.com

equifaxsecurity2018.com

etc.

As a result they've all been registered by a mixture of people having fun and miscreants stealing data.

6
0

Firmware update blunder bricks hundreds of home 'smart' locks

TonyHoyle

They're probably hardened against that, being $800 locks.

It's like being able to open padlocks with bits of beercan or pick locks in about 10 seconds flat (I've seen an electric lockpick in action.. 10 seconds is an outlier - it's probably quicker than using the key..). A *lot* of locks are just security theatre, but most burglars don't know that, and of those that do, they'll go after the easy ones rather than the hard ones, so all you have to do is make sure you don't get your lock from the bargain bin like your neighbour did and you're probably safe

0
0
TonyHoyle

I lost count of the number of companies that would publish an email support address that would just autorespond with a phone number. I don't get the mentality.. To badly misquote yoda.. have an email or don't, there is no middle ground.

0
0
TonyHoyle

Given the price I'm at a loss why it didn't have backup firmware and switch to that when the update failed. The kind of thing that has been standard in consumer upgradable devices for years.

But that would have cost them 10p, and required them to give a shit.

1
0

Blighty bloke: PC World lost my Mac Mini – and trolled my blog!

TonyHoyle

I'm not sure their reservation system actually does anything.

For various reasons I needed an extra hard drive caddy.. could have got it next day from amazon but this couldn't wait, so I did a 'reserve' on the PC World website and set off up there... so arrived maybe half an hour later. It's a £10 fairly common item.. should be easy, right?

They had the reservation on their system, sure, but it took the staff completely by surprise that anyone would actually want to pick one up - it took multiple staff hunting around the back of the store.. I was stood at the till for another half an hour before they turned up with the caddy. I would have walked out, but needed the damned thing.

In my head a reservation would mean that a little thing would pop up and a minion would go to the right place in the stock room (catalogued.. if your'e searching for stock you're doing it wrong) and put it behind the till.. 2-3 minutes tops. That's clearly not what happens..

4
0

US ATM fraud surges despite EMV

TonyHoyle

Re: Speed

It also says a lot about how much verification was going on with the magstripes ie. none.

The longest I've had to wait was 30 seconds which is generally small shops with handheld cheap readers. In larger stores it's so fast I've got the notification the money has gone from my account before the receipt printer has finished printing.. it's sub-second.

2
0
TonyHoyle

Heck, modern cards here don't even *have* a functional magstripe any more. Clone the magstripe on my card and you got some random data, congratulations.

The US is oddly behind on something so simple.

3
0

Global IPv4 address drought: Seriously, we're done now. We're done

TonyHoyle

Re: IPv6 is fundamentally broken

That would be ipv6 then.

Although cripping the network using NAT would be just cutting your hand off to spite your face, given that address randomisation means you're not trackable anyway.

11
10
TonyHoyle

Re: IPv6 usage soaring?

1 in 6 is a bit low considering how many users are on large ISPs which have enabled ipv6 like Sky and BT.

A home user that does nothing special will be running it without knowing or caring.

1
1

Smart Meter rollout delayed again. Cost us £11bn, eh?

TonyHoyle

Re: Free?

The electricity companies are refusing to install smart meters in houses with solar PV stating that smart meters can't work with them, so whatever the standards might say the companies that have to actually implement this stuff say they don't work.

0
0
TonyHoyle

Re: What's the advantage to the consumer?

I did wonder how people were quoting those repayment times.. I reliably calculate 20 years.. I did pay quite a bit more than they cost now, but I have the higher FIT to make up for it.

In practice the effect on energy consumption is minimal. They work during the day when I'm at work and the house is just drawing baseline, and don't work in the evenings when I'm at home and everything is on. Hence in practice they might have saved maybe £5 a month, except in winter when they rarely even generate baseline.

FIT is around £300-£500 a year. £8k initial cost. 20 years is about right. Not that I mind - those are the same calcs that I was seeing online when I initially bought them - wanted them because they're cool tech not because they save money.

0
0

UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

TonyHoyle

Re: VPN?

It's not harder at all - You'd block the /64, since the bottom 64 bits refer to a local network and can change fairly easily (/48 possibly if you want to block an entire site owner).

0
0
TonyHoyle

Re: This is the last backdoor

It's an interesting problem. Triggering a warrant canary - even by inaction - could be considered informing the public, so in that case can the law compel someone to lie?

You could even contrive a warrant canary such that the only way to fake it would be to break the law. Can the law compel someone to break the law?

3
0
TonyHoyle

Re: stumbling blocks

The definition is so loose that running an open wifi point could make you one. A&A used to (possibly still do) have a check box you could set saying 'I am a CSP'.

1
0

vSphere has been moved onto VMware's slow development train

TonyHoyle

Definately not out of the door.. I can't see anything but a press release hawking features.

3
0

Mozilla wants woeful WoSign certs off the list

TonyHoyle

Re: What about the other browsers?

They probably will, if these allegations are proven.

0
0
TonyHoyle

Re: Get in first

And the startcom certs, since they're essentially the same company.

That's likely to have a bigger impact.

0
0

Action Fraud warns of fraudulent anti-fraud warnings posing as Action Fraud

TonyHoyle

The problem is bank's ludicrously bad 'fraud detection' requires you to answer the phone otherwise they block all your cards because you apparently buying the same things you do every month is somehow suspicious.

You get a call from mumbai from someone with an accent so thick you can barely work out who they're from, demanding private information for 'security' and if you fail to answer correctly good luck spending any money for a whille.

It's a real concern. Banks should be hauled over the coals for it, as it not only encourages - even requires - behaviour that makes you vulnerable to fraud, they don't offer any alternatives - A simple text saying 'call the number on the back of your card' would suffice, but nope..

8
0

Spoof an Ethernet adapter on USB, and you can sniff credentials from locked laptops

TonyHoyle

Why would it become a route for any network traffic? The OS shouldn't be changing its default route on a whim because something answered ping faster (maybe windows does, but I'm sure even MS aren't that stupid, surely?).

4
0

Got a pricey gaming desktop from PC World for Xmas? Check the graphics specs

TonyHoyle

Maybe have a word with HP?

The 980 is listed as an option for that machine..

http://www8.hp.com/uk/en/products/desktops/product-detail.html?oid=9014466#!tab=specs

Or, maybe it works just fine and the article is bollocks?

21
0

Facebook arrives at commonsense 'real names' policy

TonyHoyle

I have a friend who has been forced to use a fake name because of this policy.

The name that everyone else knows him by was unacceptable to facebook because it isn't on his birth certificate, so he made up an obvious bullshit fake name and apparently that's fine...

3
0

UH OH: Windows 10 will share your Wi-Fi key with your friends' friends

TonyHoyle

Re: A Stalker's Dream

Yeah I don't really know how you enforce WAN access only... The windows device has the password. This must be reversible to work, so it's only a matter of time (hours, days) before you can download a tool that tells you the password which bypasses the restriction.

Also, how do you restrict.. I can't see it being particularly troublesome to bypass that. Once you're on the network you have access to that network - simple software blocks (under the control of the attacker, no less) simply won't work. You could simply dump all the now unencrypted traffic straight off the wifi interface & get loads of information.

0
0
TonyHoyle

Re: Bear of little brain is confused...

Basically the password is tied to the BSSID. You have 100 friends, all the networks that they connect to will be stored on your computer somewhere with reversible passwords.

That's quite a lot of passwords.. and I reckon it'll be about a day before you can download a tool to print out all those passwords (and malware starts dumping it across the internet).

0
0
TonyHoyle

Re: The moment I saw that option I turned it off and it will remain off.

Problem is.. can you be certain that everyone who visits your house has it turned off? your kids' friends?

I'm hoping there's some network based countermeasure that can be put in place to block devices with it enabled, or at least block devices using it (those that have not legitimately been given the password).

0
0
TonyHoyle

Re: Off

At home I found freeradius an absolute pig, but the LDAP I have using FreeIPA which does the trick for home.

Most of my devices don't allow WPA Enterprise though... not even the xbox one which is fairly recent. Or chromecasts.. so I still need a password based network for those. I'll have to invest in other countermeasures to defeat wifisense.

0
0
TonyHoyle

Re: MAC filtering is a waste of time

MAC filtering is a waste of time against attackers.

Against random windows 10 boxes connecting to your network because microsoft have given away all your passwords, it's quite effective.

1
0
TonyHoyle

Re: Nothing new here

I would really hope that it didn't apply to WPA Enterprise, otherwise it'll be sharing windows login details all over the place.

In small companies it's not uncommon to use a single password (smaller companies rarely have the requisite radius server setup or the experience to run one).

At home of course, it's all passwords. That said, from what they're saying you can detect wifisense users - it's saying they can't access local resources somehow.. in which case you can configure a network to break access for such users (for example redirect the first request outgoing to a local portal... if they don't click OK on that - which wifisense users won't be able to do - then no access).

1
0

Finally, Mozilla looks at moving away from 'insecure' HTTP. Maybe

TonyHoyle

Re: Not https as it is right now

Self Signed plus DNSSEC plus a signature in DNS is enough to verify that the site is what it claims to be at least as far as DNS goes (which is good enough for 99% of cases.. it flags MITM and government/corporate snooping which is what we're interested in).. DANE solves the same problem.

No browser manufacturer has shown any interest in implementing anything like it - it does make me wonder if the CAs are pushing brown envelopes in their direction sometimes.

That said, who cares if HTTP is 'insecure'. My home page with pictures of random stuff on it? Who give a stuff if someone can read that on the wire?

4
0

Landlines: The tech that just won't die

TonyHoyle

Re: Call filtering

The TPS is simply not enforced.. it even says when you report a violation (or said, about a year ago before I gave up on it) that individual reports are only aggregated.

In fact, a quick google shows it's worse.. http://www.bbc.co.uk/news/business-22833965

You're *more* likely to be called if you're on the TPS, because the 'direct marketing association' just sent out a big list with your number on it..

8
0

What do UK and Iran have in common? Both want to outlaw encrypted apps

TonyHoyle

Re: Am I a wrung'en?

If they MITM SSL you just wrap SSL in SSL.. they still only see encrypted traffic.

Not that it'd happen - ecommerce and banking, and therefore a large part of the economy, relies on secure financial transaciions.

5
0

Hilton, Marriott and co want permission to JAM guests' personal Wi-Fi

TonyHoyle

Re: Boycott those hotels

It does seem that way.

A couple of years back I had the chance of the Hilton for one price on special offer and a 'cheaper' hotel for the same price. I took the Hilton offer.

They then proceeded to charge for *everything*. Parking.. (first time I've *ever* had to pay extra for parking at a hotel), breakfast, even though the offer said 'included', wifi was a stupid price, 1 channel of TV and everything else extra, the bar and restaurant were eyewateringly expensive, etc.

I've never been back. Nowadays I always look for the place with reasonable wifi first and avoid the 'well known' brands.

0
0
TonyHoyle

Re: Do wireless signals know the boundaries?

Some of them already are - I've been in a few hotels where the mobile signal mysteriously dropped to 0 the moment you walked in the door.

0
0
TonyHoyle

Wow.. wifi in wards? The local one goes apeshit if they even see a mobile phone switched on on the wards, or any electrical device.. you'll be ejected if you don't switch it off immediately - that that's not on the critical wards either.

The only internet access is through their overpriced and shitty 'patient line' (which thankfully was completely broken when my wife was last in hospital, as it was £30 a day and that mounts up over a couple of weeks).

I've quietly scanned a few times and there's no 2.4ghz or 5ghz anywhere even in outpatients, or at least nothing obvious.. they could be using a proprietary protocol of course.

2
0

FTDI yanks chip-bricking driver from Windows Update, vows to fight on

TonyHoyle

Re: Question - what about MS folk who already installed?

Indeed I actually had this happen last week. I had a USB->Serial I'd been using in linux, and for a specific application needed to plug it into windows. Instant brick. Windows wouldn't even enumerate it, and neither would linux afterwards.

I'm fairly technical but I hadn't heard of this 'feature' of the FTDI driver at that point and nothing I could do could poke it back into life, so it went in the bin. It was, as far as I can tell, a 100% genuine cable (bought from an established site, not ebay) so it was a false positive too.

In future I'll ask what chipset is used and stick to PL2303, as they've never failed on me.

2
2

THREE QUARTERS of Android mobes open to web page spy bug

TonyHoyle

1. AOSP has not been killed off, and I've never heard anyone suggest that it would be. They're talking about the AOSP *browser* which has been replaced by Chrome.

2. 4.2.1 is not 75% of phones. The entire 4.2.x series is only 20%, and 4.2.2 would be the majority of that - and 4.2.2 was released 18 months ago. Note the CVE relates specifically to 4.2.1. You can't even get close to 75% by adding all the previous versions together (which would be bogus anyway unless you could prove it existed right back to froyo/gingerbread).

So bug exists in a small % of old phones. Other than saying 'time to upgrade' what are people expected to do?

5
4

Nuts to your poncey hipster coffees, I want a TESLA ELECTRO-CAFE

TonyHoyle

Re: I feel like I'm living in an alternative reality sometimes.

It's mostly press exaggeration... gets hits. The only place I haven't been able to get HSDPA is in the middle of wales, and apparently that was just O2 being shit (three have better coverage there).

In villages like the one I'm currently sat in there's nowhere that doesn't get plenty of signal.

OTOH one of the reasons to use free wifi is it doesn't come off your allowance - I pay £2/mo plus data, but that data is quite pricey, so free wifi is a net win.

0
0
TonyHoyle

The local greggs has free wifi and continental style outside tables. They're the ideal breakfast/lunch destination.

0
0

FAKE Google web SSL certificates tip-toe out from Indian authorities

TonyHoyle

Re: DNSSEC

DNSSEC + DANE does seem the best route, but DNSSEC rollout is basically nonexistant (none of the major banks even use it), and DANE isn't supported by any browser - it was added to Chrome then pulled.. they cynic in me says verisign is pushing out a lot of brown envelopes to keep it that way.

1
0

Austrian Tor exit relay operator guilty of ferrying child porn

TonyHoyle

Re: Botnet

Spreading the packets across multiple exit points means that no one person has transmitted anything illegal, however I wouldn't put it past someone to define 1% of a CP image as equal to the entire image and lock everyone up..

Basically the authorities don't want TOR around, so they'll use any method to kill it. VPNs will be next, if they can find a way of legally distinguishing between business and private ones.

1
1

You THINK you're watching your LG smart TV - but IT's WATCHING YOU, baby

TonyHoyle

Re: For shame

Example of an LG TV with spying enabled and no option to switch it off:

http://revk.www.me.uk/2013/11/wtf-lg_19.html

Maybe they 'fixed' the buggy option by removing it completely...

1
0

'Not even Santa could save Microsoft's Windows 8'

TonyHoyle

Re: How things have changed....

Install StartIsBack (if Start8 if that's more your style). Banishes TIFKAM to a distant memory (although you can still invoke it if you really want to).

Win8 without the metro bloat is a pretty competent upgrade to Win7.

1
7

Which qualifications are worthwhile?

TonyHoyle

Support is the wrong place to start

If you start at entry level support you're a receptionist. The reason the bar to entry is so low is you're not expected to know any IT and you won't have any chance to learn any either.

Agreed with much of the above - if the reason you want to get into IT is for the pay etc. then you've picked the wrong career. That ship has sailed.. I earn only 60% of what I did 5 years ago and my job is harder. And that's normal. The days of 20%+ annual pay rises are long gone.

OTOH if you're doing it because you like working with computers then it may be worth doing, but start at entry level programming not support... and you're going to have to get whatever qualifications are 'trendy' at the moment to get your foot in the door* (haven't heard of any of the ones mentioned above.. when I did it it was HND at a minimum), then be treated like shit for at least 5 years before you have the experience to work your way up the ladder. That much hasn't changed.

* The qualifications won't actually tell you anything - if you've got any interest in computing at all you already know everything (and more, probably) they're likely to teach - but without them your CV will be straight in the bin.

** Thinking about it, we have no formal qualification - it's all experience, and we don't read CVs until late in the recruitment process, if at all.. but as a small company we can get away with that. Larger companies often use recruitment companies - who basically strip your CV for keywords then match with requirements and send everyone to interview who appears to match. Hence having a CV with lots of relevant qualifications/buzzwords on it is essential.

0
0

Search engines we have known ... before Google crushed them

TonyHoyle

And all the 'under construction' gifs.

Then there's the ultimate horror.. the marquee tag.

2
0

Dixons returns to profit in UK, rubs hands as Comet circles drain

TonyHoyle

disxons? souk?

If I wanted spelling that bad I'd read the daily mail!

0
0

Want to run your own Apple shop? Start with £70k of German chairs

TonyHoyle

Re: Planning restrictions

..and if you're in a shopping centre you have no choice on those specifications anyway.

The local apple store is barely a cupboard - I bet they don't meet their own standards!

1
0

Apple, Spotify, Amazon: All your Cloud are belong to us, says firm

TonyHoyle

"Method and System for Supplying Products from Pre-Stored Digital Data in Response to Demands Transmitted via Computer Network"

Lolwut?

FTP predates that by some years

UUCP even further

How in *hell* did they get a patent on that.

9
0

Design guru: Windows 8 is 'a monster' and 'a tortured soul'

TonyHoyle

"The worst gesture might be the one to reveal the list of currently running applications: you need to first swipe from the screen's left edge, and then immediately reverse direction and do a small swipe the other way, and finally make a 90-degree turn to move your finger to a thumbnail of the desired application. The slightest mistake in any of these steps gives you a different result,"

Seriously?!!!

How in hell did anyone even discover how to do that in the first place?

8
1

Page:

Forums

Biting the hand that feeds IT © 1998–2017