Posts by Lysenko

Re: Sends a terrible message.

Depends on the jurisdiction but in general it will leave you liable if not necessarily culpable and possibly even an accessory.

Unless you can prove mens rea beyond all reasonable doubt then under English law you're almost certainly looking at a negligence action in tort (civil law) at the most, if you can locate an injured party.

To establish criminal negligence you would have to prove that the specific consequences of the sloppy security were reasonably foreseeable and, in practice, you almost always need a consequence of death or severe physical injury. There are no "Administrative" offences in English law - you're either a criminal or else someone has to sue you for damages.

Re: Sends a terrible message.

Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

The more charitable (though unlikely) interpretation is that she understands plausible deniability. A highly secure password is a distinct liability if you're doing something nefarious that might be detected. Far better to ensure that the login credentials are as widely circulated as possible in such a scenario.

Re: I don't understand this

What's insidious is that this ex copper kept information he was supposed to destroy, then stole it when he left his job, kept it and eventually publicised it.

It's been a while since we've had a decent Contempt of Parliament action. I hope Bob the Plod realises that he can be banged up for this by Parliament itself (i.e. without bothering the CPS and the Courts).

Re: Jet Engine

The UK literally sold the USSR the technology for the early MIG engine.

Yeah, right, because the USSR could never have mastered that technology on its own. The same sort of thinking that lead the Americans to renege on all their commitments regarding nuclear technology with the UK - because the British couldn't possibly build a bomb themselves without access to American designs. Oops.

Human IQ is pretty much the same everywhere. You can't contain an invention once other people have seen it in action because they will always be able to infer most of the operational details immediately and rapidly resolve the rest experimentally if they have enough money and resources.

Licensing jet engine designs to the USSR made a profit an ensured that we had a damn good idea what the operational capabilities of those engines were. Refusing to do so would just have resulted in the USSR ending up with indigenous designs whose capabilities were more opaque.

The F35 paranoia is equally farcical - unless you seriously believe that the guys at Lockheed have genetically bigger brains than those at Mikoyan or Sukhoi. American military supremacy is based on money, and if the Russians can't match the F35 or a nuclear Super Carrier it is because they don't have the budget, not because they don't understand the engineering.

Re: Maybe that POS ClamAV isn't so bad.

How do you know that your Network Card isn't compromised and lying to you?

I don't. If the chipset is compromised then it's game over - but then if I'm facing an adversary with that level of resource then it's game over in any feasible scenario. The point is I know that Win10, anything Google and assorted other stuff will phone home with my data given half a chance. The fact that controlling that also stops other malware is just a useful side effect.

In any case, given RIPA, European Arrest Warrants and "USA, World Police" extraditions, Russian snooping is way down my priority list. When did the Russians last seize a British security researcher at an airport, or attempt to extradite someone to Moscow based on probable cause established only in a Russian Court? Locking out GCHQ, the FBI and the NSA is far more important so, if I were to use any closed source AV (which I don't), it would likely be Russian or Chinese.

Re: Maybe that POS ClamAV isn't so bad.

How do you know your compiler isn't inserting "phone home" code into certain things when it compiles them?

You know because you've got a proper firewall running on an obsolete PC (or cheap SBC) that logs and traceroutes every outbound connection from anything on the network and, if necessary, enforces a whitelist. This has the added advantage of also keeping a lid on GSnooping, MSFT telemetry and providing defence in depth against online adverts.

Re: Downtime is the price you pay.

Once outsourced it will get worse, just look at the banks who already did this.

Once? I thought Nationwide had been progressively outsourcing via CrapGemini and Computacenter for several years now? The latter definitely had a hand in the DC build on Greenham Common Air Base (as was).

Re: @ Lysenko

@DavCrav

It's not appropriate. You think it's appropriate because you are in a state that is a tenth of the size of another. If we have majority rule by states, then Scotland, Wales and Northern Ireland, population about ten million, gang up and outvote England, population about 55 million.

Correct. That's how Estonia (pop. ~=1.3M) can veto Germany (pop. ~=82M) on anything fundamental within the EU. It's also how the European constitution failed - getting a simple majority in a 500M population would have been possible.

You think the "one man, one vote" principle is appropriate because you live in a bigger country. The residents of California likely feel the same way about Wyoming.

As I stated at the outset, I'm not in favour of Scottish independence and I voted against it. However, I'm not in favour of Greater England either - particularly an isolated and internationally irrelevant England. I want to stay in the EU and, if I can't, I want to get back in the EU. That makes Scottish independence (now) a means to an end.

I don't want Holyrood running riot with unfettered legislative supremacy any more than I want Westminster doing it. This thread is a case in point of the ECJ standing in the way of oppressive Westminster legislation. You might be happy to hand ultimate power to May, Gove and Boris but I'm certainly not - and that goes equally for the SNP leadership.

Re: @ Lysenko

The only claim I have to Irish citizenship (which is none) is one great-grandfather - maybe - no one is really sure if he was Irish or not. My point is it is the closest EU country (to Scotland).

Any "one man, one vote" referendum in the UK is a de facto English vote. The appropriate criterion in a federation or union is "one country, one vote" or "one country, one veto". Otherwise, you have majoritarianism which (to borrow from Benjamin Franklin), is two wolves and a sheep debating what to have for lunch. What I am saying is that in a representative democracy you're supposed to have checks and balances to preserve minority rights. With this majoritarian principle now established, only the English vote matters because of relative population size and England can railroad the other three countries in the union any time it so chooses. That's not the union I voted to preserve - it's Greater England.

I don't hate the UK. I hate what small minded, insular nationalists have done to it. I come from a family of sailors and merchants. Nearly everyone (male) in my family, going back at least 5 generations, was born here but was out in the world by the age of 18. Colonies and the Empire mostly, though in my case it was Eastern Europe and Pakistan. I hate the fact that Brexiteers have succeeded in piloting this country into a dead end of isolation and irrelevance not seen since ... probably Henry Tudor. It's been half a millennium since we've been holed up on this island with no meaningful presence abroad, no real geopolitical influence and frankly, no respect worth a damn.

Brexiteers are the ones who hate this country - it is patently obvious from their herculean efforts to destroy everything it used to stand for. I've seen this sort of thing before. Get rid of foreign influences. Take back control of the laws. Expel people who don't share our culture. Make everyone speak Pashto.

Re: @ Lysenko

However I do think it odd that you care so much about the UK (dont know if you are from here, came here or never even visited)

I was born in Scotland to a Scots Mother and an English Father. so I can't still be part of the EU (not without getting Irish citizenship anyway).

That also answers your second question: what England has done to me is revoke my EU citizenship against my will. My opinion isn't the issue: Scotland as a whole voted to remain and England voted to leave. Under this new principle of majoritarianism (as opposed to representative democracy), that means the whole UK has to tag along with whatever England decides from here on in. That's not a future I want to be part of. It's not even the UK - it's just Greater England.

As for your final point: with a British passport and a Father from Yorkshire I'll attack "this country" and the toxic, racist xenophobes it harbours whenever I feel it is warranted.

Aha, it seems we have a little Scotlander in our midst

No, what you have is a European Federalist. I'm not interested in an independent Scotland per se, I'm interested in getting back into the EU. As things stand, that means cutting loose the xenophobic appendage south of the border who want to live under a regime where May/Gove/Johnson etc. are free from all restraint and can enact any oppressive lunacy they like (the subject of this thread being a case in point).

The Good Friday Agreement is a fly in that ointment but the way things are going I can't see that lasting much longer.

I sincerely hope the UK isn't going to last much longer. I voted against Scottish independence last time, but there is no question of me doing so again after this little Englander coup d'état. That has implications for the Irish question as well since Ulster has always been culturally closer to Scotland than England and unionism is primarily driven by irredentism south of the border than anglophilia per se.

Is this some giant pisstake?

What it is is a smokescreen. They want to make out that the issue is technically so big that they can avoid making any progress until they're clear of ECJ jurisdiction. The only constraint left then with be the European Court of Human Rights, and they've got a standing manifesto commitment to repeal the Human Rights Act and thus get out of that as well. All statutory power will be returned to Westminster and our journey to the dark side will be complete.

Re: Just say no ...

FOSS or home brew is the most sensible solution, but no councils have the expertise, courage or resources

Which was my point about austerity. If you're ever going to break the chain then it starts with (at least) doubling your costs as you'll still need Oracle while you invest in developing your exit strategy. As with any organisation linked to electoral cycles, it is improbable you'll secure funding for projects that have an ROI > 3-5 years at the best of times. Add austerity spending and the improbable becomes the impossible.

A Proliant DL580 G4 up for sale, never thought i'd see one of those again.

One of those runs our office IP/CCTV. Built like a tank, noise of a jet fighter on afterburners. I wouldn't be surprised if it's still burbling away in the basement a decade from now.

Re: why don't we:

That "we" up there is incongruously linked to argument made by politicians and instrumented by politicians to sell the no-crypto poison. I am not a politician.

I'm not a politician either, but the fact remains that, if you're a child porn merchant, ubiquitous, uncrackable, end to end crypto would be a godsend. Tor is probably good enough for tech aware paedophiles (most of the time), but the majority of them would likely benefit significantly from law enforcement proof cryptography being a universal default.

I can live with that, just as I acknowledge that any time I support military action I am likely de facto endorsing innocent people getting blown limb from limb. Supporting "our troops" implicitly means supporting child murder in almost all active theatres. As I said, I can live with that. Trying to pretend that crypto issues are only about TLA snooping is mendacious cowardice. If you're going to advocate something that can facilitate terrorism and child abuse (which I do) then you should be prepared to own it.

Re: why don't we:

Partly because we're (yes, I mean us right here) are cowards. We won't generally go on the record and clearly state that "yes" we're prepared to make things easier for terrorists, paedophiles and assorted other nefarious characters. We won't explicitly admit that "yes" I value my personal privacy more highly than the lives of some future terrorist victims and "no" the thought of obstructing the detection of child abusers does not make me reconsider.

Re: Not yet

Are you saying you actually use a Hotmail account professionally? Even if you do, Hotmail has IMAP support so Evolution can work with it and there's also the web-based Outlook of course.

I've got Office365 (because I need Word), but the only version of Outlook I run is the Android version on my phone. On Windows, I just use the default mail app because it's far more reliable (in my experience).

Re: Fails at basic logic...

Zero? In that case, I can revise the scale by moving 1-4 down a place and creating a new "Adequate" rating at position 4 i.e:

0. Ultimate Evil

1. Imbecility

2. Incompetence

3. Sincere effort

4. Adequate

5. Average

... makes no difference to the frontline victims though because it just adds greater granularity of fail. Of course, I'm being honest here. If I actually get wind of someone using this kind of thing to scam specific employees out of their wages then I'll happily be completely dishonest in whatever way is most effective for gaming the system. I'm only honest when the rating is applicable to an organisation as a whole, such as habitually rating EE between 1-2 (on the scale above).

Re: SHA-256 brute force?

Though the worst are the ones that use a short password and do not tell you that they have just truncated the long password you entered!

That's insane though, as with the poster above, I don't doubt it happens. There is no possible excuse for limiting password size unless you're announcing to the world that you plan to store the plaintext (!!!???).

Re: SHA-256 brute force?

Assuming salt was used it would be very difficult to brute force such stored passwords.

Plenty of systems like this use the email address as salt (utility: close to zero, especially in a case like this) so the issue comes down to brute forcing the passwords using rainbow tables. On that basis, you can crack a typical password in seconds and that's without counting the inevitable instances of "qwerty12" and "Password1"[1].

[1] And "p@$$w0rD!" isn't significantly stronger. l33+ speak passwords should be banned. They're a menace. You're much more secure with a long password comprised of only lower case alpha characters because you're less likely to need to write it down. Personally, I've just retired: "isthisadaggerwhichiseebeforeme".