* Posts by SolidSquid

676 posts • joined 13 May 2013


Let's shut down the internet: Republicans vacate their mind bowels


Re: "Vacated their mind bowels" - a lovely phrase

Brain shart? It would have been a brain fart but a bit more than they really wanted to leaked out?

Big Brother is born. And we find out 15 years too late to stop him


Given the seriousness of this, I'm curious what their justification is for not informing MPs of it, given that MPs are supposed to be the ones who decide whether to allow it to continue, pass an Act to legalise it or pass another to ban it. Apart from the obvious "they might ban it" excuse, which basically admits to knowing it's illegal, or "they might talk about it", which would be covered by the Official Secrets Act.

GOP senators push FCC to kill support for local broadband


Private companies give a better service at a cheaper cost than government ever could, so of *course* they shouldn't have to actually *compete* with government

Seriously though, if the local governments are able to give a better service and pay for it through the fees people pay, why not let them go ahead and do it? Hell, they could charge a bit more than the costs and have the extra go into the state budget to subsidise other responsibilities they have rather than having to increase taxes to do so

HMRC aims for fully digital tax system by 2020. Yeah, whatever


Good god, this is going to be bad isn't it? Tax rules are a good example of how IT infrastructure *could* provide a lot of streamlining and better functionality, but trying to change the whole thing over and having a fixed deadline like this is probably not a good approach, and given how badly previous IT has gone I seriously doubt they'll even ask the right *questions* on how to do this, never mind actually doing it right

Microsoft to OneDrive users: We're sorry, click the magic link to keep your free storage


Re: The Problem Seems To Be Both Simple And Predictable.

Most NAS storage drives have some kind of cloud functionality these days, but you need to leave it running and you're capped at the upload speed of your connection (which generally is significantly lower than your download speed), making it often less practical than things like Dropbox or OneDrive.

Assange inquisition closer after Sweden, Ecuador sign pact


Re: One Swedish Charge left

The charges expired due to duration, but I'm sure I remember them saying that they had to have him in custody before he could actually be charged as part of his due process under Swedish law, it's why they were so insistent that he be returned to Sweden for questioning rather than them questioning him in the embassy. Even if the questioning confirmed their suspicions the most they could do is fill out another warrant unless Ecuador revoked his asylum status

US government pushing again on encryption bypass


Re: They just can't stop themselves, can they?

There's also the alternative: everyone is screaming "DO SOMETHING!" at the government, so the government, knowing they can't actually do much which will show results quickly, turns to an easy scapegoat to pin the blame on. "We can't do anything if they encrypt things! It's their fault really!" etc.

National Crime Agency: Your kid could be a nasty interwebs hacker


Re: Signs for Parents

Eh, getting it in first isn't that great when you forget to add the link to source for anyone who hasn't seen it before


In fairness I heard/read similar stories when younger, although I suspect now that the industry is becoming more structured (with training courses etc) it's going to become higher risk for less reward than just going to uni and studying security. It also depends on what kind of hack it is (DDoS isn't going to get you anywhere) and who the people you hacked were (could end up being blackballed because you targeted someone with clout in the industry).

A better approach would probably be to point them to the Pwn2Own contests, where there have been some fairly young winners who made good money doing the kind of hacks which could get you picked up by an agency later on in a high profile and positive way (having a Pwn2Own winner on the books would probably be good PR for a company), while at the same time removing the risk of jail time


Re: Slightly less silly than it sounds

I don't think they were intentionally pushing for that, but I do think they could have made a positive mention of the self-study side of things, maybe recommending some resources the kids could look at themselves (ideally with the parent's support/help). I just worry that their focus of "If your kid is doing this they could end up as criminals" and "Here's some ways to do it commercially" might result in parents (who largely aren't familiar with the field) trying to stop their kid from doing things which could be genuinely beneficial to the kid's future because they take this too literally


Is your child using "Quake"? Have they become obsessed with "Lunix"?


Re: Slightly less silly than it sounds

Is there really a need to talk about "using your powers for good" though? A lot of kids are probably just working with computers for fun, or maybe just looking to keep a Minecraft server running for their friends.

This kind of reads as "If your kids are interested in computers you should make sure they stick to the approved learning paths, as being self taught or a hobbyist risks becoming a criminal!", which I worry would result in parents pressuring their kids to start doing classes/certification they're not interested in because it's the "right" and "safe" way to learn it, resulting in a kid who might have developed an interest to the point they did it professionally instead burning out and losing interest in the field.

Basically, while talking with kids about career paths is good, and making parents aware of what they can do to help their kids, this seems to do so at the cost of stigmatising people just doing it for fun

Obama calls out encryption in terror strategy speech


"The Qu'ran and the Hadith are quite clear that all non-believers are to be either converted or killed.

The 'moderates' are the perversions."

From what I remember it's apostates rather than non-believers, with that being something introduced by Wahhabism (which originates in Saudi Arabia, one of our allies). Also, by the same reasoning pretty much all forms of Christianity are perversions since they don't include the whole stoning for adultery or the wide range of other crimes punishable by death. Pretty sure apostasy is a crime under biblical law too, now I think of it.

So yes, the moderate may be considered a "perversion" of the original, but that doesn't mean the moderates aren't the majority of the religion, much like the majority of Christians don't follow the bible literally

Infosec bods rate app languages; find Java 'king', put PHP in bin



"If you aren't passing parameters into a prepared statement then you are doing it wrong. It is the DB's job to handle the parameters."

That's the approach that PDO uses in PHP for exactly this reason. If you're using it then really the input filtering is largely going to be focused on filtering out things like cross site scripting attacks rather than SQL injection. That said, a lot of sites don't use it, or use it wrong (technically it's possible to pass a full query through it rather than using prepared statements), in which case the SQL injection prevention which is still part of the input filtering will kick in. It's not ideal, but it does add an extra layer of protection just in case it's necessary (the security, not the raw SQL, which really isn't necessary).



Unfortunately, it's not uncommon for those filtered methods to have exploits found in them, and when they are it means every site built using those frameworks (since they largely assume the filtering will work) is a sitting duck until they're able to apply patches or upgrade, which depending how heavily modified the rest of the system is might take a while to achieve.


Given that even ColdFusion was included, I'm surprised there's no data on Python web apps, especially with the recent large scale compromise of Patreon

Microsoft encrypts explanation of borked Windows 10 encryption


It's as much a "platform" as Windows is, offering a desktop environment as well as lending itself to a variety of types of server environments to provide services from. Arguably they even have an "app store" via their repositories

Although you have a point that the term "platform" is vague as hell and isn't really good at explaining what it does

Sysadmin's £100,000 revenge after sudden sacking


Re: James is a dick...

Obviously can't know for sure, but if I were in his situation I'd have assumed my line manager was aware of what was going on with this and was going to be dealing with it. The fact his line manager was made redundant immediately after him (which he might not have been aware of at the time, and I would have to assume *also* without handover meetings) would probably explain why they weren't aware of it and he didn't think he had to contact them about it

Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat


Re: Hmm...

Somewhat contrary to that, Germany has generally been pretty strong on the whole personal privacy front and was the target of hacking by the NSA, which apparently they got quite annoyed at. It wouldn't surprise me if they were having an audit done for internal use and someone suggested making a public statement of the results to try and counter some of the bad press from being part of Five Eyes.

Hillary Clinton: Stop helping terrorists, Silicon Valley – weaken your encryption


Hillary Clinton: "So we need Silicon Valley not to view government as its adversary."

Reuters article in May: "A U.S. spying program that systematically collects millions of Americans' phone records is illegal, a federal appeals court ruled on Thursday"

Maybe the tech sector will stop viewing the government as its adversary when it stops behaving like an adversary which customers need to be protected from criminal acts by

Tor Project: US government paid university $1m bounty to hack our networks


Re: tor should be happy

Given that this was a third party asking another third party to try and compromise the network without ever running it by the target and putting a fair bit of money into doing so, I don't know if this really counts as "white hat" at this point. Grey hat at most, but doing it without the target's knowledge/consent and having a sufficient impact on their infrastructure that they caught it and had to release a patch might be enough that it slides into black hat.

It depends a lot on what the university was to do with the research afterwards, if it was to be shared with Tor then fair enough, that's probably enough to push it back to grey hat, but if they were only going to share it with the FBI department that paid for it, that's basically no different to selling exploits on the darknet except you know who's buying

TPP: 'Scary' US-Pacific trade deal published – you're going to freak out when you read it


Re: Another site disagrees

Worth mentioning that the review wasn't done by Naked Capitalism, but rather they've based their article on a press release by Public Citizen, who actually have lawyers on staff who deal with this kind of thing and would be better placed to review it than journalists generally would


Re: Source code

What it applies to will depend on what is considered under TPP as "critical infrastructure" and "mass market". If someone provides a piece of monitoring software for power plants which is available for purchase by anyone who wants it, rather than bespoke for a specific client, does that count as being mass market? This would probably be considered covered by critical infrastructure, but I could see cases where lawyers could leverage it to cover things which you would expect to be classed as "critical infrastructure" but technically aren't under the TPP definition

Linus Torvalds targeted by honeytraps, claims Eric S. Raymond


Re: Sh...it happens

Julian Assange is trying to avoid charges being brought against him for criminal conduct and jumped bail in the process, Charlotte Proudman made a kind of daft comment about an interaction with a colleague online, it's not exactly comparing like for like is it?


Re: History proves

Wait, what? Clinton wasn't taken down through a honeytrap, he was taken down due to perjury in front of a Congressional committee ("I did not have sexual relations with that woman" and all that), and the Strauss-Kahn case fell apart because he *did* get due process, which Raymond claims men don't get any more. Or are you claiming the later charges against him in France were part of some massive international conspiracy spanning several years?

UK's super-cyber-snoop shopping list: Internet data, bulk spying, covert equipment tapping


Hell, for the price of those shares you could set yourself up as one, it's not exactly expensive to set up a VPN with free software and there's plenty of documentation out there on how to do it. Costs are basically the hardware and marketing


Re: They always want more

Actually, with DRIPA ruled illegal (after being pushed through at the end of parliament to prevent any debate on it), they are looking at a loss of powers by March or so. Powers they shouldn't *have* and which were part of an illegal bill, but loss of powers all the same


Re: Security Theatre and/or Snooping

Al Qaeda were already found to be using steganography to hide messages in videos/images rather than talking directly, which this would do nothing to combat (hell, I'm sure I remember the FBI publicly stating their existing systems couldn't handle having to scan through every image uploaded to Facebook and then trying to find messages hidden in them).

KeePass looter: Password plunderer rinses pwned sysadmins


Re: When spelling is important.

Since this is a proof of concept I suspect it would work with either one, but considering the name, KeePass is probably the one they used for demonstration purposes.

Evil NSA runs on saintly Linux, Apache, MySQL


Re: Um....so?

It's not a problem that the NSA uses open source, it's just an interesting bit of information made slightly amusing in that it shows a great example of how scalable the tool chain is but probably the majority of those involved in producing the software would be opposed to what it's being used for


Re: "why don't we try to insert our own covert backdoor code into the Linux kernel"

There's a difference between a bug which hasn't been noticed and an intentional backdoor which has been added to exploit things. The latter of these by definition is something at least someone is aware of right from its creation and is intended to be there; the former is quite rightly considered a mistake and will be patched out when discovered. Using closed source just makes it less likely that the bugs will be found and means that any intentional backdoors can be kept hidden much more easily (since there's a much smaller pool of people looking at the code and they can be made to sign confidentiality contracts).

Open source isn't perfect, no system is, but it *does* show a drastic improvement over closed source with regards to this kind of thing


Re: Well...

Generally the infrastructure, including things like database and backup servers, is run on *nix based systems which the Windows workstations are then plugged into. So in a solid setup the mission critical systems will be *nix but the machines people generally use will be Windows (workstations not being "mission critical" because you should be able to restore the whole thing from the backup servers pretty quickly if it needs replacing).

European Parliament votes to grant Snowden protection from US


Re: is it only me

Eh, they're generally slow to act and can rely on the fact that none of their rulings are actually enforced to pass bills which would be politically difficult to do in most of the member states (like this one). They are generally pretty good though, and the ECJ and ECHR are generally pretty solid within their limited scope, with some fairly solid rulings being passed

The story of .Gay: This bid is too gay! This bid is not gay enough! This bid is just right?


Re: To the "they took away my gay word" brigade

Thing is, the whole reason for the last rejection is that they were trying to cover more than just people who were homosexual, but also included things like transsexual. As a community they generally are pretty closely associated, but .homosexual wouldn't work for everyone they were trying to bring under the umbrella as well as .gay would.


Re: @AC Religion really has become a very "special" form of politics....

So more people supported it than opposed it? I'm not sure how this makes it somehow invalid, just over 1/3 of people supported it, less than 1/3 supported it and the rest were, in one way or another, happy to let those people decide it for them by not voting. Hell, most elections are won with a smaller proportion of the population than that

UK.gov plans to legislate on smut filters after EU net neutrality ruling


Maybe he's hoping to find out what other people are into so he can undermine attempts to use his own... interests against him politically


Re: "I think it's absolutely vitally important that we enable parents...............

"I think it's absolutely vitally important that we enable parents to have that protection for their children from this material on the internet,"

More accurately, we have to enable parents to do nothing to protect or monitor their children's use of the internet, because why should parents be expected to show any interest in raising their kids?

Ex-Microsoft craft ale buffs rattle tankard for desktop brewery


Re: If it's fully automatic ....

Considering this is intended for home brew, wouldn't even a Tennent's clone made in it qualify as "craft beer" under this definition?

US Senate approves CISA cyber-spy-law, axes privacy safeguards


Re: Goodbye Cloud

Not quite, there's still the question mark over what happens with non-US hosted systems owned by US companies. I believe there's currently a court case with Microsoft over whether they have to hand over data from an Irish data centre which will probably decide this (Microsoft is understandably fighting it tooth and nail), and if it goes in favour of "companies are required to provide the data" then the EU will not be able to use *any* US company's services. Hell, even companies offering co-location like Rackspace might run into issues with this since the data is in their data centre and they have access to it

TalkTalk attack: Lad, 15, cuffed by UK cyber-cops


Re: Are we to believe this is the work of a 15yr old ?

I messed about with Metasploit on a test VM a while back (was looking at possibly doing security stuff as part of the day job, test VM was part of a learning series) and it's pretty damn easy to use. Avoiding detection when running it on someone's site and then actually using the exploit are the bits that might be fiddly, and a 15 year old would have plenty of spare time to work it out

I do think it's less likely that a 15 year old would be doing a DDoS attack to cover his tracks along with the ransom threat though. It's possible, but it seems more likely a 15 year old would go the direct route of just hacking them rather than setting up a more coordinated scheme like this.

Twitter CEO Jack Dorsey hands out shares to remaining staffers


Question is whether the staff members are able to liquidate those shares or are stuck with them as a way to manipulate them into doing more overtime work in a desperate attempt to make the company profitable

Oh dear, Microsoft: UK.gov signs deal with LibreOffice


Re: The economics just don't stack up

French Gendarmerie seems to be happy enough with the savings they've made, also I suspect that month of reduced productivity is somewhat exaggerated. With training you're looking at more like a week of down time. There's also the fact that the government isn't using Office 365, or at least in cases where they are they're going the self hosted route for security purposes, which adds significantly to the costs. In cases where they're not using 365 you're looking at a licence per machine rather than per person

Oh, and if you can wean people off of Office then that opens up the possibility of moving to Linux too, since they'd be using the same software, with minimal retraining. This could then reduce the number of Windows licences, which are per machine rather than per person, much like non-365 Office, and are a significantly higher bill than MS Office is.

You also have the question of where the money is going. If you're giving Microsoft £1.5 million for licences and support that does very little for the country's economy, but giving £1.6 million to local businesses to provide training and support for LibreOffice, while slightly more expensive, is keeping the money within the national economy, which benefits the country more.

There's a lot more to the economics of procurement than just the base licensing costs, and you haven't cited sources for any of the numbers you've provided either (the 28 days, the 10% reduction in productivity, the cost of Office, the cost of training). You also have to consider that hosting things on Microsoft's servers is currently a no-go with the recent ruling on US safe harbour rules, and even without that a lot of information couldn't be put on there.


Re: continued Open Source Adoption

This is something I hadn't actually considered. Since most of the costs of open source office stacks (OS, LibreOffice, etc) are the support contracts, how much of that is going to companies within the country rather than foreign entities? Even if it were a little more expensive, if you're keeping it in the local economy it might still be a better option.


Re: Cue all the usual stuff about incompatibility etc

OK, much of a fan as I am of open source projects, it *really* hasn't been all that long that LibreOffice has been roughly on par with Office in terms of its feature set, and there are still limitations on things like Impress vs PowerPoint.


Re: Cue all the usual stuff about incompatibility etc

It's always going to be a slow process weaning people off of MS Office, but this is certainly the first step. France's Gendarmerie got around this (when they switched to Linux) by mandating file format in contract and having a small number of licences to deal with cases where outside agencies can't provide a file they can use. The more government bodies using non-Office based suites the less of a problem they'll have with this and the easier the migration will be

WikiLeaks leaks CIA director's private emails – including his nat sec clearance dossier


While it might not necessarily be a *good* thing that these emails have been leaked this way, let's be honest. If he was using an AOL account for classified information and some kid managed to hack it and get all this data, chances are it was compromised a *long* time ago and rival governments are well aware of what it contains. Much like when people were invited to try and hack an electronic voting booth a while back as a statement of confidence, and not only were people successful but they found it had *already* been compromised before they got anywhere near it

CISA blowup: 'Web giants sharing private info isn't about security – it's state surveillance'


Re: @Steven Roper The US government is slitting its country's own throat

From the perspective of people outside the US nothing, in fact it's a great opportunity, but for Americans this is their government literally piling on the damage to a large and growing industry in a way that will undermine confidence in them for years to come

Microsoft's top lawyer: I have a cunning plan ... to rescue sunk safe harbor agreement


Microsoft can agree to whatever they want, but unless Congress agrees to pass a bill supporting it (actually passing bills being something the current Congress is famous for... not doing?), this is still going to fall afoul of the ruling in German courts that US based companies can't legally guarantee protections if the government can override them, and the US companies can be held liable

No change in US law, no data transfer deals – German state DPA


Re: Let me get this straight

There's nothing saying they *have* to change those laws, it's just that US based companies will have a major obstacle if they want to operate in the EU unless they do

GCHQ can and will spy on politicos, rules tribunal


Re: Transparent

The public might be though. If, y'know, they really needed to know about it. Like if the MP was sponsoring a bill to constrain GCHQ. They wouldn't *release* that information though, that would be unthinkable. There might just be a... leak, that such information should be requested via FoI between certain dates. Or maybe not even anything criminal, maybe just some interests the MPs have which might cause embarrassment or hurt election chances and they'd rather weren't made public knowledge

The point of the Wilson Doctrine isn't just to protect the public from being spied on, but also to prevent intelligence services from being able to build portfolios which can be used to pressure elected officials into toeing the party line on security, whether directly through warnings about "national security threats" to places they know that MP cares about, or through third parties who the information is "leaked" to.


Biting the hand that feeds IT © 1998–2019