Posts by Wzrd1 2274 publicly visible posts • joined 7 Dec 2012
"This doesn’t at all fit into the previously provided storyline, which claimed repeated and serious efforts to hack the election."
When one is dealing with intelligence services and senior leaders of governments combined, very little will ever fit clearly into the previously provided storyline.
Well, unless you've the appropriate clearance and need to know, then the fuller storyline is available.
"She has accumulated the mother of all bills by meddling both in Russia internal affairs and in affairs of states on its periphery in a way specifically geared towards hurting Russia and decreasing its power and influence (the personal spat with Putin was just a minor episode)."
In shorter terms, our protecting our friends in the Ukraine is interfering with Russia's internal affairs.
Frankly, dropping Gazpom sounds more and more attractive.
"You're pretty rich with the 'nukes' thing when it's Hillary and Obama stoking the flames of war-anger against Russia, over something Hillary made up during the heat of political battle."
Odd, when did Hillary Clinton become a CIA analyst?
I'll take the CIA's word over yours, comrade.
"Exactly how America will exact revenge is unclear."
Personally, I can think of dozens of ways, both via network centric warfare and sanctions that could get the point across that the US is rather upset.
Perhaps, targeting a Gazpom distribution facility in winter.
Releasing the names and addresses of known Russian government affiliated hackers.
Releasing the duty rosters of Russian government affiliated trolls, with their names and addresses.
Prohibiting the import of more Russian firearm components into the US.
Fast tracking a replacement for Russian space launch equipment.
Note the conspicuous lack of a nuclear response.
Although, parking a half dozen or more boomers in the Kola peninsula would also express some significant irritation, the chances of escalation would be far too great.
"The email server investigation was dropped before the election wasn't it? I thought the head of the FBI had declared that they weren't going to prosecute."
I see that you get your information from Russia Today and the Russian Troll Brigade morning briefings.
There was Hillary Clinton's private e-mail server that she used while SecState, never breached. No charges, no laws violated, really ancient news.
There was the DNC e-mail server that was breached, using TTP's associated with known Russian actors, who just so happen to be very timely in their "criminal activities" when Russia has a military operation in, say South Ossetia or other area that the Russian government is interested in, as in timely to the minute to drop a network to coincide with military operations.
I'll not go into server logs that I've reviewed that had troll traffic straight out of St Petersburg and I'm not speaking of just a few IP's, but hundreds of IP's.
"Me too, and I'm a pure-blooded Scot who doesn't even speak Russian."
Because the POTUS is endowed with the power to declare war, raise taxes and make it rain upon your favorite parade, right?
WWIII would require *Congress* to declare war, not a POTUS.
But then, we have a President Elect who stated flatly that having unused nuclear weapons makes little sense to him, so enjoy the fireworks display when someone irritates him.
That should take all of thirty seconds.
"Funny you should say that..."
Yeah, our eldest child was at work, working a 12 hour shift at the hospital, when our youngest child went to vote and noticed that her name was signed in the voting log, in handwriting not her own and somehow she had her political party changed as well.
For the first time in my life, I'm seriously considering stockpiling ten thousand rounds of ammunition.
"Trump has indicated that he is an outsider when it comes to the foreign policy elites so can be counted on to do some unexpected actions."
Odd, considering his utterly predictable cabinet choices, which are 'business as usual'.
Well, save for one thing. He did mention how having nuclear weapons remain unused made no sense to him.
Heaven help the world if he tires of Twitter and actually picks up a telephone...
One can build a machine gun or artillery piece as well, but if one sells it to an unauthorized person, one is in trouble for doing so.
If one doesn't pay the making tax for that weapon, one is also criminally liable.
Interestingly, one can build semiautomatic firearms legally, provided one isn't adjudicated mentally incompetent, a substance abuser, domestic abuser or a felon. One need only provide a serial number if one is building such weapons for resale.
Yeah, US laws are a bit weird.
"It's almost an official admission that tax rates are too high."
We just had that argument on a US news program, where the corporate talking head went on and on about the US having "the highest business tax rates in the industrialized world", then attempted to link that and "mom and pop" (small businesses) enterprises and the anchor for a change, calling him on it.
Small businesses, such as those involved in this story, are taxed at an private individual rate, not at a corporation rate.
The anchor also called him on the fact that corporations never pay that "huge rate", as they write off so many expenses and costs in such a way that they frequently pay precisely zero tax.
We have extremely tight data center access control, only the minimum personnel, aka engineers have access to the data center. Anyone else has to jump through everything from information security through change management, even to get a tour.
Needless to say, being in the information security department, I've successfully avoided a tour. I've lived inside of data centers long enough to happily skip that bit. Copious signage reminds the engineers to not leave anything that isn't a server or switch and such being authorized to be there inside of the data center. Paper and boxes are outright forbidden - devices are brought in without boxes or dunnage whenever possible.
About two months after I had arrived at the facility, having recently transferred there, one of our information security engineers wanted to retrieve a removable hard drive from a server, where some patches were installed from the device remotely.
He also wanted to sidestep change management in order to more rapidly retrieve the device. I wasn't having any of it and put it through change management, speaking personally with the manager in charge of change management in order to escalate and facilitate speedy removal of the offending device.
Said engineer then attempted, to surprising success, in having our management seek authorization for me to gain access to the data center.
A quiet conversation over lunch with the change management manager, suggesting an attempt to end run around the change management process put the kibosh on that access.
With a bootnote from myself through the entire management chain, "If you want me to have engineering access to the data center, you're going to pay me engineering wages, grant engineering access to our systems and title me an engineer, otherwise I'll have none of it, as it's above my pay grade".
"There have been some cases of fire alarms literally killing disks due to the siren - apparently mechanical disks do not take well to 120dB of sound."
Well, there was that time that the LAN/WAN shop supervisor and I were working in the main server room, when after a bit, we happened to work our way toward the end of the room that was close to the door and we noticed some odd noise.
Upon opening the server room door, we noticed that the fire alarm was going off and we later learned, it had been going off for at least 20 minutes before we noticed it.
Obviously, the server room had no siren, no annuniciator or any other form of signaling device to notify anyone within the server room that an emergency was ongoing.
Of course, the entire data center was one that was hastily installed, so it was a converted warehouse with a wet pipe fire suppression system that was shut off, lest a leak turn into a multi-million dollar disaster.
Once, we had a new installation fire marshal want to charge the system and test it, which all admins refused to permit, the country manager refused to permit and when authority to overrule all was sought from The General, well, it wasn't all that long after a major communications outage (see the UPS story above). Sir's response was both memorable, brief and negative.
"Intended to be manufactured, not to be fault traced or understood."
Indeed.
A handful of years ago, our building UPS, where backup power was supplied by a room full of batteries until the generator kicked in, had a veritable room full of defunct batteries.
When a utility transformer blew, leaving prime power offline, the building UPS promptly went offline. Fortunately, nothing critical was offline - only all war communications to and from both Iraq and Afghanistan. Telephone service, offline, data services, offline.
Suffice it to say, the staff meeting was quite lively with explaining to the General why his telephones and e-mail didn't work.
The common meme was, "no budget for that room full of expensive batteries". Something I had placed in my weekly status report since my arrival in theater. Those in charge, who glossed over in pointy haired boss mode were sent scurrying into the shadows, lest they never be promoted again.
Needless to say, our budget increased sufficiently, if only for a one time event, to replace that room full of expensive batteries.
Six months later, the batteries finally cleared customs and were to be installed in the UPS room. The facility manager then decided that he'd switch the UPS into bypass mode - without reading the manual or consulting an electrician.
Off went the power.
He then decided to read the manual, set it properly into bypass mode and begin re-initializing all cryptological devices and noted that the primary routers for the entire enterprise remained stubbornly offline.
I happened by to get a status report, as well as to ascertain just what in the hell was going on and I was brought swiftly up to speed on events that had just transpired.
So, my first question, "Do you have an electrical diagram of the power circuitry?". Amazingly, the answer was a resounding affirmative and off to the diagrams, rolled out over the middle of the facility floor I went.
I swiftly traced the power to the racks with the main routers back to their breaker and asked, "So, where is (not the actual circuit number) L18Y7 breaker?
A befuddled look later, we went off to the racks and racks of breaker panels, locating L, then 18 and finally the proper breaker, which was thoughtfully installed behind one of the larger racks of batteries and out of sight unless one knew it was there to be found.
I asked, "Do you want to await the arrival of the electrician or do *you* want to flip the breaker? It's not my responsibility and I won't be responsible if something goes wrong when it's flipped by an unauthorized person.", he flipped the breaker and the routers came up.
The moral to the story: Keep the damned manager away from the damned UPS!
We once had a house in Philadelphia that was built in the 1920's. Featured, knob and tube wiring, old gas pipes in the walls from the now long gone gas lights and a fuse box.
No wired fuses though, screw in and cartridge fuses only.
We promptly installed a breaker box, segregated the circuits and blown fuses became a thing of the hopefully to be forgotten past. And honestly, hanged if I could find a fusible wire in the US.
" Nobody else uses fuses in appliance plugs, for example, but then they don't usually run 32A to a wall socket either, as we do in the UK."
Well, many appliances also have thermal fuses within. Most motorized appliances have them inside of the motor windings (I've bridged more than a few to get them operating again at home (yeah, I know, not the optimal solution, but it's a coffee grinder)). Hot plates also tend to have thermal fuses.
As for relays, I've burnished my fair share of relays before they overheated and melted. I've even separated welded contacts, burnished the contacts and set them back into service, pending a replacement relay for the next maintenance cycle.
Indeed, churn out vaporware, use competitors real hardware and software in place of the vaporware, albeit with standard sized samples (requiring new samples be acquired from the patient, resulting in a delay in diagnosis and care), it's obviously not the testing company's fault.
It's Walgreens for not flogging over another $140 million.
Or something.
"... it's to pile in as much bullshit phrasing as possible."
Precisely, the telling part is when one is speaking with HR and there is no real, concrete (or even general) duties description.
Several times, with the hiring manager and HR, right in the middle of the interview and nothing but buzzwords were sent my way, I finally gave up and walked out.
Leaving one of my previous employer's rejected security androids in the elevator, as a parting gift.
"You change the Computer Misuse Act to let us shoot back."
And when that shooting back involves GCHQ or US Cybercommand to shoot back at Russia, let the chips fall where they may.
As that could be construed as an act of war, oh well. There were a lot of vacant old buildings in those cities, now we'll have a construction boom.
"Follow that with idiot sysadmins who can't be bothered to change the default password."
Erm, most of those IoT devices were consumer grade devices. Most consumers don't have sysadmins.
But, not a lot of people need most of the current crop of IoT devices on the damned DMZ. Seriously, if you can't figure out how much goddamned milk you have in the fridge, you should just stay at home where you can look inside the thing yourself, you're too damned stupid to be allowed outside alone. We don't need to see inside of your nursery, the kid's ugly.* Oh, your printer? Sure, I'll happily print 200 pages of black.
Seriously, most consumers don't have a clue what a DMZ is, there is no reason that any automagic configuration should stick an IoT device onto a DMZ. Ever.
*Honestly, I am actually quite fun in parties.
"It's worth keeping up with Pen Test Partners via their blogs because they are rattling through shonky IoT trash as quickly as they can."
Yeah, but Christ, that's only the tip of the iceberg! There are so, so, so many more out there.
Enough that even I am having trouble keeping up and both my reading rate and retention are legendary and I'm infamous for not having a personal life, as we've been married for 35 years. ;)
Hmmm, next time a bunch of us get together, I'll bring it up with my peers. It *is* becoming difficult to keep track, perhaps we can get a board together to track things and keep us up to date via a dashboard of novel things. We've gotten blindsided a couple of times with annoyances, we don't want to miss something important.
And while we're at it, we'll share our toys. Well informed is well armed. :)
As the malware is designed to hack into routers, web cams, DVR's and assorted other IoT devices, "just one webcam" is about the stupidest thing I've heard since Trump responded to this "a new thing called a cyber attack".
For The Donald, there is this new thing called fire. Fear it.
For you, the same general chipset can be used in a camera, router, DVR, garage door opener, light bulb or sex toy. As that implementation can also contain a reference filesystem and OS, if they're also using the same inane admin|admin username|password, that same malware will work on each and every device - even grannie's computerized back scratcher.
Oh well, back to doing some things the old fashioned way, remembering all of those IP's that I *really* have to connect with.
In this, the market can actually come to the rescue.
When those large client organizations get tired of this robbing them of the ability to conduct their business of making money, they'll create enough pressure for some form of backbone rapid response.
Let's face it, if the C2 traffic was sent to the bit bucket, the attack would've gotten nowhere very fast. I mean, seriously, two flipping Cloudflare IP's?!
Meanwhile, TOR was broken long ago and the control station remained connected to the botnet C2 for the entire attack. Someone's going to get nicked for it.
The Edsel was never pulled, it sold so poorly, due to a number of issues, from a poor economy through it was unreliable, that it was shifted over to Lincoln-Mercury, where it did sell under the Comet model name.
Hell, the infamous flame mobile Pinto was never pulled either, one of the worst models was my wife's very first car.
The IoT very nearly got someone killed, someone woke me up to complain that Netflix was broken and I was sleeping, as I was on midnight shift. ;)
Ah, RaNdOm capitalization, ever so useful. After all, volume proves one's point, rather than logic.
OK, I'll bite. How do I sue Foscam in China from the United States?
Hell, who died because DNS failed? They have a stroke because Netflix didn't resolve? Amazon withdrawal?
50 page disclaimers? WTF are you smoking? Get rid of mandatory arbitration is what you really should have said.
How about you try two things.
1: Get a clue about what you're going on about.
2: Figure out how to make a clear and concise statement about what you just got a clue about.
It is far better to remain silent and be thought a fool than to open one's mouth and remove all doubt.
The Edsel failed due to reliability problems, a recession and it's flat out weird look.
You're thinking of the Pinto, the model that was infamous for bursting into flame when rear ended being my wife's very first car. It was never "pulled".
As for regulation because it killed people, yeah, that'll work in today's US, where ten million in campaign contributions makes everything all better.
"The only time that anything will change is when it hits the decision makers in their pockets."
Not always. We had a breach in our company network, interest was finally taken when financial servers were breached and a series of Sarbanes-Oxley audits ensued. With the CEO facing potential criminal prosecution, the breach was finally terminated.
During the post mortem, it was learned that the breach was all of five years in length and started in a computer lab in Canada via a forgotten test server on the DMZ.
That resulted in a massive inventory being taken...
Now, here's the million dollar question: Whyinhell does a baby monitor, home security camera or fridge need to be on a DMZ? I'll not even go into routers with standardized username/password combinations.
Both of which were at the heart of this entire debacle.
"In June, a surgeon placed a St Jude CRT-D in my chest and I can now walk briskly for an hour before my arthritic pain begins to slow me down."
You lucky bastard! I can't quite get anywhere near an hour before my arthritis grinds me to a stop.
Oh well, at least I can still walk those four miles to work, while wearing my laptop bag.
I'm anticipating needing a CRT-D later though, a heat stroke makes me throw PVC's often enough to actually toy with v-tach, plus LVH, secondary to hyperthyroidism induced hypertension that very nearly blew my aorta out.
I do have a reasonable expectation that the damnable thing is at least secure enough that I don't have to worry about someone trying to screw around with it. It's entirely possible that there is a debugging that bypasses the magnet requirement.
Lemme check the software catalog. Ah, here it is, McAfee endpoint protection for implantable medical devices. "Don't let malware become the end of you"...
No, there really isn't such software. Yet.
Here's to hoping that this outfit enjoys a call from both DHS and the FTC. DHS, because, "A terrorist could stop by a cardiac clinic and claim a victory" (that wouldn't be noticed) (yeah, they'd do that, if they hear about this story, as that *is* how they think).
FTC, as this is stock manipulation and fraud.
"How come its always his grubby fingers yanking the other end of all the strings in this shitty little conspiracy addled world?"
Indeed, why Obama also showed me where to park my car when I came to work in a building that he'll never hear of, in a city that he's likely never even heard of.
He then jimmied the lock at my house and did the dishes for my wife.
Feeling his good works for the day were completed, he proceeded to the meadow behind my data center, where he stampeded the women and raped the cattle.
Seriously, these wankers really do need a reality injection. And they'd probably benefit from some lithium salts as well.
Perhaps then, they could return back to their job as living advertisement for birth control.
"Don't risk having a child that turns out like this! Use our protection product."
" The problem is the feral DA is apparently not interested in the case and his chain of command is not willing to make him do his job up to Obama."
Ah, so now the POTUS makes decisions on even relatively minor stock manipulation and fraud. Does he also oversee parking tickets in the Bronx?
What a fucking idiot.
"I'm wondering how long before the idiots in the community get tired of this, and those who need pacemakers can sleep easily at night without wondering if some fool is messing with it."
Anyone who gets two meters or less from me while I'm sleeping and that individual isn't my wife is someone that, if they're fortunate, gets shot.
Unfortunate means, I'm using a knife.
"What is it you don't understand about needing to switch the device into receive mode with a magnet?"
Actually, it's placed into communicate/programming mode with the magnet.
The rest of the time, the device is read only. It can transmit telemetry, but it won't receive any instructions unless the magnet in in place.
To be specific, a ring magnet suspiciously like a magnetron magnet that's encased in plastic.
Still, a debug mode for developers *might* be able to bypass that protection. Still, if they're within two meters, I'm more than comfortable. That's both knife and cane range. :)
"I know it's the wrong side of the pond but this appears to be a fairly major hack."
So, now a DDOS from a bunch of cameras and home routers is a hack.
My, how some people have low standards.
The only real hack was against those insecure IOT devices.
Or as I call them, IdiOT owned devices.
"This last hack got several of my accounts hijacked."
Oddly, neither my Yahoo account, nor my wife's account got hijacked in the Yahoo breach.
Somehow, I suspect the common factor was our information was already compromised during the OPM breach.
But hey, at least I know that I can get a security clearance in China...
"Yahoo's part since the NSA will go into "we can neither confirm nor deny" mode."
No, this appears to be Yahoo's salvage, after both revelation of the kernel module *and* Congress wanting to know precisely whatinhell is going on.
"We can neither confirm nor deny" can and has resulted in termination of an agency's budget. Failing that, I'm reminded of the Air Force defying a Congressional order (in the form of a law), repeatedly, resulting in precisely zero officers being authorized until they complied.
Long story told short, a certain Colonel, who openly defied that law, was instructed to retire - or else be involuntarily terminated from his commission. The latter would have endangered his pension, so he wisely complied with both orders, retiring and complying with Congress.
@Mk4, I can't agree more.
This, from a US citizen who spent five years in various GCC states, much of that time, with my wife happily in tow.
Act and feel like you belong, be accepted as belonging. Act and feel like you're special and an outsider, be embraced by one and all as that outsider. Just realize, the latter has the cost of not being allowed to play with the locals kids. ;)
I've actually played Santa in Arabian homes. The downside, it was 28 degrees C outside and that Santa suit was a bit... Warm.
Still, smiling kids and all. :)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
