* Posts by PrivateCitizen

175 posts • joined 12 Apr 2010


Ransomware drops the Lillehammer on Norsk Hydro: Aluminium giant forced into manual mode after systems scrambled



I can't see any indication that this was a wormable version of ransomware, so if they have had 000s of devices infected (rather than just the fileshares between the devices encrypted) then it implies they've been hit by a massive phishing campaign, failed to filter their email and been hammered for it.

Realistically, if they'd met the almost joke-like standards of Cyber Essentials, they'd probably have been ok.

Lauri Love's US extradition appeal judges reserve decision


Re: Just send him over there and good riddance.

He committed a crime (Let's be honest here and not use any 'allegedly'), and broke into a hornet's nest in terms of targets, the US Government.

Really? If that is the case then why are the US Government looking to try him? Surely he has already been found guilty and convicted?

The US want to try him on their terms, well it was their computers, in the US, where the actual crime took place, that Love chose as his intended victim.

Few things work this way. Love seems unlikely to face anything looking like a fair trial in the US (where lots of people share your opinion that he is guilty without going to the trouble of checking evidence) and the punishments he faces are significantly different from the ones he faces in the country which has a duty to protect him. This is not how most laws work.

Jingle bells, IBM tells more staff it is D-day ♫


Re: Insanity?

Amazingly, cutting costs by offering a service that customers might consider suboptimal has not turned things around.

This. A million times this.

IBM generally provides services which are so mediocre you'd have to assume that some form of backhander or bribe has taken place for them to be engaged. It now looks like they are going out of their way to make it worse by generating an environment where anyone who is good enough to find a new job will do...

No IT service manager in their right mind should consider engaging IBM now.

Insurers may have to adjust policies to reflect 'silent' cyber risks


Re: Wonders aloud...

I hope so, simply because I want to see what the results are.

Company: "Dear insurer, I decided to save money by not patching a critical system but still connected it to the internet with SMB wide open and I got ransacked by WCry. Please pay out on insurance"

Insurer: "......................."

'My dream job at Oracle left me homeless!' – A techie's relocation horror tale


Re: If he had been in the UK

They would not have had the right to sack him as he was not in work due to his disability, which cannot be counted as sickness.

Good job you aren't practicing as an employment lawyer.

Reading TFA it said "When I returned to work I was informed that I will not pass the probation time and that I am fired immediately,". He wasn't sacked for sickness; he simply wasn't retained during probation. In the UK this can happen at any point within the first two years of "employment" and most of the time the employer doesn't need a reason and the employee has no right to a tribunal.

The Equality Act 2010 (which I assume you mean rather than DDA 1995) doesn't give protection here.

Hackers able to turbo-charge DJI drones way beyond what's legal


Re: DJI can't police this.

DJI aren't the only route to drone ownership and at least should be commended for having a stab at drone safety restrictions for the uninformed masses.

I don't fully agree. DJI can't police people misbehaving with drones but they can police what happens with their own code and drones. They have obviously felt the need to put some application code in place to limit the drone but haven't felt it was worth doing this properly.

This is probably the worst option for them to take.

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide


Re: The real blame goes to..

Only very belatedly.

But before malware was publicly identified exploiting it with WannaCry (as an example).

NSA have no excuses whatsoever for sitting on this stuff and letting it become a global problem.

They have lots of excuses but that is largely irrelevant. The issue is organisations have NO EXCUSES whatsoever for failing to deploy patches that are issued. Unless of course we say the criminals who deployed the malware are really to blame here.

Sophos waters down 'NHS is totally protected' by us boast


Re: Ransomware is ...

Sophos would flag this pic!!

It depends...


How Rogue One's Imperial stormtroopers SAVED Star Wars and restored order


Sadly, very sadly, this request has been denied.

Information on smart meters? Yep. They're great. That works, right? – UK.gov


Re: estimated net "benefit" of £5.7bn by 2020

@Phil W

Have you any reason to believe that this function on a smart meter is any less accurate than that of a conventional meter?

No but that wasn't the real point. I suspect the read out on the smart meter will be just as accurate as the read out on the conventional meter. However having to regularly check this defeats the time saving the OP claimed.

However there is a side issue - the smart meter can be remotely configured to change the charging rate or the flow measurements etc. This means a malicious party can change things in a way that can't be done with a conventional meter.


Re: estimated net "benefit" of £5.7bn by 2020

The benefit to ME is paying an accurate bill monthly (or quarterly) without having to dick around taking and submitting readings myself.

So for me, the dicking around submitting readings adds up to about 5 minutes, once a quarter so a smart meter will save ME about 20 minutes a year. Not a lot and potentially wasted by the time I spend reading articles about them.

More importantly, the accuracy problem remains. If I don't check myself, or have some way of verifying, how would I know the power company isn't simply making up the bill - or a mischievous script kiddie has pwnd the system to raise and lower bills at random?

If I have a smart meter that I have to check (or even adjust) then a tiny bit of effort will definitely wipe out any value it has offered.

Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?


Re: Be Careful What You Wish For...

So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet,

Isn't this sort of the point? The Dyn attack was supposedly driven by generic "IoT" devices like fridges which are internet connected without any security but the problem is anything internet connected without security is creating a risk.

Smart TVs without security are just as much of a problem.

The problem, as Schneier has said, is that the manufacturers don't care and the purchasers of each item don't care but the attacks affect everyone. This means that deep down the manufacturers & customers are actually paying a bit more for everything else as the security controls have to be implemented in more expensive areas.

Tesco Bank limits online transactions after fraud hits thousands


Re: Big data angle?

Always the way - first rule of crisis management is to blame [north korea|china|russia], call in the NCA and then use that to cover for the complete lack of security funding over the last decade.

Whatever the outcome, no matter how many 15 year olds end up getting arrested, this is still perceived as more cost effective than actually implementing half decent security processes.


Re: Banking license?

Mark / defiler,

I agree it is a fair question but I don't think there is an easy answer.

In this incident, ~40,000 people have been affected. If the FCA pull Tesco Bank's licence, ~8 million people are affected. I agree something should be done, but is this the right thing? (However, I have no idea if the FCA considers things to this level, it might simply be a toothless tiger).

One point to consider is that this is a risk to the Bank not its customers. In theory, no customer should lose any money from this and Tesco are obliged to refund all the affected accounts.

This kind of means the breach is a fine on Tesco for shit security. Seems the hackers are doing the FCA's job for it....

Web security still outstandingly mediocre, experts report


Re: How do they know?

But it'd be very interesting to know how they know about the crackable login-password pair.

Normally it means they have actually cracked them. Generally this is because someone either left the defaults in place or used an easily guessable password (admin, password, pa55w0rd etc). It's unlikely that the theoretical attack would be noted here.

England expects... you to patch your apps and not just Windows


cars aren't computers (yet)

Most users just expect their PCs to work. They have no more wish to be IT specialist than they wish to get their hands dirty servicing their cars.

I am not sure that is a viable model.

When you buy a car, you get everything from the manufacturer that you are going to use for the lifetime of the car (and this is ignoring the recalls, services etc that cars need). You also have to pay for insurance, tax and, importantly, pass a test showing you have practical competence before you are allowed to use the device.

Can you imagine saying I want an MS PC which can only run the MS software available at the time the PC was released and can only visit MS websites to make sure no browserpwnage takes place?

Then finding out that every 6 - 12 months (depending on how often you use the computer) you need to take it back to an MS approved dealer to have it serviced and whatever the analogies for tyres / windscreen wipers / washer fluid etc are.

Added in to this, you have to pay £400 a year to insure your device in case something you stupidly do causes a problem for other internet users, you have to pay an annual tax to be allowed to surf the internet (not just ISP fees), and you can only buy it if you can prove you have learned enough to use it safely. In the event you do anything risky you get points on your computer licence and should you get hacked and it causes problems for other internet users you get fined or go to jail.

The reality is, people don't want to be IT specialists but want to put their computers through all kinds of unexpected activities. They attach disks they get off their mates, they plug in USB sticks, they visit sites, they click "accept" on pop ups and they (willingly or otherwise) install vast quantities of random software. They need to understand more about what they are doing or stick to living in the walled gardens of Apple devices.

DNS devastation: Top websites whacked offline as Dyn dies again



"Politically, we need international treaties which provide that anyone who screws up the Internet, regardless of where they are, will be arrested and tried for it. "

Does this include the countless people / businesses / etc who cut every possible corner to produce cheap IoT style gadgets because they don't really give a toss about how they could be misused?

Yes, the skids who launched this attack need to be identified and punished, but then so do the people who fundamentally fucked everything up so much that a bored kid can take down the internet.

Render crashing PCs back to their component silicon: They deserve it



Ignoring the article, whoever took that stock photo should be shot.

There is no way that anyone would have punched through anything with their fist in that position....

Hackers unleash smart Twitter phishing tool that snags two in three users


Re: Puzzled

Given that this tool will likely create a reasonably-relevant Tweet which presumably would send me to a compromised page how the hell am I supposed to protect myself against this?

Harden your device - patch, control permissions, lock down apps, go via a proxy/firewall and have an up to date, working, AV.

Don't focus on the short URL threat otherwise you'll just as easily get pwnd by a flash based advert hosted by Yahoo on a legitimate website.

Short URLs are a PR gambit to talk about hacking threats - they aren't significantly worse than clicking on any URL to a website you don't know, even sites you do know can have compromised pages.

77 per cent ignore company social media policies


Re: Using social media to learn?

Ok, I am finding it odd that I (without a facebook or instagram account) am sort of defending social media but:

still I have *never* seen a result which takes me to any of the social sites. Apparently that's how useful they are for my work.

There is more to learning than acting as a memory resource. Social media is (on the whole) a transitory environment so the key is learning new things. As an example when a brand new problem occurs in System Centre, people will announce and talk about it on social media. This is learning. Then when people fix the problem it will migrate to blog posts (also social media but more old-fashioned now) and tech articles (often on blog engines anyway).


Re: Using social media to learn?

I have YET to see ANYONE on the job who is learning something job related from social media bullshit.

I suspect a lot of this is down to a combination of what your job is and who you follow on [social media platform of choice].

As an example, Twitter is a very good source of information security news around new exploits and what the impact of those exploits are. The key is to not follow social media luvvies but instead follow the people who know what they are talking about. These are global platforms with every type of person talking - you can choose to filter out the idiots, the vapid and the trolls.

Friends with benefits: A taxing problem for Ireland in a post-Brexit world



I was trying to distinguish the people native to Gibraltar - much as the Welsh are native to Wales - from people living there from other Commonwealth countries like New Zealand.

Ok - thanks but I am still not sure I get the point or question here.

British Citizens can vote, so the 'natives' in Gibraltar can vote in the same way that the Welsh can. Even English people living in Wales get to vote (and they get to vote in Welsh Assembly Elections).


Commonwealth citizens in Gibraltar also get a vote - so presumably do the local Gibraltarians?

What is a local Gibraltarian? Do you mean the British citizens born and living in Gibraltar or something else?

Telco bosses' salaries must take heat for cyber attacks, says MPs' TalkTalk enquiry


Re: on bail

It isn't clear but Wikipedia helps: https://en.wikipedia.org/wiki/Bail#By_police_before_charge

"This is deemed to be a release on bail in accordance with sections 3, 3A, 5 and 5A of the Bail Act 1976."

GitHub presses big red password reset button after third-party breach


Re: Two factor authentication or lockout as I call it.

Two factor is different from two step authentication.

If they want a user name & password then some form of memorable information, it is still single factor authentication.

Lester Haines: RIP


2016 sucks

This is shocking news and my heart goes out to his close friends and family. I am truly saddened to read this and there is nothing I can really add to what everyone else here is saying.

This really is a crap year.


Password reset: 45 million creds leak from popular .com forums


Automated Registrations - Bots

Ok, I am now leaning towards this being more a case of the forums managed here are just drowned in bot registrations.

A quick search for yagjecc826 (as an example) points to lots of password dumps with user names like:




Further checks associate these passwords / usernames with gmail accounts such as:







This strongly points towards the forums being swamped with bazillions of bot-users.



Are they system generated passwords issued to new users and then never changed (or the user accounts were simply fake and never used)?

Are they MD5 collisions?

Microsoft buys LinkedIn for the price of 36 Instagrams


Windows on Linux

Of course, to me the dream would be to just have the Windows 7's UI as a Desktop manager on top of a Linux distro and get AD ported to Linux and then we'd never have to see Windows on the server or desktop ever again.

This would just teach you to hate your Linux distro instead of Windows.


Re: Bonkers


This adjustment is a rounding error.

I agree. While the shares are slightly down over a couple of days ago, on a larger timescale it's not really noticeable.

Using share price to gauge the long term value of a business decision always seems a bit irrational to me.

Bloke flogs $40 B&W printer on Craigslist, gets $12,000 legal bill


Broken laws

Costello claims he didn't get the requests, but under Indiana law, as he didn't respond to the request within 30 days or attend a hearing on the matter, then the legal rule is that he admitted the liabilities and damages by default.

So, hang on. It is possible for a serial litigant to say he sent a request and then 30 days later the victim has legally admitted liabilities?

Do they understand the concept of proof of postage?

London NHS trust fined £180,000 after second bcc fail on HIV email list


There's no two ways about it, personal liability is needed.


The problem here is NHS Chief Execs / "leadership" teams get bonuses and promotions by cutting costs. This means that lower quality staff are hired, training is curtailed and pressure is piled on the few competent workers who remain.

In this environment, breaches are inevitable.

However, when they happen, the PUBLIC as a whole takes the hit, not the people directly. The fine comes out of the NHS operating budget while the management continue to get their bonuses.

There's more to life than Windows


Re: It's late. I'm up with a whelping Greyhound. I shouldn't post ... but ...

"When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops."

I'll fade that bet ... Not a snowball's chance in hell, in fact.

If you took that bet, you'd probably lose as all he says is the "chances are" - not that you "are." This means your experience of a different environment isn't enough to falsify his statement.

The reality, for better or worse, is that the majority of corporate environments will use Active Directory to manage a server farm where most devices have a little windows logo.

This year's H-1B visa lottery jammed full in just six days


Re: In my experience, there's always a shortage of the highly-skilled workers ...

We're quite prepared to pay above the normal market rate if we find someone good - but they seem to be very thin on the ground.

If you are paying above market rate and still not getting applicants, then the probability is that there is something else about your company putting applicants off. If this wasn't the case, you'd be poaching skilled workers from other employers.

From what I've seen, the claim that IT skills in [area] are lacking is a bit misleading as the salaries and contractor rates being offered for [most skill areas] are around the same levels as they were in 2008 (allowing for inflation at best).

Using "Cybersecurity" as an example - because this is the big one trumpeted as missing skilled workers. In 2009 a good cybersecurity professional would command a salary of £55 - 65k or a contract day rate of around £600pd. CLAS consultants (whatever your opinion of them) were on more - often hitting £800pd.

Fast forward to the end of 2015 and the salary is around £60 - 70k with contractors on around £500pd. CLAS consultants have it worse, having dropped to the prole rates of £400 for a while, they are back around £550ish.

Hardly an example of market forces reacting to a skill shortage.

Skill shortage appears to be short hand for "we don't want to pay very much for this skill so intend to offshore it for pennies and don't really care about the quality of the work."

Computer says: Stop using MacWrite II, human!


@Lee D: I would love to know where you work so I could submit some tenders ;-)

Even if the pay isn't great, it seems like the hiring standards and work expectations are low enough for it to be profitable.

GDS gets it in the neck from MPs over Rural Payments Agency farce


Dr Syntax

"It's a consequence of seeing anyone who does the work as an expense to be outsourced to the cheapest bidder rather than the core of the operation and as a possibility for the next generation of managers. "

I wish I could upvote you more than once for that alone.

Hack VMware, score US$75K. Hack Flash, get much less



Hack VMware, score US$75K. Hack Flash, get much less

To be fair, if you pop Flash in both MS Edge and OSX Safari you get $25k more than escaping the VM.

Doctor Who: Nigel Farage-alike bogey beast terrorises in darkly comic Sleep No More


Re: Apart from the chance to offer a gratuitous insult to Farage...

To be fair, I watched it and thought it looked like Nigel as well............

UK.gov finally promises legally binding broadband service obligation – by 2020


Re: What use is a "right to request"?

That's why there are rural communities with no mains gas, or with cess pits.

In my case it is no mains gas, septic tank waste disposal but close enough to the big lights to get 40Mbps broadband dirt cheap.

The problem is exactly as you have described - the obligation to supply may be there but the service providers just set a rate that keeps it out of reach.

TalkTalk attack: Lad, 15, cuffed by UK cyber-cops


Re: Are we to believe this is the work of a 15yr old ?

On a serious note, why not?

If the attack was fundamentally an SQLi, then yes - it is pretty easy for a 15 year old to manage that (metasploit + YouTube tutorials + Computer + broadband = pwnage).

The reality is that most times a company gets popped, despite all the claims about how sophisticated the attacks are, it really boils down to a bored kid with a good imagination and access to a computer. Nothing more, nothing less.

Outlook.com had classic security blunder in authentication engine


Re: Here's a question:

I have to agree - this is EXACTLY what data protection laws are for.

Only if you mean "personal data" rather than "data."

If you ignore this distinction, then things are going wrong.

'10-second' theoretical hack could jog Fitbits into malware-spreading mode


Re: Phew

I am glad you understood that sentence. It seemed to me that a crucial word or two were missing.

US Cyber Command floats $460m contract to outsource most of itself


Re: not surprising

The military doesn't have a pay scale to afford experienced people, who could be making upwards of $100k per year, rather than the pittance that the US pays service members.

So rather than pay its soldiers well, the decision was made to outsource to a more expensive provider?


Now it's the security industry's turn to be burned by cloud


Re: Why pay

I've always thought WAFs were little more than a nice front end for Mod Security and it seems that Amazon have just come up with a way to monetise it while simultaneously undercutting most WAF providers.

Top QLD sex shop cops Cryptowall lock; cops flop as state biz popped


Get a 2-3TB sata or usb 3.0 disc, and backup all your data there daily.

A reasonable idea as long as A) this is enough and B) you have the time and patience to do this.

A 1TB backup would take around an hour to complete each day and this doesn't include the time required to test the validity etc. If you are a business which pretty much runs on emails, purchase orders and contracts this will probably be enough (especially if you only backup diffs) but if you need to back up any types of content then you might discover 3 TB is insufficient pretty quickly.

I agree it needs to be off-line as if the device is connected at the time the ransomware is running, you can say bye bye to all the backed up data as well.


Re: Time to move to North Queensland and set up as a general tech

Clearly, there aren't decent ones in the area.

Apparently not and not just for that howler either.

It seems that a number of small businesses have saved $300 on a NAS and $300 on a bit of tech advice to run their backups..... then are whining that their tightfisted approach to what appears to be a business critical system has cost them $1000.

Shocking approach to IT.

Layabout, sun-blushed techies have pick of IT job market, says survey



There are quite a few things confusing about this, but then we have to keep in mind that this is KPMG survey so they are skewing it in their own interests.

1) Permanent jobs are not really as much of an indicator of seasonal issues as contractor / temp roles:

That's the finding of a new survey, which revealed that according to a seasonally adjusted index measuring permanent vacancies in the IT sector, demand to fill permanent staffer jobs in the IT market had risen to 64.4 per cent in the dog days of August, up from 62.8 per cent a month earlier.

Permanent roles are a long term commitment so if this is true, it isn't really seasonal. It's companies deciding they need more employees for something and will continue to need them for a long time.

2) Contractor jobs are an indicator of seasonal trends:

Meanwhile, demand from Blighty companies to hire temporary techies fell to 58.7 per cent from 59.1 per cent in July.

So in August there was less of a need for a temporary work force to fill gaps.

Seems the headline is a bit assbackwards.

There is a point 3 though.

3) This data is likely to be meaningless. In all likelihood, KPMG searched round the job boards and simply counted the adverts. This means that when (like my current role) it is advertised by 12 different agencies - all with slightly different details - it counts as 12 jobs rather than 1. It also means that some non-existent jobs (posted by unscrupulous or clueless recruiters or hiring companies) get counted when in reality there are none.

The easiest way to tell if demand has outstripped supply is to look at the average salaries and contract rates available. These are still, largely, in line with 2009 figures - and as other posters have said include shopping lists of skills for £35-40k a year.

All of this implies to me, at least, that there isn't enough of a skills shortage for anyone to actually care - it is just a shortage of skilled workers prepared to work for the salary they had when they were unskilled.

Fiat Chrysler recalls THOUSANDS more cars to swerve hack-my-brakes roadkill


Re: 2FA?

It is 2015. 2FA is now commonplace. Surely, admin for a car can be secured this way?

Hard to think how multi-factor authentication would help this sort of attack.


Re: There ought to be a moratorium on connecting any wireless systems to the canbus

Unless/until appropriate and uncompromisable security protocols are in place.

Now, if you find such a beast, truly great riches will be yours. I am reasonably sure no such thing exists.

Company in shambles, marriages ruined. My work here is done, says Ashley Madison CEO


Blunt Swords

If only more CEOs fell on their sword so quickly (or gov't ministers).

The problem is that "falling on his sword" here actually means he will be able to avoid the massive financial pain from the inevitable law suits and other forms of legal action.

Basically he has been able to reap great profits, avoid paying for the security he promised users, scammed gullible men with fake female profiles and jumped ship in time to make it on the life raft.

While I hate the man, I do have to say he has good timing.
