* Posts by Alister

2542 posts • joined 19 May 2010

Royal Bank of Scotland website goes TITSUP*

Alister
Silver badge

I reckon they've just implemented HSTS.

It's very secure now - nobody can get in.

See, it works!

3
0

It was El Reg wot won it: Bing banishes bogus Brit bank banner ad

Alister
Silver badge

Re: ‘Check car tax on’ Google

Interesting how personalised search works.

If I Google "check car tax" I get the top five results all starting with "https://www.gov.uk/"

0
0
Alister
Silver badge

Re: Follow the money ...

are Microsoft following the money that paid for the ad?

No, why would they?

Microsoft would have to pay it back, then.

1
0

Container ship loading plans are 'easily hackable'

Alister
Silver badge
Joke

AVAST BEHIND

I thought it was a comment on my generous posterior...

Yew Bastud!

:)

2
0
Alister
Silver badge
Pirate

Container ships don't have rowlocks in their gunwales, me hearty. Shiver me girders.

4
0

ICO probes universities accused of using private data to target donation campaigns

Alister
Silver badge

Re: spending millions on poor kids

Everyone pays the fee's through student loans

Greengrocer's University education?

5
0

How is 55 Cancri e like a Sisters of Mercy gig? Astroboffins: It has atmosphere

Alister
Silver badge

How is 55 Cancri e like a Sisters Of Mercy gig?

'why may a caudled fillhorse be deemed the brother to a hiren candle in the night?'

8
0

Car tax evasion has soared since paper discs scrapped

Alister
Silver badge
Facepalm

What they should do is introduce some sort of token that car owners have to display on the vehicle, which proves that they have paid their VED.

You could print the date on it, and perhaps make it different colours every year, so an out of date one would be obvious.

What do you think? would it work?

24
2

The Reg parts ways with imagineer and thought pathfinder Steve Bong

Alister
Silver badge

America doesn't have a functional extradition treaty with the UK - well not in the USA ->> UK direction, anyway, maybe My Lord Bong could interestify Donald into imagineering a whole new paradigm?

24
0

Does UK high street banks' crappy crypto actually matter?

Alister
Silver badge

@Dan55

Thank you for the non-downvote. :)

As far as I know, what you propose would have to mean hosting the main site on one server, and the banking site on a different server, as you cannot assign different cipher suites on a per site basis, only at server level.

Now this is not a bad idea at all, but it does mean that again, anyone connecting to the banking site would be required to have a browser and operating system that supported the latest ciphers, or the connection would fail. So really no different in outcome to what we have already.

0
0
Alister
Silver badge

The problem is that banks force your connection to use weaker encryption than your device is capable of.

No, they don't.

2
0
Alister
Silver badge

Get some perspective.

A lot of the commentards here seem to be misunderstanding the issues raised in the article, abetted, it has to be said by some editorial misdirection.

Firstly, to describe the HSTS header as "Cryptographic Technology" is a gross exaggeration.

It is an HTTP Header, which when read by a client browser, ensures that the browser only uses HTTPS to connect to the domain it is served from. That's all it is, nothing else, and certainly not cryptographic technology.

Secondly, the article is written in such a way as to suggest that banks have downgraded their cryptographic cyphers to the lowest common denominator, and therefore endanger everybody's security.

I've just reviewed the SSL Labs results for each of the banks tested, and I can unequivocally state that this is not true.

In all the tested cases, the banks offer the latest ECDHE_RSA_AES ciphers, and therefore modern browsers will connect using TLS1.2 using those ciphers.

However, all of the banks tested, even Santander, the highest scoring, also offer, to a greater or lesser extent, older weaker ciphers to allow older browsers and operating systems to connect. Some of them, RBS and Natwest for example, offer really old, weak ciphers, and they should consider removing those.

It is pointed out that none of the tested banks offer PFS (Forward Secrecy). This is probably something which should be done, but relies on the correct ordering of the cipher suites offered, amongst other things, and is easy to get wrong.

So to sum up, none of the banks tested are endangering your security by only allowing weak cryptographic ciphers and HSTS is not some magic security feature.

1
0
Alister
Silver badge

If people are using outdated browsers, redirect them to a page explaining why you must insist that they upgrade, and explain how

It's not technically possible to do that without providing ciphers that the out of date browsers support, unfortunately. The TLS session must be established before you can carry out any redirection.

Yes you could do this for a while, before turning the ciphers off, and this is often what is done in practice.

0
2
Alister
Silver badge

@Amos

Possibly this is the difference between e-banking and e-commerce?

A short summary breakdown of our connections shows:

Windows 7 with IE 8, 9 or 10 requires TLS1.0 by default, the client can turn on TLS1.2 but rarely does

Windows Vista with IE 7 or 8 requires TLS1.0

Windows XP with IE7 or 8 requires TLS1.0 - IE6 protocol mismatch, can't connect.

Windows Mobile 8.0 requires TLS1.0

Android versions older than 4.4 require TLS1.0

OSX 10.8 requires TLS1.0

Safari 6 or older requires TLS1.0

Anything using OPenSSL 0.9 or earlier require TLS1.0

Anything written in Java 7u25 or earlier require TLS1.0

In addition to direct browser connections, we also provide an API to various external web sites, and by far the majority of those sites use software written in older versions of Java which require TLS1.0 to access our services. (Including, I might add, ATOS Worldline, who have so far refused to update their stack).

The running total as of today is 38.7% of all connections to us use TLS1.0

3
0
Alister
Silver badge

Re: IT security enforcement

It's about time there was an IT security equivalent to environmental health...

There is, it's called PCI-DSS

0
6
Alister
Silver badge

@Iglethal.

No, that's not the case, the article is rather disingenuous about the report.

If you run a report yourself on HSBC for instance:

https://www.ssllabs.com/ssltest/analyze.html?d=www.security.hsbc.co.uk&hideResults=on

You can see that they do support the latest SSL ciphers (ECDHE_RSA) but that they also support various ciphers which are now considered to be weak.

What Scott Helme is claiming - that they don't implement HSTS headers - is NOT a major issue despite his claims, all that the HSTS header does is to tell the browser to always use HTTPS to connect to the site, but it doesn't specify the ciphers to be used on the connection, and most if not all the bank sites will only accept connections over HTTPS anyway.

9
2
Alister
Silver badge

@iron

Crooks being able to steal MY money from the bank because some clueless user is still using IE6 and the bank want to be compatible is completely unacceptable.

That's a nonsensical strawman.

If you use the latest and greatest browser, then your connection will use the highest available encryption, so is not at risk.

If the bank / business also allows connections using weaker encryption for people with older browsers, that doesn't compromise your connection.

14
13
Alister
Silver badge

The TLS 1.1 requirement is currently June 2018, however that has been delayed many times.

As it should be, because:

"Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken," Grooten said. "And rightly so."

I'm not involved with banking, but do manage various eticketing and retail solutions. If we were to turn off TLS1.1, we would lose up to 40% of our customer base.

That's potentially 40% less revenue.

No sensible business can afford to do that.

9
2

Help desk declared code PEBCAK and therefore refused to help!

Alister
Silver badge

Re: Memory Issues

We used to have one when I was in the Ambulance service, I've never seen it anywhere else:

PENCIL: Patient Exists, Not Considered Intelligent Life

and the more common one:

NFN: Normal For Norfolk

51
1

Yes, I took Putin's roubles to undermine Western democracy. This is my story

Alister
Silver badge

Re: I don't get it?

Can anybody explain this "article"?

Google the word "satire"

9
1
Alister
Silver badge
Thumb Up

Thumbs up for "technology trebuchets"...

Many successful launches...

6
0

Slack apologises to Europe for TITSUP* services

Alister
Silver badge

and the news room now has all sorts of excuses to go down the pub

Here's a journalistic tip...

Don't print that in a story the Editor is going to see!

4
0

Belgian court says Skype must provide interception facilities

Alister
Silver badge
Coat

Microsoft classified as a telco, so told to cough up. It may gaufre an appeal

Don't know what you are waffling on about...

13
0

Pastry in a manger: We're soz, Greggs man said

Alister
Silver badge
Headmaster

Grammar!

substituting Baby Jesus for a sausage roll

Does nobody know how to write English anymore? What you wrote above means that you replaced a sausage roll with Baby Jesus.

What you should have said is either:

substituting Baby Jesus with a sausage roll

(which is poor construction in itself)

or: substituting a sausage roll for Baby Jesus.

Hmmmph!

36
0

The Quantum of Firefox: Why is this one unlike any other Firefox?

Alister
Silver badge

The Quantum of Firefox

I see you took solace from that title.

42
0

What do Vegas hookers, Colombian government, and 30,000 other sites have in common? Crypto-jacking miners

Alister
Silver badge
Thumb Up

Re: So Vegas has a Rugby team?

Nice try MJI but I think for most people that will be a Whoooooooooosh!

1
0

Donald Trump's tweets: Are they presidential statements or not?

Alister
Silver badge

Re: Obama

Barack Obama is a card-carrying member of ISIS

I didn't know ISIS had membership cards. That should make things easier for law-enforcement, shouldn't it?

4
0

Universal basic income is a great idea, which is also why it won't happen

Alister
Silver badge

Communists saw human society as a "system" that could be perfected if only a small group of very clever people (themselves) could only be given absolute control over it. How did that work out again?

To be fair, the actual root idea of communism (with a small "c") where everybody shares property, and wealth is distributed equally amongst everybody, is a valid utopian ideal.

The way that Communism was actually implemented in those countries that espoused it was as a ruling elite with all the property and all the wealth, and the rest of the population kept in poverty.

27
8

Uncle Sam to strap body sensors to hackers in nuke lab security study

Alister
Silver badge

It's a Trap!

Hi, Welcome to the Department of Defense Hacking Study.

For your comfort and convenience, please wear the orange jumpsuits provided at all times.

Free transport to our Caribbean paradise testing area is included in the program.

11
0

Remember CompuServe forums? They're still around! Also they're about to die

Alister
Silver badge

Re: CIS

Yep, I used to use the Borland forum on Compuserve a lot back in the day, and I had a numeric email address, shame I can't remember what it was, now.

2
0

Think the US is alone? 18 countries had their elections hacked last year

Alister
Silver badge
Thumb Up

Refusing to give in to the terrorist hysteria is a sign of a stable and mature society. Whether it has anything to do with the level of education of an average citizen I cannot rightfully say.

Well said AC.

4
0

Harry Potter to get the Pokémon GO treatment

Alister
Silver badge

explore their real world neighborhoods and cities to discover and fight legendary beasts

Yeah, send your kids with expensive smartphones off into the shittier neighborhoods that most large cities have, and they'll be coming back with their phones magically vanished.

10
0

Jet packs are REAL – and inventor just broke world speed record in it

Alister
Silver badge

Flying is the easy bit...

Landing gently however, is more tricky...

13
0

Self-driving bus in crash just 2 hours after entering public service

Alister
Silver badge

Re: One thing's for sure: we're gonna need more mechanics.

Or even if the bus sounded its horn to alert the meatsack to the impending collision.

That might have been enough.

11
0

Brit moron tried buying a car bomb on dark web, posted it to his address. Now he's screwed

Alister
Silver badge

Re: Erm...

There's no claim that the two women were helping him, they were just on the premises when he was arrested. I would guess probably his mum and his sister.

9
1
Alister
Silver badge

Re: Time to start deporting the problem fast before it gets much worse!

eject the people en-mass of alien religions/cultures

Yeah, they're the worst, especially those religions that started in the Middle East, you know like in Jerusalem, or Nazareth...

25
2

US domestic, er, foreign spying bill progresses through Congress

Alister
Silver badge

Re: It may already be too late for legislatures to stand up to security agencies

What the fsck could the FBI have on Trump that he doesn't tweet about himself ?

Details of his tax payments?

12
0

That awkward moment when AWS charges you BEELLIONS for Lightsail

Alister
Silver badge

I wonder if Jeff Bezos calculates his wealth based on the same algorithms - maybe he isn't a multi-billionaire after all?

13
0

Look out, Pepe: Martha Lane Fox has a plan

Alister
Silver badge

Re: How about the Badger's Nadgers?

What about "The Penguin's Privates"?

There's already the Bee's Knees, but I would also like to offer Gnat's Knackers and Cat's Pyjamas as alternatives.

1
0

Landlubber northern council shores up against boat-tipping

Alister
Silver badge

Re: Vocabulary

Here in the States, there's supposedly a pastime of misguided rural youth called "cow tipping"

I thought you did "tractor tipping" over there?

2
0
Alister
Silver badge

Re: "In boat heaven"

I don't understand all these gybes.

11
0

Osama Bin Laden had copy of Resident Evil, smut, in compound

Alister
Silver badge

Re: Work for El Reg

Jake was around a long time before Eadon, sorry to piss on your conspiracy.

4
0

TalkTalk glitch causing mobiles and landlines to go off at the same time

Alister
Silver badge

Re: To their remaining customers...

Yep, love the typo in the article which says:

"One customer deserved the issue..."

I reckon any remaining customers deserve all that happens.

8
0

Google Drive ate our homework! Doc block blamed on code blunder

Alister
Silver badge

They should implement safeguards to safeguard the safeguards, I reckon.

18
0

Vlad the blockader: Russia's anti-VPN law comes into effect

Alister
Silver badge

Russia is using its sway at the United Nations to push a much more restrictive approach to the internet: something that many Western governments fear hope will lead to a gradual shutting down of the open internet.

TFTFY

26
2

Submarine builder admits dismembering journalist's body

Alister
Silver badge

I know he's supposed to be innocent unless proven guilty, and all that, but his credibility is rapidly diminishing every time he changes his story.

37
0

USB stick found in West London contained Heathrow security data

Alister
Silver badge

Re: “Heathrow remains secure”

"Olympus London has fallen."

They should do a film...

Oh, wait...

10
0

Chinese whispers: China shows off magnetic propulsion engine for ultra-silent subs, ships

Alister
Silver badge

Shurely shome mishtake?

26
0

Brave Twitter axes Russian media ads 11 months after the fact

Alister
Silver badge

Re: Russian bought adverts influenced US presidential election?

I have it on good authority it was albino shape shifting reptiles from a planet in the Draco constellation that bought the adverts.

You've been listening to David Icke again, haven't you?

1
0

BOFH: Do I smell burning toes, I mean burning toast?

Alister
Silver badge

At one site I worked at, the server room (on the third floor) had a number of rows of racks set at 90degrees to the external wall, and between each row was a large high window in the wall which was hinged at the top.

I was working in the rack nearest the wall, and leant on the window whilst trying to persuade a server into the sliders in the rack.

The window was unlatched, and opened under my weight, so there I was hanging out of the window with a large server in my arms, desperately trying to lever myself back in through force of will and a toe hold under the rack...

Interesting moment... :)

25
0

Forums

Biting the hand that feeds IT © 1998–2017