TalkTalk attackers stole 'incomplete' customer bank data, ISP confirms

Re: It is time for a PSA

"it might be best"

Better to say it's essential.

Caption this: WIN a 6TB Western Digital Black hard drive with El Reg

John is reassured when TalkTalk's chief security officer tells him that yes, security of his personal data is important to them.

Fred discovers that TalkTalk's customer service agents really are robots.

Deep in the basement the boss thought his secret weapon would finally defeat the BOFH. Little did he know he'd already been hacked.

The inventor of the first colour TV camera is overjoyed when the quietly spoken constable reassures him that one day someone will invent a colour TV set.

Reg Thorpe wrote and starred in the Little Dunny Amateur Player's latest production "Hitch-hiker's Guide to the Daleks".

This lone boffin of the 1930s could never have realised what he was starting.

The Computer Museum should have realised its new acquisition was the pre-production version of the Dalek.

Advice to hitch-hikers

1. Be careful who you thumb a lift from.

Ron's demonstration of advanced lift-thumbing technique had an unwelcome outcome.

So what's the internet community doing about the NSA cracking VPN, HTTPS encryption?

Re: Is this a legacy problem

"2 seconds would be a long time to wait for each TLS handshake, but we could always pre-calculate keys at start-up. And, in a few years the time needed will drop to milliseconds"

As you say the weakness is in using very few built-in primes everywhere. One remediation, even without going to elliptic curves, would be frequent, say monthly, updates with new and maybe larger sets of built-in primes. According to the times given in the paper this should enable users to keep ahead of the NSA. Another would be to have servers running a background task searching for new primes so each server would be able to offer a different prime each time it was contacted.

Re: Questions

AFAIK* the Diffie-Hellman works by agreeing on a prime and then each party performing some computation on it and exchanging results they mutually calculate a key and the crack** actually does work by calculating*** a sort of rainbow table for a given prime. By observing the exchange between the parties, including the prime they agree on, they can calculate the key for themselves. The weakness of implementations of D-H is that rather than search for a large prime at run time they have a limited number built in which makes it feasible to calculate a few tables which will be sufficient to attack most sites.

*And I'm not a mathematician.

**Nobody knows for sure what the NSA do but some boffins worked out that this is how they might have done it.

***This is a humungous calculation but is now achievable by throwing enough CPU cycles at it.
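A toy illustration of the point made in the two comments above, added here as an example rather than taken from the thread or from the paper it refers to: Diffie-Hellman exchanges over a tiny prime, a "rainbow table"-style precomputation of every discrete log for that one group, and a check that the table is worthless against a server offering a different prime. The primes (23 and 47), generator (5) and exponents are constructed and far too small for real use; real precomputation uses index-calculus rather than a full enumeration, but the economics (pay once per group, reuse against every exchange in that group) are the same.

```python
"""Toy Diffie-Hellman and per-group precomputation (constructed example)."""


def dh_public(p: int, g: int, secret: int) -> int:
    """Each party publishes g^secret mod p; the secret stays private."""
    return pow(g, secret, p)


def dh_shared(p: int, peer_public: int, secret: int) -> int:
    """Combine the peer's public value with your own secret exponent."""
    return pow(peer_public, secret, p)


def dh_exchange(p: int, g: int, a: int, b: int):
    """Run one exchange; returns (A, B, shared) where A and B go over the wire."""
    A = dh_public(p, g, a)
    B = dh_public(p, g, b)
    s_alice = dh_shared(p, B, a)
    s_bob = dh_shared(p, A, b)
    assert s_alice == s_bob  # both sides derive the same key
    return A, B, s_alice


def build_log_table(p: int, g: int) -> dict:
    """Precompute the discrete log of every power of g in this group.

    Cost is proportional to p and is paid once per (p, g): it only pays off
    when the same group is reused by many servers, which is the weakness the
    comments describe. A toy stand-in for the real (index-calculus) precomputation.
    """
    logs = {}
    x = 1
    for exponent in range(p - 1):
        logs[x] = exponent
        x = (x * g) % p
    return {"p": p, "g": g, "logs": logs}


def recover_shared(precomp: dict, p: int, g: int, A: int, B: int):
    """Observer who saw only p, g, A, B: look up a from A, then compute B^a.

    Returns None when the precomputation was built for a different group,
    which is exactly why offering a fresh prime per server defeats it.
    """
    if (precomp["p"], precomp["g"]) != (p, g):
        return None
    a = precomp["logs"].get(A)
    if a is None:
        return None
    return pow(B, a, p)


if __name__ == "__main__":
    table23 = build_log_table(23, 5)
    A, B, shared = dh_exchange(23, 5, 6, 15)
    print("shared key:", shared, "recovered from the wire:",
          recover_shared(table23, 23, 5, A, B))
    A2, B2, shared2 = dh_exchange(47, 5, 10, 20)
    print("same table against a different prime:",
          recover_shared(table23, 47, 5, A2, B2))
```

Both monthly rotation of built-in groups and per-server primes reduce the number of exchanges any one precomputation covers; the table above has to be rebuilt from scratch for the second group.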

TalkTalk CEO admits security fail, says hacker emailed ransom demand

@Chris King

Like you I've been through the Nildram>Pipex>Tiscali route but I jumped ship nearly 6 years ago. A good deal of what they had will be stale by now, certainly I've changed bank since then. I doubt either of us would fall for a call claiming to be from their customer disservices - they never did anything after the Tiscali takeover so why expect them to be getting round to it now?

In fact, after the Tiscali takeover their email support would have passed the Turing test - there was no way to tell whether it was human or a bot - but not in a good way.

Re: Ransom demand

"Can they really have only received one ransom demand?"

No, but only one's genuine. They're trying to work out which it is.

Laid-off IT workers: You want free on-demand service for what now?

I didn't miss that. But in the circumstances I'd have told them that MyCo wouldn't work for free but they appear to qualify for one of MyCo's special rates, the Over-A-Barrel rate. And the length of time taken would be the length of time to make it worth while.

From the Grauniad's article '"Mike McCoy, the company spokesperson, said: “We understand that a clause in our severance agreement was misconstrued versus its use in actual practice"'

"Misconstrued versus its use in actual practice?" What sort of garbage is that? The construction that everyone's been placing on it is based on what it said. Actual practice may usually be something different but the reality was that the possibility was hanging over all their ex-employees. It may have been some careless drafting by HR which said something other than was meant but you really shouldn't draw up legal documents that say what you don't mean.

Maybe whoever was responsible in HR has now been sent on his or her way with assurance that they will not be called in to help at a later date, paid or unpaid.

Re: Humans fail too often

"In the future I expect to see more automated AI type systems that handle the coding side for you. Entrusting important long term solutions to fleshy meat bags is a lost battle."

Who writes the AI?

Re: How to save money in IT

"what happened at SunTrust looks like moving it from one pocket to another"

And possibly the other has a hole in it.

"Needless to say my answer, in short, was 'no'."

Bad answer. The correct answer is to name a price that will require authorisation well above the manager's limit so what he's done, and its consequences, will be visible further up the ladder. Only then, unless you're actually available for the gig, do you say 'no'.

Snowden, Schrems, safe harbor ... it's time to rethink privacy policies, says FTC commish

"why worry"

Because if you don't see what's coming, you don't step out of the way & the train runs you down.

"She pointed out that the decision doesn't dig into the actual practices of Facebook"

That wasn't actually the ECJ's role. They were asked if national regulators could actually do this given that Safe Harbour was an EC matter. Part of the decision was that they could so it's now been tossed back to the regulator by the Irish High Court. In short it's being done by the people who were supposed to do it.

Apart from that she seems to have got the message. Whether she's in any position to act on it is a different matter. Maybe the poke at Europe was intended to distract from this.

"came as a shock to many policy makers and companies in the United States"

If it did they must have been living in a fools' paradise. What other decision could they have expected? Or didn't they know the case was happening?

American robocallers to be shamed in public lists

Don't do it. Don't waste time doing it. Just get on with prosecuting them.

Tardy TalkTalk advertised for a new infosec officer 1 week ago

"Call me old skool but the Head of Security should already be fired"

Call me even older school but the Board should accept the CEO's resignation. They may need to prompt her for it once they've accepted it.

In VW's case Winterkorn did the honourable thing in quitting although maybe the generous package tainted this. This seems to be an exception, someone at the head of a business which gets things this wrong should quit, not make the rounds of the media giving interviews. It would ensure a culture in which things are done right, security gets precedence over marketing and customers can begin to trust the business.

Is this going to be one of those job interviews where they ask you "how would you deal with...?" and then use the replies to tell them what to do without actually giving anyone the job?

OTOH I think any candidates going to interview are going to ask some fairly pointed questions of their own, ending with "what budget do you have for all this?"

CISA latest: Law urging tech giants to share your info with the Feds shows no sign of stopping

Re: Two birds with one stone

"move HQ (extreme, unlikely)"

Unlikely to move it to the EU I agree, but to somewhere with a pleasant climate & very low taxes could be a reasonable probability.

Two birds with one stone

Maybe the tech companies should just move to the EU. It would get them out of this and out of the EU privacy concerns.

9 cuffed over £60 million banking scam targeting UK businesses

Re: I have always said

"An alternative would be to provide a phone number on their regular contact method (Bills etc), that you can ring and give a reference number to, which puts you through to the person who wanted to speak to you in the first place, possibly via account security checks."

The scammers have already thought of this. They invite the mark to call back to the number on the card & then pretend to hang up by putting a dial tone on the line. When the mark attempts to call the number they're still on the line to the scammers.

TalkTalk shares drop 10.7% despite research that breaches don't cause drops

'An article published in the Harvard Business Review earlier this year claimed that data breaches "don't hurt stock prices" due to shareholders lacking "good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value."'

On the other hand shareholders might just notice the company hitting the headlines and not in a good way. The good news is that with all those Harvard MBAs not having good metrics etc, those who decide to sell might still get a good price.

Support scammers target Mac fanbois

Re: Just Stop Using Sub-Domains

Nice rant but it omits one small detail. ara.apple.com isn't a subdomain. It's a host address. Try pinging it.

Re: Oh, Ohh OOhhhh, oooh pick me! Pick me!!

I've recently had some success in enticing SEO spammers into an exchange of emails but as I've no website to offer them I've not succeeded in wasting too much of their time so far. I'm tempted to work out some complex phraseology that means "don't click this" when analysed carefully but at first glance seems to say the opposite and then drop in a link from whatever phishing scam has turned up recently.

California enormo-quake prediction: Cracks form between US boffins

Is this thread the Californian equivalent of the Four Yorkshiremen sketch?

Bacon as deadly as cigarettes and asbestos

A Reg article sourced from the Mail?

BYOD battery bloodbath? Facebook 'fesses up to crook code

"a child in a car asking, 'Are we there yet? Are we there yet? Are we there yet?'"

This seems a fair description of the whole of their users' activity.

TalkTalk: Hackers may have nicked personal, banking info on 4 million Brits

Re: CEO Interview on 5 Live

"She said that customers could contact Talk Talk for advice on their security oh the Irony"

Maybe she meant that the customers could advise TalkTalk.

Re: Date of birth

"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."

So if you only took DoB for credit checking you've failed on that data protection principle.

"Credit check"

In that case they don't need to keep it. If that's the only reason and they keep it anyway they fail data protection principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

That, of course, is in addition to failing 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

"One of the questions is why do they want a DOB?"

Because this piece of information which people are asked for in all sorts of circumstances is a shared secret between themselves and their customers to help identify said customers?

"Why, in my mind, does this translate into 'all of our customer's data has been compromised'?"

And why does all the stuff about constantly updating systems seem to be missing 'in the future'?

Sales down, profit up, 1,000 bods chopped: Your one-minute guide to Planet Microsoft

"$84.3 million for the financial year of 2014 and $18 million in 2015"

He's going to be broke if this trend continues in 2016.

Shopping mall CCTV gear commandeered to blast websites offline

ISTM that the only way round this is to add a requirement for type approval that a device have its default creds only effective for an initial login and at initial login the user must enter new values before it will become operational. A factory reset will restore the defaults and the user must then enter new values again. In order for this to become effective there must be no means of carrying out a remote factory reset.
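A model of the credential lifecycle the comment above proposes, added here as an example and not code from the article or from any device vendor: the factory defaults authenticate exactly once, the device refuses to become operational until the user has replaced them, a factory reset restores the defaults, and a reset is only honoured from the local console, never over the network. The class, method names, channel names and the default username/password are assumptions constructed for the example.

```python
"""Default-credential lifecycle for a network device (constructed example)."""
import hashlib
import hmac
import os

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"      # placeholder factory default
LOCAL_CONSOLE = "local_console"  # the only channel allowed to factory-reset
MIN_PASSWORD_LEN = 8


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentials:
    def __init__(self):
        self._reset_to_defaults()

    def _reset_to_defaults(self):
        self.username = DEFAULT_USER
        self._salt = os.urandom(16)
        self._pw_hash = _hash(DEFAULT_PASSWORD, self._salt)
        self.defaults_active = True   # defaults are live only until first login
        self.operational = False      # no service until credentials are replaced

    def _check(self, username: str, password: str) -> bool:
        return username == self.username and hmac.compare_digest(
            _hash(password, self._salt), self._pw_hash)

    def login(self, username: str, password: str) -> str:
        """'denied', 'must_change_credentials' (defaults still in place) or 'ok'."""
        if not self._check(username, password):
            return "denied"
        if self.defaults_active:
            return "must_change_credentials"
        return "ok"

    def set_credentials(self, username: str, password: str,
                        new_username: str, new_password: str) -> bool:
        """Replace the credentials; this is the only path to an operational device."""
        if self.login(username, password) == "denied":
            return False
        # refuse to 'change' the defaults back to the defaults or to a weak value
        if new_password == DEFAULT_PASSWORD or len(new_password) < MIN_PASSWORD_LEN:
            return False
        self.username = new_username
        self._salt = os.urandom(16)
        self._pw_hash = _hash(new_password, self._salt)
        self.defaults_active = False
        self.operational = True
        return True

    def factory_reset(self, channel: str) -> bool:
        """Restore defaults, but only when requested from the local console."""
        if channel != LOCAL_CONSOLE:
            return False   # remote reset is not offered at all
        self._reset_to_defaults()
        return True

    def is_operational(self) -> bool:
        """Any device function (e.g. streaming video) is gated on this."""
        return self.operational


if __name__ == "__main__":
    dev = DeviceCredentials()
    print(dev.login(DEFAULT_USER, DEFAULT_PASSWORD))            # must_change_credentials
    print(dev.set_credentials(DEFAULT_USER, DEFAULT_PASSWORD,
                              "ops", "correct horse battery"))  # True
    print(dev.login("ops", "correct horse battery"), dev.is_operational())
    print(dev.factory_reset("remote_http"))                     # False
```

The important property is that `operational` can only ever become true inside `set_credentials`, so there is no code path that leaves the device serving traffic with the defaults still valid, and the reset path never exists for a remote caller to abuse.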

TalkTalk website STILL down on day TWO

@ aidanstevens

You have our sympathy - maybe.

Bracken assembles old GDS crew for Co-op

Re: Oh dear god

"3. What ever salaries they are demanding - quarter it."

Even better, double it and demand that that's what they pay you.

"won the Design of the Year Award"

Style over substance.

Windows 10 out, users happy, PCs upgraded, my work here is done – says Microsoft OS chief

Re: once Windows 10 has completely rolling out?

And it's not completely rolled out. It's on perpetual rolling release.

Re: Warning! Incoming - JimS

"Windows 10 however, upon being told to look for printers on the network, found all of them almost instantly and set itself up with absolutely no intervention from me."

Quite the contrary to my experience with the brief insider test. Firstly it confined itself to a subset of my LAN & would never have found the printer. Secondly, once some fixes had been rolled out to change subnet masks it still didn't help because it didn't have a driver for the printer, HP2030. I went to the HP site & downloaded the W8 version which worked OK. Maybe they ported more drivers later but this was getting close to release date.


"This is going to cause major problems for a lot of European healthcare providers who might use US based or US owned labs for testing batches of samples."

Not necessarily. All they need to do is send a sample with just an ID code and keep the patient's details to themselves. Otherwise the ECJ has already caused them major problems.

Re: This is the sole reason I haven't had my DNA tested

I'd turn that statement round. I have no reason to have my DNA tested.

"I could either co-operate, or they would use a tuft of my hair removed by force and slap an assault charge on in addition."

That doesn't sound like an effective way to get the evidence admitted in court.

"Nice idea but for the most part, impractical. Lawsuits cost money "

If this were evidence that the prosecution were attempting to put forward for a criminal offence you'd be in court anyway. They'd have to prove reasonableness in order to get the evidence in. I don't know about US criminal proceedings but I hope that's how it still works hereabouts.

CISA blowup: 'Web giants sharing private info isn't about security – it's state surveillance'

Re: @Steven Roper The US government is slitting its country's own throat

"And what, pray tell, is wrong with that?"

He didn't say there was anything wrong with it. He just stated the bleedin' obvious.
