* Posts by pmb00cs

27 posts • joined 18 Aug 2011

No fax given: Blighty's health service bods told to ban snail mail, too


Re: Hancock's half hour

Email can be made to be secure, but not within the control of the sender, and at the cost of reliable delivery.

You can enforce transport encryption, but then what happens when none of the receiving servers for a domain support it? Don't send to that domain?

Assume they do: your email is securely transferred to the next hop. Now you have to trust that infrastructure is secure. There could be a dozen more hops, and you have no control over the security practices of any of them.

If everyone secures their email infrastructure then everything is coming up roses. But it's 2019 and my ISP doesn't even offer TLS on imap or pop3 ports for email collection. What hope do the rest of us have that the SMTP transport across the internet both supports TLS, and has it enforced?

Or do you mean end-to-end encryption like PGP or S/MIME? Because they require everyone to have keys, and to know how to communicate them.

One click and you're out: UK makes it an offence to view terrorist propaganda even once


"likely to be useful to a person committing or preparing an act of terrorism"

Generally useful to "a person committing or preparing an act of terrorism"? Could be anything!

Or more specifically around the actual terrorism? A-level chemistry would certainly fall under that category, I bet a number of other subjects too, electronics, mathematics, physics, biology, and those are just the ones that could be considered dangerous at high school level that I can think of off the top of my head. So much for the government wanting to recruit teachers, they apparently want to lock a fair chunk of them up.

Should the super-rich pay 70% tax rate above $10m? Here's Michael Dell's hot take for Davos


Having been rather unfortunately afflicted with a condition that I could not afford to get treated privately, and that at times put my life at imminent risk, I cannot sing the praises of the NHS enough. My condition was not nearly as bad as cancer, and yet I was treated promptly enough once diagnosed, and when my health deteriorated due to the condition to the point that I was in need of emergency treatment it was freely, and immediately, available.

I am not now burdened with a crushing debt, and I did not need to be vastly wealthy to be seen. How is the NHS not a great thing that the UK should be rightly proud of?

The only problem with the NHS, and one that is outside of its control, is that successive governments have been desperately trying to kill it in favour of a system of health insurance and private medical care more akin to the rather dysfunctional system the US seems to be obsessed with keeping.

Open-source devs: Wget off your bloated festive behinds and patch this user cred-blabbing bug


Re: From where

It's not just command line usage of wget; wget can be used as a library for other programs to fetch files off the internet. If the resource being fetched is behind a login, the details needed to authenticate access to that resource need to be passed to the wget process somehow. That can be done by prepending the domain with "user:pw" in the URL or by including auth tokens in the query string at the end of the URL. Both of these could be considered sensitive data that should probably not be arbitrarily stored on disk unprotected. So any program, or script, that relies on wget could be affected by this bug.

It is worth noting that Chromium is also affected by a very similar bug, and that is not an easy program to use on the command line.
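One defensive check for the point made above: strip the "user:pw" part and mask auth tokens in a URL before the URL is written anywhere on disk (origin metadata, logs, history). This is an added example, not wget's code; the set of query-string keys treated as sensitive is an assumption chosen for the illustration.

```python
"""Redact credentials from a URL before it is persisted.

Added example for illustration; this is not wget's code. The list of
sensitive query keys below is an assumption, not a standard.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed query-string keys that commonly carry authentication material.
SENSITIVE_QUERY_KEYS = {
    "token", "access_token", "auth", "apikey", "api_key", "key",
    "signature", "sig", "password", "pw", "sessionid",
}


def redact_url(url: str) -> str:
    """Return url with any user:pw@ removed and sensitive query values masked.

    The hostname is normalised to lower case (DNS names are case-insensitive);
    path and fragment are kept so the URL remains useful as an origin record.
    """
    parts = urlsplit(url)

    # Rebuild the netloc without the userinfo component.
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal, re-add the brackets
        host = f"[{host}]"
    netloc = host
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"

    # Keep the query keys (so the request is still recognisable) but
    # replace the values of keys that look like credentials.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [
        (k, "REDACTED" if k.lower() in SENSITIVE_QUERY_KEYS else v)
        for k, v in pairs
    ]
    query = urlencode(cleaned)

    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def has_embedded_secret(url: str) -> bool:
    """True if persisting the URL unchanged would write credentials to disk."""
    return redact_url(url) != url


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real system.
    for sample in (
        "https://alice:s3cret@example.com/files/a.tar.gz",
        "https://example.com/dl?file=a.tar.gz&token=abc123",
        "https://example.com/plain",
    ):
        print(has_embedded_secret(sample), redact_url(sample))
```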

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling


Re: Cat herding

The Web isn't the only use of DNS though. Any service that needs to resolve a hostname to find which IP address to connect to, or what domain a connecting IP belongs to (assuming PTR records are appropriately updated), relies on DNS. The assumption that "The Web" == "The internet" needs to die.

Yes "The Web" is an important service that many people use day in day out, but it is only one of many services that run over the internet.

Take my advice: The only safe ID is a fake ID


Re: Silly first name.

Stuart is an English name, derived from the French name Steuart, which is derived from the Scottish, and correctly spelt, name Stewart.

All because of Mary Queen of Scots.

Tired sysadmin plugged cable into wrong port, unleashed a 'virus'


Odd Network issues

Once worked at a place that had an interesting, and difficult to diagnose, network problem. The network kept going down, and it looked like a routing loop, but would recover on its own sporadically. Turns out that when you use virtualisation on Windows 10, and team two network interfaces together, it helpfully uses spanning tree protocol to prevent routing loops. Unfortunately it uses a very low ID for this, so in this case became the root of the tree: every time the dev plugged his laptop in to the wired network it became the root of the tree, and sent traffic out over the wireless link (that didn't support spanning tree) which was then passed back to the wired network. And when he left his desk for a meeting and unplugged his laptop everything recovered. Took hours of my colleagues running around trying to figure out what was going on to get to the bottom of that one (and we all learned the importance of telling your network switches which ports were allowed to use spanning tree protocol, and which switches were authorised to be part of the tree). I dodged a bullet by having that morning off.

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats


Damp Squib

The attempt by the authors to hype up this "vulnerability" for exposure is both obvious, and irritating. There are now going to be articles in the mainstream press saying "encrypted emails are insecure" for a week or so. Anyone following reasonable practice with email security is simply not at risk due to this, despite the "turn off all encryption and uninstall the plugins" message that this was first reported with. All that is required to not be at risk from the "vulnerabilities" as described is to not automatically fetch remote content. An option that has been in email clients for ages, and has been good security practice for almost as long. That other vulnerabilities may exist for the second of the two attacks, which only allows the exfiltration of some of the plain text, rather than all of it for the first vulnerability, and is more technically involved than the first vulnerability, is something that is of minor concern, and should be patched against, but turning off HTML rendering (which has also been good security practice for ages) closes both holes completely.

Yes some of the vulnerable software has default settings that put the users at risk, reading the paper that is 13 of the 48 clients listed as tested, and 10 of those have the option to turn it off.

This is meh at worst for those who need the extra protection of encrypted e-mail, frankly.

You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!


Re: Unisys screwed up

"A better example might be that the library have a shelf with free give-away books, and have put some that they don't want to give away there by mistake.

Now you are meant to come in at the front door and ask the librarian for a book on her list - and then she gives it to you from that shelf. You can't ask for the mistaken books, because they are not on her list. But one night a kid outside the library opens the window next to the shelf and takes a whole armful of books, including some which weren't on the librarian's list..."

Given he could just run GET requests if there was an access control system (which none of the information I have read suggests there was), it was more like the library putting that shelf outside the front door, clearly labelled to say the books are free, with a sign inside the library telling people they need to ask the librarian which books they can take, and a teenager, having never been in the library, but seeing the shelf labelled as a "free books" shelf, helps himself to some books from that shelf, not knowing there is a process to take the books, or that some of the books might not be free.

I'm not saying it isn't a crime, but it ought not be, and the library management should be sacked for gross incompetence.

Maverick internet cop Chrome 64 breaks rules to thwart malvert scum


Re: Legal liability?

Sounds great, but also complicates the matter, and allows both to wring their hands while blaming the other.

No, as far as the end user is concerned the website should be held solely liable.

If the website then wants to sue the ad platform as per their mutual contract, that is a matter for the owners of the website. And if the ad platform wants to sue the next party down the chain ... etc.


Legal liability?

This is why websites should be held legally liable for the third party content they choose to include on their pages. The excuse "oh but it was a third party advert that screwed you over" should simply not be tolerated. Whilst the websites can claim that their active inclusion of untrusted third party content isn't their responsibility there is no incentive to clean up the cesspit that is the online advertising market.

Once a couple of good lawsuits bring down a few major websites caught including dodgy ads there will be calls to do something about the dodgy ads that the ad brokers simply will not be able to ignore. Websites will start using ad platforms that offer financial guarantees, and/or indemnity against lawsuits. This will force the ad platforms to vet the ads they include or face bankruptcy when a dodgy ad hits the wrong person.

Rolls-Royce, Airbus, Siemens tease electric flight engine project


Re: Elementary dear readers

Indeed. All the comments of "but efficiency" or "battery weight": why are we not happy with a technical demonstrator/research test-bed being used to move the state of the art forward? It's not like any of the partners in this process are saying that they are going to start mass producing this configuration for commercial operations. It is an attempt to develop the technology, and demonstrate its feasibility.

80-year-old cyclist killed in prang with Tesla Model S


Re: The Man Who Fell To Earth

Reasonable assumptions might play a part here.

The Tesla S 90D is an expensive sports car. It is likely that it was travelling at a substantial speed; it is possible that it wasn't, but why spend £70,000 on a fast car and then not go fast?

The cyclist was, well, a cyclist. It is likely they were travelling somewhat slower, it is possible that they were travelling at substantial speed, but the cyclist's speed is limited by the limits of human performance and endurance. It is possible they were cycling up to 70km/h but for an 80 year old that seems unlikely.

On balance, it would seem to be more likely that the car hit the cyclist than the cyclist hit the car. Under UK law (and based upon common sense) this would make it the car driver's fault (unless some mitigating circumstances can be found).

What makes you think that it is anything but extremely unlikely that the driver of the Tesla is not at fault?

Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'


Re: why would anyone link their bank accnt to paypal

Why would credit card companies hate being paid off in full each month?

They get their funds from the Credit card transaction fees the merchant pays for the privilege of being able to take credit card payments, and they do so whilst accepting the minimum of risk of default from the card holder.

Yes they can make money from your interest payments on any ongoing debt each month, but the risk of default is higher on credit cards than other unsecured debt, hence the higher interest rates. And in the UK the credit card company also has to accept the shop's liability on certain purchases, so they get the risks from both ends. Surely anything that reduces that risk (like prompt payments from the card holder) would be a positive thing.

ZX Spectrum reboot firm slapped with £52k court costs repayment order


One sports day when I was little a man walked up to my father and asked "Are you Daniel's father?" (my brother) and when my dad said yes, the man turned to his son and said "in future you fight your own battles".

It was pretty awesome growing up with the tallest dad in the school :P

High Court hands Lauri Love permission to appeal extradition to US


UK law ought to apply, surely?

Surely, the default position should be that a UK Citizen, allegedly committing an act that is against UK Law, in the UK, should be tried in UK Courts. I really don't understand how the Anglo-American extradition treaty could possibly allow for it to be otherwise. I recognise the potential for a grey area when the act was committed outside the UK, or potentially by someone who is not a UK citizen (although I would err towards UK laws being enforced in the UK here as well to be honest). But what the man is accused of is a crime in the UK, and he allegedly committed the crime whilst in the UK, we should be pressing for the US prosecutors to present their evidence to the CPS so they can prosecute the man under the law he has grown up with.

systemd-free Devuan Linux hits version 1.0.0


Re: Honest inquiry

If it's a five nines service it isn't running on one single server, and so if one instance goes down it's better it stays down till it can be fixed and brought back up cleanly than it come back up in an indeterminate state and potentially serve corrupt data to your customers, potentially costing you far more than the cost of offering no service for a time. As to "and because it's a holiday or whatever, no one's around to verify its state if it goes down", that's what monitoring and call-out rotas are for.

(and if it is a five nines service running on a single server, it won't stay that way for long)

In its current state, Ubiquiti's EdgeSwitch won't have much of an edge on anyone


Re: Not Impressed with UniFi

As a full featured enterprise WAP the UniFi is not expensive, it is in fact very reasonably priced, as a domestic WAP, it's a little pricey, but that's my own fault for wanting to play with the expensive enterprisey WAP in the first place. My current WAP is more expensive than the UniFi, again my own fault for wanting to play with advanced features, but is also, in my humble opinion, better. It still has features that try to tie you into the vendor (hence not being happy enough with it to identify it publicly) but it has been a better purchase for me.

Maybe I was unlucky and got a less than perfect UniFi AP, but the problems all struck me as software type problems rather than hardware type problems.


Not Impressed with UniFi

"Members of the IT community rave about networking kit vendor Ubiquiti. You'll find praises sung both on Spiceworks and amongst vExperts for their UniFi devices."

I too saw the raving about UniFi, and wanted to see what all the fuss was, so when I needed a decent WAP I decided to go down the route of a very expensive experiment with a UniFi AP. I was suitably impressed once I got it, and the UniFi controller software needed to configure it, working. But then all the special enterprisey features appeared to be geared toward an all-Ubiquiti network, and the UniFi software kept telling me my network was broken because I didn't have their switches or routers. I object to that sort of nagging tie-in. And then there were niggles with the AP: it'd work fine most of the time, but at weird times it would stop working for no apparent reason, and then just work again a little while later. Also without the software running the AP would last for some time, and then just forget its settings altogether (yeah, I should have kept the server up, but to just forget all the existing settings when nothing has told it to change settings isn't great).

Now using a different (also expensive experiment for me) WAP.

Not a fan of Ubiquiti.

Mozilla: Five... Four... Three... Two... One... Thunderbirds are – gone


Interesting Timing

Until recently I was quite happy with Thunderbird on Windows, but I moved away from Thunderbird to use Claws-Mail instead, this being down to Thunderbird not liking TLSv1.2 on the IMAPS port.

I even blogged about the problem (but not moving away from Thunderbird) here: https://www.craig-james-stewart.co.uk/blog/blog/entry/even-further-adventures-in-ssl

Netgear prodded into patching SOHOpeless broadband router


Re: No surprise with Netgear

I have a Draytek 2860n which I upgraded to from a Draytek 2820n when I went to FTTC. The VDSL modem works (you do need to set the VLAN tag, to 1 if I recall correctly, but would need to check, to get it working without the Openreach modem). Happy with both of them, gave the 2820n to my folks (still on ADSL) and it's still running fine.

Sony sued by ex-staff over daft security, leaked privates



"This won't take us down," he promised, the LA Times reports. "You should not be worried about the future of this studio. I am incredibly sorry that you've had to go through this."

And that there is part of the problem. A breach this large, exposing this much sensitive data, really ought to be unrecoverable. Sony have apparently had everything exposed, all the personal details of all their current and many of their past employees, and all their confidential business data. Either one of those being leaked at that scale should cripple a business, both, at the same time, should be a death knell for the Board.

Back to the ... drawing board: 'Hoverboard' will disappoint Marty McFly wannabes


Re: How much weight...

Are you sure of that? Yes it would be easier to get moving, but have you ever tried to stop a full pallet on a pallet truck once it's moving? And in that situation friction is working in your favour!

Reducing friction will be good, but it won't negate momentum, and momentum for a heavy object is always going to be a bitch.

How I poured a client's emails straight into the spam bin – with one Friday evening change


Re: Every sysadmin must make one really big screw-up in their career

I think one of the most frustrating lapses of judgement I have had involved too liberal an application of "rm -rf"

I was on call, and one of the app server's disks filled up at 3am. So I fell out of bed, looked at the monitoring system, swore at the devs for not tidying up old deploy folders, changed into the deploy directory and ran "rm -rf *".

Then I got an alert that the app server I was working on was no longer serving content, as the live app was a symlink to latest deploy, that some muppet had deleted.

Fortunately I was intimately familiar with the backup system that was in place.

BAN THIS SICK FILCH: Which? demands end to £1.50-per-min 'help' lines


Re: So misinformed it has to be trolling from Which

I hate to break it to you but the £1.50 (and 20 minute) limits are not (or certainly weren't when I worked in a call centre advising people of call costs) legal limits that cannot be breached. They are simply the limits at which PhonepayPlus (previously ICSTIS) will not add extra scrutiny to your operations for running a premium rate number. There is also a limit on the total cost of a single call, which I cannot currently recall without looking it up. Breach of these limits will add extra scrutiny from PhonepayPlus, and additional requirements on your operations from PhonepayPlus, which may be onerous, and expensive. It is these additional sanctions (including needing to put a clear cost message at the beginning of the call prior to anything breaching these limits) that prevent companies from setting up with 09 numbers charging more.

T-Mobile UK punters break for freedom in inflation-busting bill row



Me either. I rang to report what I felt was a fraudulent extension of my contract. One of these companies that ring "on behalf of T-Mobile" called me, and I refused to agree to anything. Then I got a text from T-Mobile welcoming me to my new 12 month contract. After several calls to T-Mobile, and being told, on three separate occasions, that their "fraud team" had been passed the details and would ring me back, which they never did, I eventually gave in, rode out the extra 12 months, got my PAC code and changed provider.

When they asked why I was leaving I told them. They didn't offer me any incentives to stay, which at least suggests on that last call the person I spoke to had a brain in his head.

Outsourcer says rivals faked stolen database offer


Not just IT

As anyone who has worked in the recruitment industry will tell you, the recruitment business is a cut-throat one.

Biting the hand that feeds IT © 1998–2019