* Posts by MarkSitkowski

72 posts • joined 14 Sep 2012


They're BAAACK: Windows 10 nagware team loads trebuchet with annoying reminders to GTFO Windows 7

MarkSitkowski

Re: Is it stable yet?

Stable? I've been frantically preparing a Win7 machine and transferring all my data, while the Win10 thing still works.

Windows Update ("We're going to make Windows better, and add even more exciting features") has been running for all the hours the machine is switched on, 5 to 7 days a week since last June. It uses 95 - 100% of my CPU and about 4GB of RAM. Since I only use it as an xterm, to connect to a proper computer, it's not completely unusable, but it takes 1-2mins for windows explorer to start, and about half a minute to switch folders in Outlook. Windows won't let you turn off Update, and if you try to kill it or any of the four or five supporting processes, you're told it'll "make your PC unstable". Like that's worse than unusable.

The Win Update 'troubleshooter' is useless. It tells you it's fixed all the problems, except for coquettishly telling you that "Windows Update components must be repaired", and leaving you to figure out the 'how'.

I've checked on the Net, and I'm not the only one. There are hundreds of users whose PCs have been taken over by Windows Update, and some believe that it's really a bitcoin miner, although these latter tend to not arouse suspicion, by limiting CPU use to 50%.

So far, none of the "exciting new features" have materialised and, even if they did, I wouldn't have enough CPU power left to run them.

Windows 10 Pro goes Home as Microsoft fires up downgrade server

MarkSitkowski

Consider yourselves lucky!

I envy you guys with unactivated Win 10 Home.

I have an activated Win 10 Pro, with a Windows Update that runs 24/7 for four or five days at a time, eating 100% of my CPU, making the whole thing unusable.

If I run wu170509.diagcab it kills the update process, fixes a few bad files, but leaves saying 'Update files were corrupted'. A few days later, Win Update runs again, with the same problem.

I'm painfully transferring all its files to a Win 7 PC, so I can get back to something which works fine, needs no more updates and doesn't need colonic irrigation every few days to make it run again.

Agile development exposed as techie superstition

MarkSitkowski

Re: There were studies ... and a result is Donald J Trump .... an Energetic Distraction?

Stop smoking that stuff - it's rotting your brain...

Here come the lawyers! Intel slapped with three Meltdown bug lawsuits

MarkSitkowski

Here Come The Hackers, too

Now that those clever researchers have told the world about a vulnerability that lay dormant and unknown for a couple of decades, every respectable hacker will be hard at work writing exploits - probably using the sample code issued with the release.

Thanks, guys.

MarkSitkowski

re: lightspeed lawyers

At last! I knew that if I waited long enough, my Z80 and 8080 assembler skills would be in demand...

Open-source world resurrects Oracle-free Solaris project OmniOS

MarkSitkowski

Re: YAWN

Evidently, Oracle doesn't share your opinion, since they neglected to port their own (indifferent) version of Linux to SPARC.

Perhaps, with the advent of Meltdown and Spectre, they'll reconsider...

MarkSitkowski

Re: solaris itself is fragmentation

Nope. SunOS ('Solaris 1') up to 4.1.4 was derived from BSD; Solaris 2 tried to be pure SysVR3.

MarkSitkowski

Isn't running FreeBSD the same as running SunOS 4.1.4? That was all BSD.

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

MarkSitkowski

Unprofessional Irresponsible Self-Aggrandisement

I hope the jerks who made this public are patting themselves on the back and smugly basking in their new-found fame.

These vulnerabilities have lurked around for 20-30 years, without causing anyone any problems, since the average dopey hacker is clueless about silicon architecture, or how it handles branching in cache execution.

Now, thanks to these self-serving idiots, the world is in turmoil, with Intel users wondering how long before the parasites put together a few hacks - based on the suggestions also published with the disclosure - and give them to a botnet to execute.

It doesn't bother me, since all our stuff runs on Sun SPARC, but it occurs to me that there should be a law or, at least, a protocol, whereby people like Intel get the results of such reports in secret, and the dirt isn't made public until there's a fix in-place.

MarkSitkowski

No Problem

Glad all our stuff runs on Sun SPARC...

Voyager 1 fires thrusters last used in 1980 – and they worked!

MarkSitkowski

Re: CDP1802

"...Hedy Lamarr didn't really invent Spread spectrum..."

She invented band-hopping radar, and even applied for a patent, but the hardware of the time was too clumsy to implement it.

MarkSitkowski

Re: how is assembler outdated and by what?

As far as I remember, it uses a bit-slice CPU (not any Intel rubbish), so the architecture is custom-made, implying a proprietary instruction set.

Windows Fall Creators Update is here: What do you want first – bad news or good news?

MarkSitkowski

Re: Inivitably!

When my 10am presentation slowed to a jittery crawl, I waited the two minutes it took to start 'Task Manager' and, finding a load of Windows Update poison dwarfs eating 100% of my CPU, I tried to kill them.

As with HAL, it silently did the 'I can't let you do that' routine, even though updates had clearly been told to stay away between 9 and 5.

All those settings are just a placebo. Windows downloads its updates in background, without asking you and, later, runs the updates in background. The only clue is the 100% CPU usage.

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

MarkSitkowski

Yes...But Who Stole It?

All that data is sitting on the hacker's computer, somewhere. Have they yet determined where the breach came from?

Unloved Microsoft Edge is much improved – but will anyone use it?

MarkSitkowski

Re: And its only Windows 10?

Our IDS blocks wget as a potential site-scraper hack...

Oracle staff report big layoffs across Solaris, SPARC teams

MarkSitkowski

Does this mean that Microsoft and Intel now own the world?

Time to invoke the same anti-trust laws that saw the break-up of AT&T.

Should Conversion of Bitcoin to Money Be Illegal?

MarkSitkowski

Should Conversion of Bitcoin to Money Be Illegal?

The blockchain financial system is the most radical revolution since money lenders sat at their benches ('bancs'), and is obviously the way of the future.

However, as recent events have shown, the only people who currently use Bitcoin are criminal hackers, money launderers and drug dealers. Should they be forced to use conventional, traceable, means of demanding their ransoms or shifting their ill-gotten gains around the world, so they can be identified and brought to justice?

Feelin' safe and snug on Linux while the Windows world burns? Stop that

MarkSitkowski

Re: What is this OS 'version' thing you speak of

I have applications written originally for SunOS 4.1.0, and they run happily on every version up to Solaris 11.

I have applications written for Windows XP which crash catastrophically on Windows 10. Go figure.

MarkSitkowski

The other O/S's

Windows malware only executes on Intel CPUs. We run Solaris on Sun SPARC servers. Is it okay to feel smug about that?

Australian oppn. leader wants to do something about Bitcoin, because terrorism and crypto

MarkSitkowski

"...we should have specific people in high level government / the cabinet with proven knowledge and preferably qualifications in Technology ..."

That's how they do it in China, and it's done them no harm to date.

One-third of Brit IT projects on track to fail

MarkSitkowski

Re: @Rocket Rabbit ... With maths and syntax like that

"...all of the reasons provided are valid reasons for project failure in some cases all of the above."

I think they can all be summarised in one reason: the project manager didn't understand the technology.

If you're from a development background, then you know the approximate time a given task should take, and you can qualify the estimates given by the staff. If a developer gives you an excessively long estimate, this tells you something about either his technical competence, or his level of commitment.

When you're given the timeframe, you can compare it with your own estimate of project duration and have the management amend theirs. If they won't, you ask for confirmation that they take responsibility for the overrun.

When the marketing people decide to add features in mid-project, you submit a new project schedule, with revised costs, and a request for the confirmation mentioned above.

I'm not saying that all this will guarantee that you run to time and to budget, but it may help your bosses to eventually understand what factors should be taken into account before they say things like "Here's the job, you have five guys and three months to do it".

Huge ransomware outbreak spreads in Ukraine and beyond

MarkSitkowski

How to stop ransomware

Since only criminals use bitcoin, just make it illegal to trade bitcoin for real money. Then they can be traced through any banking system. Too easy, man...

Microsoft says: Lock down your software supply chain before the malware scum get in

MarkSitkowski

The only editor in a proper china cup...

I'm glad I use vi - or vim, if it's a Billyware box. No vulnerabilities.

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

MarkSitkowski

Seems that Bitcoin only exists to enrich criminals and fund terrorists. Isn't it time to make it illegal to trade bitcoin for real money? Or, better still, shut down any organisation trading in it?

Realistic Brits want at least 3 security steps on bank accounts

MarkSitkowski

Re: Like Razors ...

This is even better...

https://www.linkedin.com/pulse/choice-second-authentication-factor-mark-sitkowski

Facebook is abusive. It's time to divorce it

MarkSitkowski

We've tried it your way...

Okay, that's it.

We engineers want our Internet back.

We gave it to you, hoping you'd make good use of it, and all you've done is created stupid 'social media', bred a generation of parasites whose only purpose in life is to make everyone else's a misery by hacking everything, and created a new kind of bank robber.

Enough is enough. Give it back to its rightful owners.

Why Firefox? Because not everybody is a web designer, silly

MarkSitkowski

Re: I recently ditched Firefox.

...FIREFOX FORK...?

It's already out there. Get hold of Pale Moon.

Machine vs. machine battle has begun to de-fraud the internet of lies

MarkSitkowski

Machine vs Machine Battle?

Happened ages ago. About 6 years ago, our website was attacked by a botnet, which ran hack attempt scripts 24/7. Since it was impossible to block its attempts by hand, I wrote an IDS/IPS, which would analyse the content of every connection, identify possible hack attempts, and add a firewall rule, blocking the IP address. It would then look up the owner of the address, and send an email which included the log file extract containing the hack query. The ISP would then cancel the zombie account.

Over the last 6 years, this system has been running unattended, swatting incoming hacks from zombie machines running automated hack scripts, and removing these parasites from the internet.

Everyone should do this - I might even give away the source code to encourage it...

As you stare at the dead British Airways website, remember the hundreds of tech staff it laid off

MarkSitkowski

Re: Correlation is not causation

Wouldn't 'post hoc, ergo propter hoc' be a more accurate reflection of the situation?

MarkSitkowski

Re: I share your concern

I miss the silver service we used to get on BOAC *sigh*...

It's not just Elon building bridges to the brain: The Internet of Things is coming to a head

MarkSitkowski

Re: You humans think very highly of yourselves

Every time you cross a road with traffic coming from both directions, you solve about three second-order differential equations with every millisecond that you're in transit (assuming you don't want to meet the traffic en route). Having programmed computers to solve differential equations, I believe the brain does it faster - because it does it using analogue, not digital techniques. Perhaps some of these researchers should give that a thought...

'Clearance sale' shows Apple's iPad is over. It's done

MarkSitkowski

Re: @ juice - As I have said a million times

Even the French have always used inches for screen sizes, way back when screens had implosion guards and weighed a quarter of a ton (tonne?)

Microsoft's DRM can expose Windows-on-Tor users' IP address

MarkSitkowski

Re: So MS lost the keys already

According to Microsoft, DRM is obsolete, and has been replaced by MS PlayReally (something like that)

Is your Windows 10, 8 PC falling off the 'net? Microsoft doesn't care

MarkSitkowski

Re: Stuff like this...

What?? You mean XP has been replaced by some new release? Nobody ever tells me anything...

DNS devastation: Top websites whacked offline as Dyn dies again

MarkSitkowski

How about this?

Our IDS/IPS automatically inserts a new firewall rule for every incoming hack. It then reports the offending IP address to the ISP owning it. It never sleeps.

During a DDoS attack on our website in 2014, we were attacked by approximately 7000 servers from almost every subnet in Brazil and Argentina, during an attack that lasted a week. Each attacking server was blocked after the first hack query and, over the course of the week, the attack tailed off, as each ISP took the offending IP address offline.

This may not be a perfect solution, but it deactivates each mindless parasite as it removes each attack endpoint. If everyone did this, and ISPs responded fast enough (Best: Brazil, Germany, Russia, USA, Indonesia, Israel. Worst: China, Mexico, France) the hackers would spend their lives constantly looking for new servers running vulnerable WordPress/Joomla installations, as the existing ones were neutralised.

Cats understand the laws of physics, researchers claim

MarkSitkowski

Re: Pheline Physics

I think this was proved ages ago by Schrödinger - although he was never sure whether it was dead or alive...

Why a detachable cabin probably won’t save your life in a plane crash

MarkSitkowski

New angle on old Bad Idea

There was a time when people thought that giving each passenger a parachute was the answer. Having read this article, it seems that it was marginally less loony.

LinkedIn sinkin': $10bn gone in one day as shares plummet 40%

MarkSitkowski

What Jobs?

I joined Linkedin about four years ago, so I could join in the technical discussions and, possibly, learn something. Never occurred to me to use it to find a job.

Since then, the technical discussions have been strangled by the Linkedin Gestapo, which deletes any post containing a web address or product name - even if the post answers a question, like 'Does anyone know where I can get a good network monitor?'.

The technical articles have been strangled by Linkedin's sudden arbitrary limit of 1000 words per post, which paves the way for articles to be replaced by links to self-serving marketing handouts.

There's also the rising plague of links to 'webinars' - most of which occur at 3am, and all of which expect that you have up to two hours to waste, listening to commercial drivel.

I'm not surprised their investors are disillusioned with the site's performance, since it appears to have thrown away the only reasons why people joined it, back then.

Juniper's VPN security hole is proof that govt backdoors are bonkers

MarkSitkowski

Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

Seems to me that, smart though you may be, you've totally misunderstood the whole picture, and how it all hangs together.

I believe that, early on in the post, I made the point that this was easy to do, and not that it was innovative - except for the matrix driven authentication, which holds a patent.

The point you've missed, is that it doesn't matter a toss, whether AES192 is better than AES256, or whether you can do it with TLS, or any other cryptographic method.

The actual point is that, however weak the cryptography, a public key is only used for one session, never stored anywhere, then thrown away. There simply isn't time for a hacker to hack it and, if he did, it would be useless for any subsequent session.

The cryptography is only half the story, the other half being the fact that passwords are not stored anywhere on the system, and not known to, or recoverable by anyone - not even root.

As a complete entity, I stand by my submission, that this kind of system is unhackable in the chain of events between the initial login request and the transmission of data on an encrypted channel.

One vulnerability I'll grant you: If the hacker interposes a proxy between the user and the authentication server, he can pretend to be the user to the server, and pretend to be the server to the user. That way, he can get a legitimate private key from the server, and use that to encrypt conversation with it, and negotiate a legitimate private key with the user, with which to decrypt the matrix solution. He then re-encrypts this with the key obtained from the server, and logs in as the user.

I believe this scenario is indefensible, unless anyone knows better?

MarkSitkowski

Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

You're right. Once the Enemy Within has the root password, there is no defence but, then, if that's the case, you have other problems...

MarkSitkowski

"Juniper's VPN security hole is proof that govt backdoors are bonkers"

What’s wrong with these people?

Is it because mathematics has been dropped from the engineering syllabus at universities, or is it because everyone employs the same incompetent security people to do the architecture of their security system?

Making the whole thing bulletproof is easy, and I’ll explain how it’s done – if only to show how little understanding there is of basic principles.

First, this is a two-part process, so pay attention to the two Important Parts, and how they support each other.

To make it work, you need to store the hash (SHA256, preferably) of the password in your database. So far, so good – this is the way Unix, and even Microsoft does it.

Next, to authenticate the user, you need a public key exchange protocol, the best of which is Diffie-Hellman. Here’s Important Bit Number One: With each connection, you throw away the private keys, and generate new public keys.

Once you have a secure connection, you encrypt the transmission in both directions, using the private key, and AES256, then send the user this kind of matrix:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

1100010010000100000111101110

The user enters the pattern of ones and zeros, which correspond to his password, encrypts the result with his private key. Now here’s Important Bit Number Two: The pattern of ones and zeros is random, and different with each login attempt.

At the server, we take the matrix components, and brute-force the received solution, taking the hash of each solution, and comparing it with all the database entries.

Note the following:

1. There are no encryption keys left on either end of the system

2. The clear password doesn’t exist at either end of the system, and is never transmitted.

3. Theft of the database yields the hacker a lot of meaningless hash values

4. Nobody on the inside – not even root – can compromise the system.

5. If the hacker tries to brute-force the encryption, it’ll take 10^23 years to get the private keys. These will be useless after the current session is terminated and, by that time, dinosaurs will have returned to the earth.

6. If the hacker succeeds in solving the Discrete Logarithm Problem in less than 10^23 years, he then has to hack the password from the random pattern of ones and zeros. If he succeeds, he won’t know he’s succeeded, since he won’t know which of the hashes corresponds to each hack result.

Also, guess what? That solution is only good until the current session terminates. Then, he has to start again.

I submit that this is totally bulletproof, and don't buy the surmise that 'everyone will get hacked sometime'.

This is actually available as a commercial product, but since this is just a technical rant, instead of telling you where to get it, I’ll merely suggest that you drop me an email.
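The alphabet/bit-pattern challenge sketched in the post above, written out as an added illustration by the editor; it is not the author's product code. The ephemeral Diffie-Hellman exchange and the AES-256 channel the post wraps around it are assumed to be in place and are not implemented: the challenge and response are passed as plain strings so that the matrix logic and the server-side verification against stored SHA-256 hashes can be read on their own. The user name, password and one-entry database are constructed.

```python
"""Matrix challenge/response: random bit per letter, client returns the
bits of its password letters, server brute-forces the consistent set.

Added illustration, not the author's code. Assumed and NOT implemented:
the per-session Diffie-Hellman key exchange and AES-256 channel.
"""
import hashlib
import secrets
import string
from itertools import product

ALPHABET = string.ascii_uppercase      # the header row of the matrix


def make_challenge():
    """Server: a fresh random bit for each letter, different on every login."""
    return "".join(secrets.choice("01") for _ in ALPHABET)


def answer_challenge(password, pattern):
    """Client: for each password letter, send that letter's bit from the
    pattern. The password itself never leaves the client."""
    return "".join(pattern[ALPHABET.index(ch)] for ch in password.upper())


def stored_hash(password):
    """What the database holds: SHA-256 of the (upper-cased) password."""
    return hashlib.sha256(password.upper().encode()).hexdigest()


def candidate_columns(response, pattern):
    """For each response bit, the letters whose pattern bit equals it
    (about half the alphabet per position)."""
    return [[ch for ch, bit in zip(ALPHABET, pattern) if bit == r]
            for r in response]


def search_space(response, pattern):
    """Number of candidate passwords the server hashes to check one response."""
    n = 1
    for col in candidate_columns(response, pattern):
        n *= len(col)
    return n


def verify(response, pattern, hash_db):
    """Server: enumerate every password consistent with (pattern, response),
    hash each one and look it up in hash_db (hash -> username).
    Returns the matching username, or None if nothing matches."""
    for combo in product(*candidate_columns(response, pattern)):
        h = hashlib.sha256("".join(combo).encode()).hexdigest()
        if h in hash_db:
            return hash_db[h]
    return None


if __name__ == "__main__":
    db = {stored_hash("SPAR"): "mark"}          # constructed one-user database
    pattern = make_challenge()
    resp = answer_challenge("SPAR", pattern)
    print(ALPHABET)
    print(pattern)
    print("response:", resp)
    print("user:", verify(resp, pattern, db),
          "found after at most", search_space(resp, pattern), "hashes")
```

Each response bit only halves the alphabet, so the server's "brute-force the received solution" step enumerates roughly 13^n candidates for an n-letter password, which is why the demonstration uses a four-letter one. A response captured from one session is consistent with a different set of candidates under the next random pattern, so replaying it against a fresh challenge does not verify.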

UK research network Janet under ongoing and persistent DDoS attack

MarkSitkowski

What kind of DDoS?

Does anyone know the exact composition of the DDoS traffic?

(like multiple simultaneous HTTP requests, multiple FTP connections, UDP traffic, etc)

Brit mobile pay biz reveals historical cyber attacks, gets smacked in the share price

MarkSitkowski

You're kidding, right?

Words almost fail me - apart from a few very short Anglo-Saxon ones.

a) What kind of an amateur outfit full of incompetents takes 'several years' to discover they've been hacked?

We expect to be informed of a hack attempt within 1 or 2 seconds - not years, seconds - of the attempt.

The fact that these idiots didn't learn about it for so long, is indicative of the fact that there was nothing there to do the warning.

Normally, I'd say fire everyone in security, but in this case, they also need to fire the 'manager' who approved their non-existent security setup.

b) Have they never heard of encryption? Even if you're as thick as two short planks, and know nothing about keeping the hackers out, at least make sure that what they steal is useless.

Can't believe that, in 2015, there are still companies around like this. I bet they also have rooms full of people with quill pens writing copperplate replies to customers.

Rise up against Oracle class stupidity and join the infosec strike

MarkSitkowski

It can't happen to us...

Brilliant article, expressing what I've been saying for years.

My view is kind of biased, since I'm in the security business but, from what I've seen of the attitude of decision-makers in financial institutions, they have everything in common with the guy who jumped off the top of the Empire State Building. As he passed each floor, people heard him say, "so far, so good..."

The worst part, however, is that the guy was told by a False Prophet that he would never reach the ground. A couple of years ago, when the FBI was deciding on an authentication system, I wrote to them to warn them against biometrics (the data is digitised, it's just username and password all in one, and you can't change it, if it's stolen). The fact that they chose to ignore the warning is purely indicative of stupidity, payola, incompetence or whatever but, now that the FBI, Department of Defense and others actually have had their fingerprint database stolen, how confident do you think they will be in the next snake oil salesman?

I think the False Prophets are partly to blame for the attitude of management in many industries.

Windows 10 is FORCING ITSELF onto domain happy Windows 7 PCs

MarkSitkowski

Re: A gift horse?

Having fallen on my head recently, I accepted their gift horse over the weekend. When it wouldn't run the only application for which I use a PC ('Reflection X', which connects me to a Unix box), I hit the Revert to Windows 7 button.

When Win 7 finally reappeared, there was a gloating note in the corner saying 'This copy of Windows is not genuine'. Restoring backups didn't work, with the smug message 'Your system files were not altered'

I now have the choice of putting Win 10 back, or forking out for another copy of Win 7, which will probably trash my disk, if past experience is anything to go by.

How do I get Linux...?

Keep your stupid drones away from piloted aircraft, rages CAA

MarkSitkowski

Or, perhaps, with this?

http://www.sciencealert.com/nightmarish-video-of-gun-firing-drone-to-be-investigated-by-us-aviation-authorities

You'll never love an appliance like your old database

MarkSitkowski

The real worry is, that the marketing message appears to be that you no longer need any technical skills to deploy and maintain a database. This, added to storage and computing power being offloaded to cloud vendors, leads to a situation where the company has less control over its data than a plethora of vendors. I would suggest that, from the point of view of security and control, this is not a Good Thing.

Nasty Dyre malware bests white hat sandboxes

MarkSitkowski

Simple solution?

All this crap is written to run on Intel hardware. Run confidential stuff on a Sun, IBM or HP box - it'll give you a decade or so of security before the parasites learn to write SPARC assembler.

'Bar Mitzvah attack' should see off ancient and crocked RC4 algo

MarkSitkowski

Cost-effective?

Why does everyone assume that hackers will patiently sift through millions of conversations in the hope of decrypting a password? Especially, as the one they succeed in decoding might be that of a guy with $20 in his account.

Doesn't sound cost-effective to me.

US plots to KILL hackers – with bureaucracy!

MarkSitkowski

There is a better way...

There's no need for any more agencies, committees, or bureaucracies. The solution is to do what our company does.

Our IDS/IPS notes the IP address of the attempted hack, enters a rule into the firewall, then looks up the owner in a whois database, and sends an email to their abuse/support line, together with the system log extracts.

It's totally hands-off automatic, and cuts off the hackers' source of zombies. If everyone did this, it would limit each hacker to just one hack attempt.


Last June, we were getting 7000 hack attempts a day from a Turkey-based botnet, which had taken over almost every subnet in Argentina and Brazil. The attack died exponentially, as each compromised server was reported and cleaned up by the ISP.

If anyone wants to do something that actually works, I'm happy to give away the source code of the IDS/IPS for free, together with a dump of our whois database. It's written for Sun, so you'll need to modify the firewall rules if you use iptables.

If this sounds like it'll work for you, send me an email at xmarks(at)exemail.com.au.
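The block-and-report loop described in this post and in the Dyn and 'Machine vs. machine' posts above, as an added example by the editor; it is not the author's IDS/IPS source. Assumptions: Apache combined-format access-log lines (constructed below, using RFC 5737 documentation addresses), IP Filter (ipf) rule syntax for the Solaris firewall with iptables as the Linux alternative, and a constructed table standing in for the whois abuse-contact lookup. Nothing here touches a firewall or sends mail; the functions return the rule text and the report for the caller to apply and send.

```python
"""Automated IDS/IPS loop: detect hostile request, emit a firewall rule on
the first hit, look up the abuse contact, build the report with the log
extract. Added example, not the author's code; see the assumptions above.
"""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2014:03:14:07 +1000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2014:03:14:08 +1000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.2"
192.0.2.55 - - [12/Jun/2014:03:14:09 +1000] "GET /images/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2014:03:14:10 +1000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "python-requests/2.2"
203.0.113.7 - - [12/Jun/2014:03:14:11 +1000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Request-line signatures, checked in order; the first hit names the attack.
SIGNATURES = [
    ("sql-injection", re.compile(r"union(\s|%20|\+)+select|%27|'", re.I)),
    ("path-traversal", re.compile(r"\.\./|%2e%2e", re.I)),
    ("wordpress-probe", re.compile(r"/wp-login\.php|/xmlrpc\.php|/wp-admin", re.I)),
    ("joomla-probe", re.compile(r"/administrator/index\.php", re.I)),
]

# Constructed stand-in for the whois database: network -> abuse mailbox.
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@example.net",
    "198.51.100.0/24": "abuse@example.org",
}


def classify(line):
    """Return (ip, signature_name) for a hostile line, (ip, None) for a
    benign one, (None, None) if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    for name, pat in SIGNATURES:
        if pat.search(m.group("req")):
            return m.group("ip"), name
    return m.group("ip"), None


def firewall_rule(ip, flavour="ipf"):
    """Rule text that drops all traffic from ip: 'ipf' (Solaris) or 'iptables'."""
    if flavour == "ipf":
        return f"block in quick from {ip} to any"
    if flavour == "iptables":
        return f"iptables -I INPUT -s {ip} -j DROP"
    raise ValueError(f"unknown firewall flavour {flavour!r}")


def abuse_contact(ip):
    """Longest-prefix-free lookup in the constructed contact table."""
    addr = ipaddress.ip_address(ip)
    for net, contact in ABUSE_CONTACTS.items():
        if addr in ipaddress.ip_network(net):
            return contact
    return None


def process_log(text, flavour="ipf"):
    """Block each attacker on its first hostile request and keep every later
    hostile request from it as evidence. Returns ip -> record, in the order
    the attackers first appeared."""
    blocked = OrderedDict()
    for line in text.splitlines():
        ip, sig = classify(line)
        if not sig:
            continue
        if ip in blocked:
            blocked[ip]["evidence"].append(line)
        else:
            blocked[ip] = {
                "signature": sig,
                "rule": firewall_rule(ip, flavour),
                "contact": abuse_contact(ip),
                "evidence": [line],
            }
    return blocked


def abuse_report(ip, record):
    """Plain-text report carrying the log extract, for the ISP's abuse desk."""
    head = [
        f"To: {record['contact'] or '(no abuse contact found)'}",
        f"Subject: Automated abuse report: {ip} ({record['signature']})",
        "",
        f"Host {ip} sent the requests below to our web server; our intrusion",
        "detection classified them as an attack and the address is now blocked",
        "at our firewall. Please check the machine for compromise. Log extract:",
        "",
    ]
    return "\n".join(head + record["evidence"])


if __name__ == "__main__":
    for ip, rec in process_log(SAMPLE_LOG).items():
        print(rec["rule"])
        print(abuse_report(ip, rec), end="\n\n")
```

The benign request from 192.0.2.55 produces neither a rule nor a report, and the second hostile request from each attacker is only appended as evidence rather than generating a second rule, which is the "blocked after the first hack query" behaviour the posts describe. In production the contact table would be replaced by a whois or RDAP query, and the rule text handed to `ipf -f` or `iptables` by a process with the privilege to do so.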


Biting the hand that feeds IT © 1998–2019