* Posts by Alister

3265 posts • joined 19 May 2010

British Airways hack: Infosec experts finger third-party scripts on payment pages

Alister Silver badge

Let's just be clear

The scripts WERE NOT hosted on an external resource, they were served from inside BA's infrastructure. The path they came from was:

https://www.britishairways.com/cms/global/scripts/lib

However, they WERE third party scripts in that they were not written specifically for the BA site, but were local copies of script libraries freely available to web developers from various vendors.

In this case, they were modified versions of the freely available scripts, with malicious extra code added to siphon off users' details to an external domain.

Post-silly season blues leave me bereft of autonomous robot limbs

Alister Silver badge
Joke

Ok... how do I load it with washing over the internet

Depends on what fabric you're using... apparently Brocade is quite fast.

Alister Silver badge

Your sub-heading made me think of Jeff Lynne's opening lyrics for "Ticket to the Moon"...

Remember the good old 1980's

When things were so uncomplicated

I wish I could go back there again

And everything could be the same

Microsoft tells volume customers they can stay on Windows 7... for a bit longer... for a fee

Alister Silver badge
Facepalm

Re: Microsoft is giving people some extra time...

Unless your company runs some weird custom middleware or specialized software

Yeah, like Active Directory, or Visual Studio...

HTTPS crypto-shame: TV Licensing website pulled offline

Alister Silver badge

Re: We take security very seriously

You forgot:

It's not you, it's me.

Alister Silver badge

Re: redirecting HTTP to HTTPS

In my experience, the current crop of Comp Sci graduates wouldn't have a fucking clue how to do this, nor why they should...

Heart-stopping predictions from AI doctors could save lives

Alister Silver badge

Difficulty breathing can be associated with heart problems, yes, as in congestive cardiac failure, or atrial fibrillation, where the breathing problems are due to a backlog of fluid in the lungs.

A heart attack does not usually cause breathing difficulty except as a consequence of the associated chest pain; however, "shortness of breath" is often reported as a symptom as the body is trying to compensate for the lack of oxygen to the heart. There is no actual impairment of breathing.

Alister Silver badge

making it difficult for oxygen to be circulated around the bloodstream

Nope. The article does not explain it very well, but the arteries which are involved are the coronary arteries which supply blood and oxygen to the muscle of the heart itself, not those which transport blood to the rest of the body.

A heart attack is actually the death of a portion of the muscle tissue of the heart, due to oxygen starvation caused by blocked or constricted coronary arteries. The proper term for a heart attack is a Myocardial Infarction, which literally means heart muscle death.

Note that a Heart Attack is not the same as a Cardiac Arrest.

I've seen the future of consumer AI, and it doesn't have one

Alister Silver badge

Lumphammer at the ready...

Aah, so you're a waffle man.

Software dev-turned-councillor launches rubbish* chatbot

Alister Silver badge
Joke

What kind of animal does this?

Um, Badgers, maybe? They are quite fastidious about keeping clean, so they might want a washing machine...

Congress wants CVE stability, China wants your LinkedIn details, and Adobe wants you to patch Creative Cloud

Alister Silver badge

Re: CVE Funding

No, no, no, no NO! US government funding for CVE will remove any and all trust I have in the system.

Did you miss the bit where it says the CVE is already government funded - just not on a long term basis.

Spies still super upset they can't get at your encrypted comms data

Alister Silver badge

Tide, stop coming in!

Tide, I said stop!

Please stop the tide, my feet are wet.

bubble-bu-blub-blub-blub.

Yeah, go on, try legislating encryption out of existence, see how that goes for you!

No need to code your webpage yourself, says Microsoft – draw it and our AI will do the rest

Alister Silver badge

Re: Quality output

Next, there is blisteringly blindingly bright white, for 90% of the page, to keep you from being able to see anything on it [like staring directly into the sun].

I reckon there's a conspiracy among monitor manufacturers and web designers, to use as much white as possible, to decrease the useful life of the screen.

Russian volcanoes fingered for Earth's largest mass extinction

Alister Silver badge

My understanding is that the Deccan Traps were effectively the exit wound from the asteroid impact at Chicxulub, as they were located more or less diametrically opposite at the time.

No, eight characters, some capital letters and numbers is not a good password policy

Alister Silver badge

Re: Password security check

@DrD'eath

My password is Sw0rdf15h!

Don't let Google dox me on Lumen Database, nameless man begs

Alister Silver badge

the hearing, which ended at about 6pm on a Bank Holiday Friday.

No wonder the Judge was getting annoyed, that's a round of golf he missed out on...

It liiives! Sorta. Gentle azure glow of Windows XP clocked in Tesco's self-checkouts, no less

Alister Silver badge

Re: Cross platform development is EASY

It shouldn't be hard at all to find a developer who can make a GUI that runs on multiple platforms.

No, maybe not.

Now find a developer who will write the kernel drivers for the proprietary hardware that runs on multiple platforms...

Alister Silver badge

I don't understand why NCR and the lot their peers bother to use anything so bloated when an R-pi properly configured could do the job. (Someone correct me if I'm wrong, please.)

I suspect it's a matter of availability of drivers for the hardware, there may not be Linux equivalents to run the various peripherals.

Certainly when our company had a brief dalliance with ticketing kiosks, some years ago, the only available software was Windows based, and relied on a proprietary interface card to join all the bits up - no USB equivalents.

Alister Silver badge

Next time you see a self-service checkout throw a wobbly and revert to XP, don't panic straightaway.

Thank you for that sage advice.

Because of course without it, I would have run screaming from the store crying "OH MY GOD, WE'RE ALL DOOMED!".

NOT!

Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug

Alister Silver badge

"create a unique, strong password"

- Which I have to write down or store insecurely because I can't remember it, and don't know what a password safe is.

Maybe it's time to acknowledge that writing down strong, complex, unique passwords for websites and keeping them at home is far more secure than reusing weak, easily remembered passwords everywhere?

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

Alister Silver badge

Re: So long Grandma, thanks for all the fish

an .. automatic defibrillator ?

That's an interesting idea. I think there's probably a law against it though.

What a stupid comment!

Nearly all defibrillators - even those used in hospitals or by paramedics - have software which automatically determines if the patient is in a shockable rhythm.

Some, like the LifePak 20, which combine proper 12-lead ECG monitoring, are capable of being switched to manual mode, but they usually default to the AED setting.

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Alister Silver badge

Holschuh was not entirely clear why the license is a problem.

Maybe you should go back to him pointing out Section 3 sub-section (v) and ask him to explain why users should not highlight the likely performance impact of the code?

Boffins blame meteorites for creating Earth's oldest rocks

Alister Silver badge

Re: Pedant Alert

Interesting. What's your reaction to these examples?

Arsenal have won the FA Cup more times than any other team.

The Chicago Bears has never played in the FA Cup.

Alister Silver badge

Re: Pedant Alert

'A team' must be grammatically singular, regardless of whether it is composed of many individuals.

Whilst that may be true by American convention, it is definitely not the case for British English.

As this is still a British website (just about) then British rules win...

Alister Silver badge

Re: Pedant Alert

Wears my coat...?

What does?

The future of humanity: A Bluetooth ball hitting your face – forever

Alister Silver badge
Headmaster

Re: Just great!

I frequently had to jam my breaks

Oh Michael, I'm so disappointed in you...

Your Phone prematurely ejected, Skype texting on the way, and 900 more years of Windows

Alister Silver badge

2919

The year of the Linux desktop

Beam me up, PM: Digital secretary expected to give Tory conference speech as hologram

Alister Silver badge

That speech also saw the PM's set fall apart, with the letter "F" falling off the Tory slogan behind her.

So, Mrs May was F-bombed by the stage set?

Self-driving cars will be safe, we're testing them in a massive AI Sim

Alister Silver badge

Yeah, in the simulation, the AVs are green, but in the real universe they are grey...

Alister Silver badge

Re: Evidence?

Google cars have currently driven 120 million miles with zero fatalities, zero serious injuries, and a handful of fender benders.

Maybe collectively they've managed to accumulate that number of miles, although I doubt it, but each individual car can't possibly have accrued that much.

That is definitely better than human average for fender benders, definitely better than human average for serious injuries (by a factor of several), and no worse than human average for fatalities.

Again, average cumulative statistics make a nonsense of this argument.

There are millions of drivers around the world who have each driven for years and years without ever being involved in an accident. The statistics are skewed by the small minority of drivers who are incompetent or reckless. In contrast, there are a vanishingly small number of Google AVs and yet they have managed between them to accrue an impressive collection of bumps.

Until an individual AV can match the record of an individual, competent human, then a fair comparison cannot be made. And this will obviously take a long time.

Alister Silver badge

A lot of people can't actually manage to do those things in a safe manner without putting others into danger.

The overwhelming majority of human drivers manage to drive safely most of the time.

AV advocates seem to delight in painting human drivers as dangerous and unsafe, compared to their chosen deus in machina, but the evidence so far is that none of the current crop of AVs are as safe as the average human.

Shiver me timbers: Symantec spots activist investor Starboard side

Alister Silver badge

You forgot to mention that Symantec's root certificates have been distrusted by all major browsers after security concerns were raised.

Lo and behold, Earth's special chemical cocktail for life seems to be pretty common

Alister Silver badge

Re: So, why don't we still have dinosaurs?

there would also be forms of plants, animals and all the rest that are the product of evolution from the second time that life started on Earth. And from the third, fourth, the seventy-seventh, the 2,916'th and so on.

As humans, we have told ourselves the comfortable story of a single thread of evolution, but actually, if they are all based on the same chemicals, then we have no way of telling whether any of what we know of the fossil record and current species are from a first or subsequent attempt at life.

Brit banks must disclose outages via API, decrees finance watchdog

Alister Silver badge

Re: Obligate!

Did you by any chance Google "define obligate" or did you miss that bit?

From the OED:

Obligate: Require or compel (someone) to undertake a legal or moral duty.

Origin

Late Middle English (as an adjective in the sense ‘bound by law’): from Latin obligatus, past participle of obligare (see oblige). The current adjectival use dates from the late 19th century.

Note that, unlike Oblige, there are no secondary definitions mentioning being indebted or grateful.

Alister Silver badge

Re: Obligate!

I am obliged to tell you that obligated is a US English bastardisation.

I am obliged to tell you that you are talking bollocks.

Obliged and obligated do not mean the same thing, and there is a clear distinction.

To be obliged means you are indebted to someone for some service or favour.

Obligated carries a slightly different meaning, in that the subject is forced to do something because the law or morality requires it.

Alister Silver badge

“More than any other industry, banks still contain a mix of archaic legacy systems, new cloud platforms, and yet are under pressure to accelerate their software development to combat the threat of their ‘digital-first’ competitors,” opined Dave Anderson, a marketing bod

Thanks for that. Perhaps if marketing could keep their noses out of IT then banks would not be "under pressure to accelerate their software development" to the point where it is untested and insecure?

Google risks mega-fine in EU over location 'stalking'

Alister Silver badge

Re: RAAAAAAAAAAGE!

Yeah, and Grimsby, while you're there.

EU wants one phone plug to rule them all. But we've got a better idea.

Alister Silver badge

Re: To later

@Charlie Clark

@alister I think you might have ignored the possibility of sarcasm in the original post.

Yes, sadly. However, going by the number of downvotes the OP is collecting, it appears I am not alone...

:)

Alister Silver badge
Facepalm

Re: To later

What does this matter to the UK, as of March 2019 we can tell the EU to go whistle

Yeah, because ignoring standards is such a good idea.

Let's have a British USB specification, which does what WE want, no matter that it doesn't match the rest of the world.

London fuzz to get 600 more mobile fingerprint scanners

Alister Silver badge

They can just get your fingerprint off the reflection of the door handle that you just touched, reflected in a rain drop on the window opposite, which you can see in the mirror which is mounted on the corner of the street from the CCTV camera round the corner...

It's easy, I've seen it on the telly...

Medical device vuln allows hackers to falsify patients' vitals

Alister Silver badge

Question: is it better to get life-saving technology into the market now at an affordable price (but with an obscure hole or two), or wait another five years (while people die) and then deliver something secure at twice the price, making it less widely used.

To be fair, very little of this technology could be classed as life saving... standalone monitors, syringe drivers etc. have been around for years, and do a perfectly adequate job, so to suggest that not having this equipment available will allow patients to die is unrealistic at best.

The main reason that Hospital authorities are pushing for this sort of always connected, centrally managed equipment is so they don't have to employ as many staff - one person sitting at a desk with all the patients' vital signs available to them at the same time, and all the alerting in one place.

That doesn't mean that it's essential to the care of patients - the machine that goes beep is a nice-to-have...

Phased out: IT architect plugs hole in clean-freak admin's wiring design

Alister Silver badge
Thumb Up

Re: get out quick

@AC

looking at the quality of some of the building work, I imagine he was a fan of the western genre of movies.

I chortled at that.

No, really...

Work at a startup? Think US military isn't good enough at killing? We've got the program for you

Alister Silver badge

...and AI to detect hardware failures

“I've just picked up a fault in the AE35 unit. It's going to go 100% failure in 72 hours.”

What could possibly go wrong?

Alaskan borough dusts off the typewriters after ransomware crims pwn entire network

Alister Silver badge

The attackers gained Active Directory admin access

Only criminal negligence, or deliberate criminal intent of an insider, could allow that to happen, surely.

This doesn't sound like a happenstance ransomware or malware infection, but a deliberately targeted attempt to destroy the borough's IT.

Grad sends warning to manager: Be nice to our kit and it'll be nice to you

Alister Silver badge

Re: Sometimes violence is the only answer

I'm sure I've posted this tale before, but it bears repeating:

A colleague of mine was working on a desktop machine which steadfastly refused to boot cleanly.

All the component parts (motherboard, CPU, fan, RAM, PSU, video card, network card, etc.) had been tested in other machines and were known to work, but put them all together in one case and it wouldn't work.

Finally, in exasperation, my colleague picked the whole thing up and threw it out of an (open) second-floor window.

When he had trudged downstairs and retrieved it from the flowerbed it was occupying, he emptied out the soil and plugged it in, and it worked first time.

...

On the workbench in the comms room here we have the skeletal remains of a Dell PE860 with a large screwdriver embedded in its mainboard. It is left there as a salutary lesson to all the servers in the racks...

India mulls ban on probes into anonymized data use – with GDPR-style privacy laws

Alister Silver badge

Re: re-identifying anonymized data

If it can be re-identified, then it hasn't been properly anonymized in the first place.

That is not necessarily the case. Let's say that company A provide anonymized purchase data to a company Z who carry out data analysis.

And then company B provide anonymized health data to company Z.

And then company C provide anonymized travel data to company Z.

Company Z may, through intersections between data from A, B and C, be able to identify individuals, where that would be impossible from any single one of the data sets.

That doesn't mean that the individual data sets are not sufficiently anonymized, just that accumulation of many data points from different sources can allow correlations which lead to the identity of the subject.

Dixons Carphone: Yeah, so, about that hack we said hit 1.2m records? Multiply that by 8.3

Alister Silver badge

Re: Why did they keep so much data???

Well, they have to keep most of the data as a legal requirement (see post further up).

Yes, they have to keep transaction records, but NOT the CC details, there is no requirement for that.

Alister Silver badge

I don't think companies should be allowed to hold full credit card data.

They aren't supposed to, if they want to be PCI-DSS compliant. But lots still do it, and even store them unencrypted as well.

There are well established methods to make repeat payments using an authorisation token, which don't require the retailer to store the card details, and for one off payments the details shouldn't be stored at all.

Beam me up, UK.gov: 'Extra-terrestrial markup language' booted off G-Cloud

Alister Silver badge
Boffin

Re: "All work is Blue Book compliant"

Well played, I give that a Twelve...

Ecuador's Prez talking to UK about Assange's six-year London Embassy stay – reports

Alister Silver badge

Re: Julian has already been deprived from liberty of movement by Britain for 6 years

What complete bollocks.

Biting the hand that feeds IT © 1998–2019