* Posts by storner

68 posts • joined 25 May 2011


Schneier: Don't expect Uncle Sam to guard your web privacy – it's Europe riding to the rescue


Re: One niggle

As seen from this (eastern) side of the pond, it is not only the US politicians who are clueless. The general population knows even less about how surveillance capitalism works, and will happily divulge any and all personal details if only there's a chance of winning a free doughnut.

It really is the same thing in Europe, we are just lucky that our politicians - miraculously, I have no idea how it came to be! - implemented reasonable privacy measures with the GDPR.

The Large Hadron Collider is small beer. Give us billions more for bigger kit, say boffins


Re: New name needed

Since there is always going to be one more accelerator, we need something that extends into infinity. Like numbers.

So I suggest "Particle Collider 0", "Particle Collider 1" etc. Abbreviated PC1, PC2 ...

Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows... Yup, it's day 20 of Trump's govt shutdown


Re: Operational Incompetence

Indeed you can, that is common sense practice. The remaining days are usually added to the new certificate's lifetime.

You were told to clean up our systems, not delete 8,000 crucial files



Sounds like backing up those hard disks was not on Sam's agenda. Considering the reliability of hard disks back then, maybe it should have been.

The Palm Palm: The Derringer of smartphones


I'll take the revived Nokia 3310 instead, thank you

Granted, it is 2 cm longer, and weighs 18 grams more.

But it only costs 1/10th of this little critter.

Expired cert... Really? #O2down meltdown shows we should fear bungles and bugs more than hackers


Because certificates typically expire after 2-3 years - beancounters and bosses cannot see that far ahead (except when pulling "strategies" out of various orifices).

Even the IT monkeys doing the renewals have moved to new offices at least 3 times, so that two-year-old calendar with the post-it notes? No one remembers what it was for, so it goes in the bin.

Microsoft promises a fix for Windows 10 zip file woes. In November


'Users will be relieved to know that the team is indeed actually looking at feedback, even if it seems to be skipping the “stop the thing deleting my stuff” entries in favour of “make search a bit faster.”'

You don't seem to understand that these two work together. With all user files deleted, there is a lot less to index. Hence search runs faster.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection


Re: Never should be remotely controllable in the first place

"Heavy machinery, especially something that if mishandled can kill hundreds, is not something that should be fully-controlled by software."

In that case, most commercial airplanes would have to stay on the ground.

UK cyber security boffins dispense Ubuntu 18.04 wisdom


Re: Good idea.

As others have mentioned, sudo gives you much more fine-grained control over who is allowed to do what. But there are other advantages over plain su:

- You have an audit trail of who ran which admin command when. For some of us, that is a compliance requirement.

- Communicating a shared password is difficult. Tends to happen via e-mail which is NOT secure.

- When you have 20+ servers, changing the administrator password because Joe Admin left the company is not so simple.

- Passwords can be cracked or leaked, so a security compromise of one server quickly becomes a site-wide problem (unless you use unique passwords, which complicates the distribution issue further).

I try to avoid passwords as much as possible, to the extent that my personal servers do not have passwords (a '!' for the password field in /etc/shadow). Logins can only happen via ssh using SSH keys or certificates, and sudo is set up to require a one-time password or physical token (Yubikey). If you must use passwords, at least make sure you keep them centralized (LDAP directory or similar).

In other words, think about how you implement security instead of just bashing some random tool based on a 7-year-old forum post.

Rowhammer returns, Spectre fix unfixed, Wireguard makes a new friend, and much more


Re: What's wrong with OpenVPN?

As you said, OpenVPN does what it claims to do - nothing wrong with that. But Wireguard does have some things going for it:

1) It doesn't rely on OpenSSL for encryption, so there is a whole lot less code to audit if you want to check for security problems

2) It is a kernel module implementation (at least on Linux), so the processing overhead is much smaller and it should be able to scale to wirespeed while handling multiple connections. It also means that it works like any other network interface, so the usual configuration files and network scripts will take care of running your VPN.

3) Authentication and setup is much simpler, since it is trust-on-first-use, so there is no need to set up your own CA.

Have a look at it, it does work quite well.

Sysadmin hailed as hero for deleting data from the wrong disk drive


Oracle too ...

Had a database server bickering about being short of disk space. Without knowing much of Oracle internals, I found some very large *.log files lying around and promptly deleted them - I mean, there's no need to keep those old system logs, right?

So I learned the hard way what database transaction logs are. And how to convince Oracle to create a new set of transaction log files when starting up.

Fortunately, it was a very quiet database.

Huawei Honor 10: At £399, plenty of bang for buck – it's a pity about the snaps


Just leveling the power balance. Trump gets my data from Google, Xi gets it from Huawei. Let them fight over it ...

BOFH: Give me a lever long enough and a fool, I mean a fulcrum and ....


Whatever ...

Friend of mine called a support droid about some problem. "Do you have an iPhone or a smartphone?"

Somehow that does kind of make sense...

Until last week, you could pwn KDE Linux desktop with a USB stick


Re: I'm going to name all my USB sticks:

Because it won't work. You need "rm --no-preserve-root -rf /" if you really want that, which is longer than will fit in a VFAT volume label.

Who can save us? It's 2018 and some email is still sent as cleartext


Re: Port 465

What you need to do ... may I suggest using an MTA with a sensible configuration language?

Sysadmin jeered in staff cafeteria as he climbed ladder to fix PC


Re: What is this ?

Since it was in the Windows for Workgroups days, TCP/IP was most likely not used. Just some random address assigned by the NIC and running NetBIOS, IPX or some other abominable protocol.

Personally, I would have made the PC speaker start screaming at the user with a NSFW vocabulary. Guaranteed results much quicker.

Flash... Nu-uh! Tech folk champing at the bit to switch off life support



Judge used personal email to send out details of sensitive case


Re: An idea

They were called "secretaries" in the good old days. They are all gone now, thanks to the beancounters and efficiency experts.

NASA: Bring on the asteroid, so we can chuck a fridge at it


Re: Time to go PaddyPower

7. The fridge, being an intelligent IoT device, will notice that it needs to stock up on fresh milk, but since there is no Wifi connection in the asteroid belt it will fail to connect to Walmart and subsequently the control system crashes with an unexpected error. The thrusters therefore fail to fire, and the fridge crashes back to Earth.

US visitors must hand over Twitter, Facebook handles by law – newbie Rep starts ball rolling


Re: But

No lube, makes the "pain" part easier.

Super-cool sysadmin fixes PCs with gravity, or his fists


Re: Makes me wonder

Consider that a bonus, since it would hopefully mean upgrading from the old MFM-based disks to something modern and up-to-date, like PATA.

2017 is already fail: Let’s try a Chinese reboot


Re: And one more thing...

Depends on how you managed the leap second...

Windows 10 networking bug derails Microsoft's own IPv6 rollout


Remembering IPs

is about as quaint as remembering phone numbers.

Face it - one of the goals of ANY new IP version is to extend the address range. So no matter how you design the protocol, you end up with more numbers per address. Saying that it is easier to remember than 2a00:1450:400f:802::200e just does not make sense. What you CAN remember is "google.com".

Which is why we invented DNS.

It's not just your browser: Your machine can be fingerprinted easily


Re: Mine doesn't give that data.

Your browser identifying as "Links" is enough to fingerprint you with 99.24% accuracy ...

2016 just got a tiny bit longer. Gee, thanks, time lords


It's the IERS who determines such things ...

not the NPL. You got it right when it was first reported: http://www.theregister.co.uk/2016/10/10/2016_leap_second/

But hey, it's Christmas and beer o'clock so who cares if they are reusing old news. Cheers, have an eggnog on me!

Firewalls snuffed by 'BlackNurse' Ping of Death attack


I agree with the "(most) pen tests are crap" statement, but you should still consider disabling ping responses. It is trivial to spoof the source of a ping request, so pulling off a DDoS with your host (and many others) being used to flood someone else with ping responses is simple.

Same reason you don't respond when someone sends a packet for a closed/non-existing service, but just drop it with no response.

Britain must send its F-35s to Italy for heavy overhauls, decrees US


Repairs? Ha! - we don't even have spare parts

One of the news stories here in Denmark this week (apart from Donald) was that we must buy spare parts for our F-35s now, because production of spare parts for our version of the F-35 will stop in a couple of years.

Oh, and our F-35s haven't arrived yet, it will be some years before they touch down here.

EU turns screws on Android – report


Re: Typical EU

"go after anyone but Apple" sounds a bit hilarious considering this: http://www.theregister.co.uk/2016/08/30/eu_commission_rules_on_apple_ireland_tax_sweetheart_deal/

Not an EU or Apple fan myself, but fair is fair...

A USB stick as a file server? We've done it!


Slow campfire

Definitely no speed demon. There are a couple of these kinds of devices around; for the latest holidays I brought along a WDC My Passport Wireless which has the same features except it uses 1 (or 2) TB rotating rust storage. Just did a simple speed test, which gave me 60 seconds for uploading a 100 MB file, and 25 seconds for downloading the same.

Bought it for backing up the SD cards from the digital cameras while on-the-go (my S.O. is an ex-photographer, so a couple of hundred snaps per day is not uncommon). Works quite well.

But yes - these micro-reviews are nice.

Das ist empörend: Microsoft slams umlaut for email depth charge


Totally agree. Codepage 865 (the Danish one, in case you didn't recognize it) had some of the special Danish letters mixed up with the symbols for cent and Yen. I still see the occasional bill printed by a cash register running some ancient software with the company name printed as "s<yen>n" instead of "søn".

It was "fixed" by switching to codepage 850, meaning lots of fun when trying to figure out why PCs set for one codepage would print *almost* correctly on printers set for the other ....

UK's climate change dept abolished, but 'smart meters and all our policies strong as ever'


"all households and businesses should be offered a smart meter by 2020"

Offered? So we can say "no, thanks"?

You know how that data breach happened? Three words: eBay, hard drives


Encrypt it

Easiest solution is to just encrypt whatever data you put on the disk. dm-crypt/LUKS on Linux boxes, and I'm sure MS has something similar (the name escapes my mind).

It also works if the hard disk is stolen or goes AWOL in the back of a taxi.

Sure, it nips a couple of CPU cycles from your system, but most boxes have plenty of idle cycles to spare while waiting for the spinning rust to settle.

Mushroom farm PC left in the dark and fed … you know the rest



The company I worked for did some custom applications development for a company based in Greenland, who - amongst other things - exported a lot of shrimp which all ended up in a warehouse in Copenhagen. A new release had to be installed right around beer o'clock on a Friday, and of course it didn't work. Debugging and fixing other people's code has to be done right there and then, but I got it working. On the way out, the customer thanked me for getting things working and sent me home with 2 kg (about 4 lbs) of frozen shrimps "so I had something for dinner".

Pretty good shrimp, though.

Xen says new patch is 'simple and crude' and warns against using it



Any admin worth his pay puts logfiles on a separate filesystem. Filling that should not cause a DoS of the whole system, only loss of logging (which may be unfortunate, but it will also point a thick finger at which of your VMs has been pwned).

TLS proxies: Insecure by design, say boffins


Re: The only use for SSL/TLS inspection

"1) I can see what sensitive corporate data such as, I dunno, customer database Employee X has uploaded to their HotGmahoo! webmail account and sent to Competitor Y."

Sure, that's what Employee X would do. Copying it to a USB stick and bringing it home? Nah ... no way.

Ex-HP boss Carly Fiorina sacked one week into new job


Re: Same old, same old

I think it was good ol' Winston who said: "You can always trust the Americans to do the right thing ... once they have tried all the other options".

Ad-blocker blocking websites face legal peril at hands of privacy bods


Re: Publishers could simply

Couldn't agree more. When I stumble across a site that seems interesting, I am quite willing to pay them for their efforts - but in return, I expect them to stop forcing ads down my pipe. Or at least give me the option to turn off the darned noise.

But expecting to get intelligent writings for free is naïve.

BOFH: Thermo-electric funeral


Not just the Bosses that do this

Had a similar experience only a couple of weeks ago. A matchbox-sized, USB-connected *harddisk* sporting a full 2.2 GB, bought at the Copenhagen equivalent of Tesco's, went tits-up. Only one problem: It belonged to my SO, not the Boss ... so the usual BOFH remedies for "fixing" it could not be applied.

Thanks to Linux and ddrescue, I managed to salvage the important bits.

(Peltier elements?!? Nice ...)

Read America's insane draft crypto-borking law that no one's willing to admit they wrote


Well, what did you expect -

from the Senate INTELLIGENCE Committee.


Oracle v Google: Big Red wants $9.3bn in Java copyright damages


"Greed is good" ...

Larry and Gordon must be related.

Wait... who broke that? Things you need to do to make your world diagnosable


Re: What about...

What about it? In the words of Mahatma Gandhi (when asked about western civilization): "I think it would be a good idea".

He wasn't impressed. Me neither.

Change management usually means that updates are slow to trickle out. Just ain't gonna fly these days with developer teams rolling out hourly software updates and managers screaming to get the hottest new whizbang thing on the production systems. So it gets overridden by some PHB ("it's just a small UI change!") and things break.

The article is about cleaning up when things go bad, not preventing them (save for the post-mortem analysis). For that it is a pretty nice list, although I think most experienced sysadmins could write it in about 10 minutes.

FreeBSD crushes system-crashing bug


Out-of-order execution perhaps?

a means for local unprivileged attackers to crash the system before executing arbitrary code

Methinks crashing the system would prevent any code - arbitrary or not - from running, no?

Google adds worldwide HTTPS info to transparency report


Re: date format?

You cannot. You must visit https://www.google.com/transparencyreport/https/ct/?hl=da#domain=www.abc.net.au&incl_exp=false&incl_sub=false to look up the details.

/me wonders why they haven't been replacing it yet ... 22nd March isn't too far away.

$17 smartwatch sends something to random Chinese IP address


Why not just geoblock anything in China? No big loss here.

No, HMG, bulk data surveillance is NOT inevitable


"the Danes – well, they introduced something very similar to the Home Office’s proposed ICRs only to ditch it a few years later because it proved to be useless, and just meant their police force was drowning in data."

Unfortunately our dear politicians have learned nothing from their previous failure, so they are at it again: http://www.dr.dk/nyheder/politik/pind-om-internetovervaagning-ny-tid-kraever-nye-regler (in Danish, I'm afraid).

Let Europeans sue America for slurping their data – US Senate


Re: Feed Our Lawyers

And under whose jurisdiction does this fall? If Europeans must file suit in an American court, presided over by American judges, interpreting an American law ... well, let's just say my expectations of a fair trial are pretty dim.

Ban internet anonymity – says US Homeland Security official


So? Make IPv6 mandatory!

Linode: Back at last after ten days of hell


Re: How much does it cost an attacker these days to launch a large-scale attack?

I'd recommend "PasswordAuthentication no" in sshd_config on ANY system, especially those that can be reached from the outside.

Add Google authenticator for 2FA if you are on the paranoid side (like me).
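An added example, not code from any of the comments above: a small POSIX shell audit for the two settings recommended in the "Good idea" post (a '!' in the /etc/shadow password field) and in this one ("PasswordAuthentication no" in sshd_config). It works on constructed sample files, so the paths and user names are made up; the parsing rules it encodes are sshd's own (first occurrence of a keyword wins, keywords are case-insensitive, lines after a "Match" line are conditional).

```shell
#!/bin/sh
# Added example, not from the original comments. Audits two settings:
# (1) sshd_config: sshd honours the FIRST occurrence of a keyword, keyword
#     names are case-insensitive, and anything after a "Match" line is
#     conditional, so a naive grep for PasswordAuthentication can mislead.
# (2) shadow file: a '!' or '*' password field locks password logins, while an
#     EMPTY field means no password is required at all, the dangerous case.

# Print the global value of an sshd_config keyword, or "unset" (sshd default).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            sub(/^[ \t]+/, "", line)             # drop leading whitespace
            n = split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            if (n < 2) next
            k = tolower(f[1])
            if (k == "match") { inmatch = 1; next }
            if (inmatch) next                    # conditional block, not global
            if (k == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }' "$1"
}

# Exit 0 only if password logins are explicitly disabled (sshd default is yes).
sshd_password_auth_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ]
}

# Classify a user's password field in a shadow-format file:
# locked (starts with ! or *), empty (no password needed!), hashed, or missing.
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u { s = ($2 == "") ? "empty" : ($2 ~ /^[!*]/) ? "locked" : "hashed"
                  print s; found = 1; exit }
        END { if (!found) print "missing" }' "$1"
}

# Constructed sample files (not real system files) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
SSHD_SAMPLE="$SAMPLE_DIR/sshd_config"
SHADOW_SAMPLE="$SAMPLE_DIR/shadow"
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sshd_config sample
Port 22
#PasswordAuthentication yes
passwordauthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$constructedsalt$constructedhash:18000:0:99999:7:::
storner:!:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
oops::18000:0:99999:7:::
EOF

printf 'PasswordAuthentication: %s\n' "$(sshd_effective "$SSHD_SAMPLE" PasswordAuthentication)"
for u in root storner svc oops; do
    printf '%s: %s\n' "$u" "$(shadow_state "$SHADOW_SAMPLE" "$u")"
done
```

Point the two functions at a real /etc/ssh/sshd_config and /etc/shadow (as root) to audit a live box; an "empty" result from shadow_state is the finding to act on first.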

Penny wise and pound foolish: Server hoarders are energy wasters


How about 30 cents/kWh

which is what we crazy Danes pay, because converting to "green energy" requires massive subsidies for putting up windmills.

The last post: Building your own mail server, part 1


I'd recommend using a test domain first

Having mail thrown away by accident is really annoying, especially when you only have yourself to blame. So if you are new to this, get yourself a domain to play with, and set everything up the way it should be. And test it properly. Domain prices vary a lot between the TLDs, but the .info domains appear to be cheap at the moment (29 kroner = ~3£ for a year at my local dns shop).

Having done this for 20+ years, my experience is that you shouldn't try this on a home connection. Too much hassle with ISP filtering ports, home DSL IPs being blacklisted etc. etc. And if you end up providing mail service to friends & family (and believe me, it will happen ...) then your home server suddenly needs to be up and running 24/7 - including power and Internet connection.

Much easier with a VPS somewhere, and it is cheaper on the power bill.

My own setup is based on https://workaround.org/ispmail/ - it uses Postfix and Dovecot on Linux. Sendmail? No way I'm gonna do another sendmail.cf voodoo dance again. QMail? Been there, done that - for 10+ years, actually, but it is definitely showing its age now, getting it to do spam filtering and avoiding backscatter mails was just too big a hassle.


Biting the hand that feeds IT © 1998–2019