Re: It is time for a PSA
"it might be best"
Better to say it's essential.
"2 seconds would be a long time to wait for each TLS handshake, but we could always pre-calculate keys at start-up. And, in a few years the time needed will drop to milliseconds"
As you say the weakness is in using very few built-in primes everywhere. One remediation, even without going to elliptic curves, would be frequent, say monthly, updates with new and maybe larger sets of built-in primes. According to the times given in the paper this should enable users to keep ahead of the NSA. Another would be to have servers running a background task searching for new primes so each server would be able to offer a different prime each time it was contacted.
AFAIK* Diffie-Hellman works by agreeing on a prime and then each party performing some computation on it and exchanging results, from which they mutually calculate a key, and the crack** actually does work by calculating*** a sort of rainbow table for a given prime. By observing the exchange between the parties, including the prime they agree on, they can calculate the key for themselves. The weakness of implementations of D-H is that rather than search for a large prime at run time they have a limited number built in, which makes it feasible to calculate a few tables which will be sufficient to attack most sites.
*And I'm not a mathematician.
**Nobody knows for sure what the NSA do but some boffins worked out that this is how they might have done it.
***This is a humungous calculation but is now achievable by throwing enough CPU cycles at it.
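The exchange the two posts above describe, and the remediation of having each server generate its own prime, as an added example that is not part of the original comments: both parties agree on a safe prime p and a generator g, exchange g^a mod p and g^b mod p, and each derives the same g^ab mod p. The bit sizes, the Miller-Rabin primality test and the function names are this example's own choices; the toy 40-bit groups are only to keep it fast, where a real deployment would use 2048-bit or larger groups (or ECDH).

```python
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (example helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def generate_safe_prime(bits):
    """Search for p = 2q + 1 with both p and q prime (a 'safe prime')."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        if is_probable_prime(q):
            p = 2 * q + 1
            if is_probable_prime(p):
                return p

def choose_generator(p):
    """Smallest g generating the order-q subgroup of Z_p^* for a safe prime p."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, q, p) == 1:  # g != 1 and g^q == 1 means order exactly q
            return g
    raise ValueError("no generator found; p is not a safe prime")

def fresh_server_group(bits):
    """What the post's 'background task' would produce: a group unique to this server."""
    p = generate_safe_prime(bits)
    return p, choose_generator(p)

def dh_exchange(p, g):
    """Run one DH exchange; return (secret derived by A, secret derived by B)."""
    q = (p - 1) // 2
    a = secrets.randbelow(q - 1) + 1     # A's private exponent
    b = secrets.randbelow(q - 1) + 1     # B's private exponent
    A = pow(g, a, p)                     # A -> B: g^a mod p
    B = pow(g, b, p)                     # B -> A: g^b mod p
    return pow(B, a, p), pow(A, b, p)    # both compute g^(ab) mod p

if __name__ == "__main__":
    # Toy size (constructed for speed); an observer sees only p, g, g^a and g^b.
    p, g = fresh_server_group(40)
    shared_a, shared_b = dh_exchange(p, g)
    print(f"p={p} g={g} agreed={shared_a == shared_b}")
```

The point the posts make is visible in the last function: every quantity an observer can see is tied to p, so a precomputation built for one widely shared p pays off against every exchange using it, while a group generated per server (or rotated regularly) gives that precomputation nothing to reuse. Generating a group is far slower than using one, which is why the post suggests doing it in a background task rather than per handshake.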
Like you I've been through the Nildram>Pipex>Tiscali route but I jumped ship nearly 6 years ago. A good deal of what they had will be stale by now, certainly I've changed bank since then. I doubt either of us would fall for a call claiming to be from their customer disservices - they never did anything after the Tiscali takeover so why expect them to be getting round to it now?
In fact, after the Tiscali takeover their email support would have passed the Turing test - there was no way to tell whether it was human or a bot - but not in a good way.
From the Grauniad's article: "Mike McCoy, the company spokesperson, said: 'We understand that a clause in our severance agreement was misconstrued versus its use in actual practice'"
"Misconstrued versus its use in actual practice?" What sort of garbage is that? The construction that everyone's been placing on it is based on what it said. Actual practice may usually be something different but the reality was that the possibility was hanging over all their ex-employees. It may have been some careless drafting by HR which said something other than was meant but you really shouldn't draw up legal documents that say what you don't mean.
Maybe whoever was responsible in HR has now been sent on his or her way with assurance that they will not be called in help at a later date, paid or unpaid.
"Needless to say my answer, in short, was 'no'."
Bad answer. The correct answer is to name a price that will require authorisation well above the manager's limit so what he's done, and its consequences, will be visible further up the ladder. Only then, unless you're actually available for the gig, do you say 'no'.
"She pointed out that the decision doesn't dig into the actual practices of Facebook"
That wasn't actually the ECJ's role. They were asked if national regulators could actually do this given that Safe Harbour was an EC matter. Part of the decision was that they could so it's now been tossed back to the regulator by the Irish High Court. In short it's being done by the people who were supposed to do it.
Apart from that she seems to have got the message. Whether she's in any position to act on it is a different matter. Maybe the poke at Europe was intended to distract from this.
"came as a shock to many policy makers and companies in the United States"
If it did they must have been living in a fools' paradise. What other decision could they have expected? Or didn't they know the case was happening?
"Call me old skool but the Head of Security should already be fired"
Call me even older school but the Board should accept the CEO's resignation. They may need to prompt her for it once they've accepted it.
In VW's case Winterkorn did the honourable thing in quitting although maybe the generous package tainted this. This seems to be an exception; someone at the head of a business which gets things this wrong should quit, not make the rounds of the media giving interviews. It would ensure a culture in which things are done right, security gets precedence over marketing and customers can begin to trust the business.
Is this going to be one of those job interviews where they ask you "how would you deal with...?" and then use the replies to tell them what to do without actually giving anyone the job?
OTOH I think any candidates going to interview are going to ask some fairly pointed questions of their own, ending with "what budget do you have for all this?"
"An alternative would be to provide a phone number on their regular contact method (Bills etc), that you can ring and give a reference number to, which puts you through to the person who wanted to speak to you in the first place, possibly via account security checks."
The scammers have already thought of this. They invite the mark to call back to the number on the card & then pretend to hang up by putting a dial tone on the line. When the mark attempts to call the number they're still on the line to the scammers.
'An article published in the Harvard Business Review earlier this year claimed that data breaches "don't hurt stock prices" due to shareholders lacking "good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value."'
On the other hand shareholders might just notice the company hitting the headlines and not in a good way. The good news is that with all those Harvard MBAs not having good metrics etc, those who decide to sell might still get a good price.
I've recently had some success in enticing SEO spammers into an exchange of emails but as I've no website to offer them I've not succeeded in wasting too much of their time so far. I'm tempted to work out some complex phraseology that means "don't click this" when analysed carefully but at first glance seems to say the opposite and then drop in a link from whatever phishing scam has turned up recently.
In that case they don't need to keep it. If that's the only reason and they keep it anyway they fail data protection principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
That, of course, is in addition to failing 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
ISTM that the only way round this is to add a requirement for type approval that a device have its default creds only effective for an initial login and at initial login the user must enter new values before it will become operational. A factory reset will restore the defaults and the user must then enter new values again. In order for this to become effective there must be no means of carrying out a remote factory reset.
"Windows 10 however, upon being told to look for printers on the network, found all of them almost instantly and set itself up with absolutely no intervention from me."
Quite the contrary to my experience with the brief insider test. Firstly it confined itself to a subset of my LAN & would never have found the printer. Secondly, once some fixes had been rolled out to change subnet masks it still didn't help because it didn't have a driver for the printer, HP2030. I went to the HP site & downloaded the W8 version which worked OK. Maybe they ported more drivers later but this was getting close to release date.
"This is going to cause major problems for a lot of European healthcare providers who might use US based or US owned labs for testing batches of samples."
Not necessarily. All they need to do is send a sample with just an ID code and keep the patient's details to themselves. Otherwise the ECJ has already caused them major problems.
"Nice idea but for the most part, impractical. Lawsuits cost money "
If this were evidence that the prosecution were attempting to put forward for a criminal offence you'd be in court anyway. They'd have to prove reasonableness in order to get the evidence in. I don't know about US criminal proceedings but I hope that's how it still works hereabouts.
Biting the hand that feeds IT © 1998–2019