* Posts by GnuTzu

330 posts • joined 1 Feb 2015

Linux.org domain hacked, plastered with trolling, filth and anti-transgender vandalism

GnuTzu
Bronze badge

Re: Windows vs Linux

I keep saying: Linux has been around and proliferated successfully enough to become a target. It's no longer just a Patch Tuesday world.

13
4

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

GnuTzu
Bronze badge
Trollface

Re: In other news...

Yes, and the Earth is clearly flat.

I fear this disease will spread, as it is clearly contagious.

7
0

UK Supreme Court considers whether spy court should be immune to legal probes

GnuTzu
Bronze badge
Unhappy

The NSA's Ugly Uncle

There's just something about secret bureaucracies that just has the weird putrid smell. And, it seems to be there throughout most of the Anglosphere. They cannot claim to serve the people if they have no accountability that the people can trust. The courts are supposed to provide that. Here in the States, we get to have secret courts, as if we actually trust that. I'm really sad to hear that in the U.K. there would even be the consideration of no court involvement whatsoever. It's just the same putrid bureaucratic disease everywhere.

13
0

Talk about a GAN-do attitude... AI software bots can see through your text CAPTCHAs

GnuTzu
Bronze badge

Re: American imperialism

Fair enough. It's not as if they can't tell what country you're coming from. It's not as if computing standards have only recently been addressing internationalization. Seriously, this is easily fixable, so what's Google's problem? Why the hell are they taking so long to fix this? Oh right; too big for their britches.

6
0

Windows 10 security question: How do miscreants use these for post-hack persistence?

GnuTzu
Bronze badge
Facepalm

It's 2018, And...

"...Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions..."

"Hard-coded" is bad enough, but I've seen too many really lame security questions--with topics that some people chat about on social media--seriously, and that crap has to stop.

And, it can be done by way of the registry. I... just... don't... know... what else to say.

6
0

UK spies: You know how we said bulk device hacking would be used sparingly? Well, things have 'evolved'...

GnuTzu
Bronze badge
Big Brother

Lotta Waffles

Oh, just that use of the word "bulk" creeps me out.

24
0

More data joy: Email scammers are buying marks' info from legit biz intelligence firms

GnuTzu
Bronze badge
Meh

Re: At what point...

Given that passive reconnaissance has been the first step since the beginning, this should be no surprise. If anything, buying data from legitimate services has been around for longer than we can know.

Yes, we might hope that these services vet their customers, but why would they care? Yet, even if they were willing, crims are in the business of shrouding themselves, and there's little hope of guaranteeing that this practice would never happen.

0
0

He's not cracked RSA-1024 encryption, he's a very naughty Belarusian ransomware middleman

GnuTzu
Bronze badge
Stop

Re: I see the Russian trolls are out -- of Rented Jets

"...for the ethically challenged..."

I knew a guy who was truly ethically challenged. He would out-and-out say that it would be perfectly fine if certain things were not revealed. He used to do one of those infomercials selling money-making schemes. He'd rent business jets and present them as his own in his infomercial, along with other shady claims. And yes, he went to jail. And no, no one in my family who knew him is in touch with him, as it's all just too damn disgusting.

It's not about whether you can or cannot be a broker of sorts; it's about misrepresentation and fraud. What you sell must be what you claim it to be (or at least sufficiently to stand up in court); and if you're going to omit certain facts, you better be very careful what facts you omit. I am not a lawyer, but some of you might want to get educated on some of this stuff before the law comes knocking on your door.

7
2

Here are another 45,000 reasons to patch Windows systems against old NSA exploits

GnuTzu
Bronze badge
Megaphone

Re: Is anyone using UPnP anyway?

That would be a topic for a statistical study. But, using it or not, it's exactly the kind of thing that would be on by default--something that too many users wouldn't even know to turn off.

And then, none of this is shocking. When this thing was created, it was a given that automatic configuration is a chicken-or-egg problem that requires too much broadcasting of "please come and be my mommy and tell me who to be." So, there is no surprise that any technology along these lines is rife with vulnerabilities.

I'd like to blame all this on the nature of consumer technology, but it happens there's a protocol (name escapes me at the moment) for administering servers in enterprise environments that's just as bad or even worse. Security will never be easy, and we need to be wary of those offering shortcuts, which was in fact a topic of discussion when UPnP was created. So, this counts as a "we told you so." Hah!

1
0

Q: If Pesky Pepper had a peek at patient papers, at how many patient papers did Pesky Pepper peek? A: 231

GnuTzu
Bronze badge
Megaphone

Training

This kind of thing is covered in annual training, and agencies are required to have such training--at least where I work. Just think; there are places where private information of celebrities and government officials can be looked up. Not only must there be training, but these things need monitoring and enforcement. I guess there are areas where these regulations need to be fortified just a bit.

3
0

Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years

GnuTzu
Bronze badge

Re: Card numbers

This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the States, I imagine this won't happen overnight.

19
0

Healthcare billing biz AccuDoc 'fesses up to breach that blabbed 2.65m people's data

GnuTzu
Bronze badge
Thumb Down

"We take health care privacy very seriously."

Insert usual rant about this phrase here. Do they realize this is coming to mean the opposite of what it should?

3
0

Sorry, we haven't ACLU what happened in sealed 'Facebook decryption' case, but let's find out

GnuTzu
Bronze badge

Gendered Connectors

"Someone once asked me why were some connectors denoted "male" or "female""

I do wonder about how this came to be the dominant language, given that the terms "plug" and "socket" go back at least as far. And, while I'm not the biggest proponent of political correctness, I am concerned that with the proliferation of technology, this will come to affect children at younger and younger ages. "Mommy, why is this thing that I stick into that thing called male and that other one female?"

2
7

GCHQ opens kimono for infosec world to ogle its vuln disclosure process

GnuTzu
Bronze badge

Re: Careful wording there....

Hmm... Let's see. If there is no hope of ever prosecuting a target, then there's no hope of ever bringing a target to court. And, if there's no hope of ever bringing a target to court, then why bother with any manner of court order? I guess that's one reason that warfare and policing aren't conducted the same way.

4
1

US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That'd be the UK

GnuTzu
Bronze badge
Big Brother

1984

And, the nationality of that author... Could that be saying something about his prescience?

Anyway, good point on the throwing stones stuff and such. This has become a global issue, and we need to be vigilant about reining in those that say our governments need more powers to be, um, more vigilant. These things have to balance out, but they'll quickly get out of balance if we don't continually insist on balance.

7
0

Oz opposition caves, offers encryption backdoor compromise

GnuTzu
Bronze badge
FAIL

Re: That's OK then -- Not The Master Key

"...the key to one room, not the 'master key of the hotel'"

Um, who's going to manage the keys? Is this going to be some kind of key escrow? Do they not understand that anybody can generate a key independent of such nanny-state management?

Clearly, these things are going to end up in the outlawing of various forms of encryption--along with any methods to hide it.

And, they'll also end up having to outlaw cryptographic research that isn't government sanctioned. Imagine having to get a license to learn.

7
0

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)

GnuTzu
Bronze badge

Re: What's the Count So Far?

"its not node.js specific."

Oh, I wholeheartedly agree. And, that makes more work for those of us who have to work as gatekeepers. But, rest assured; we're keeping an eye out for these things.

2
0
GnuTzu
Bronze badge
Megaphone

What's the Count So Far?

It's NPM repos again. Anybody keeping track? Anybody got a fix? Sorry Node.js devs. I like Node.js too, but there's got to be room for improvement.

15
0

Using a free VPN? Why not skip the middleman and just send your data to President Xi?

GnuTzu
Bronze badge

Re: As usual, when it's free... -- as in Service

"Just like what you get with Linux."

Linux is not a service. You don't sign up for it, and you don't send your data through somebody else's server in order to use Linux.

(@MMR, voted you up, but I just had to go and at least explain the key difference, in case others don't get it.)

1
0

German e-government SDK patched against ID spoofing vulnerability

GnuTzu
Bronze badge
Mushroom

It's 2018

How the hell... URL parameters... validation... you gotta be kidding me... oh screw it.

1
0

'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

GnuTzu
Bronze badge
Thumb Up

I Love It

Enforcement of laws against stupidity. Yeah, if you've got people's data and you don't even use minimally reasonable security practices, smack upside the head. 'Nuff said.

24
0

Malware scum want to build a Linux botnet using Mirai

GnuTzu
Bronze badge

Re: It's 2018...

"Yes, I am expecting my downvote counter to go through the roof."

Not so much. At the time of this comment, you're up 8 and down 0.

The simple fact is that they'd eventually come after Linux. It was inevitable. But, notice it was more about badly administered boxes than Linux itself.

5
0

Infosec's Thanksgiving turkey triumvirate: Tesla, Tumblr, Trump (as in Ivanka)... and tons more

GnuTzu
Bronze badge

Survey of Private Services used by Public Officials

"...on a domain owned by her and husband Jared Kushner."

Um, ownership does not equate to administration thereof, because you just know that that domain wasn't set up by them directly (or at least it would be shocking if they did).

Given the impulsive nature of the way email and such are used, I'm wondering if something preemptive can be done about these things. It brings to mind some ideas that are a little out there, but I think that a survey of what private services our public officials--and their spouses--use would be worth a study of some kind, at least a journalistic one.

0
0

When selling security awareness training by email, probably a good shout not to hit 'reply all'

GnuTzu
Bronze badge
Thumb Up

Re: Holland was clearly making a point.. -- Button, Button

"...but moved everyone except the original sender to Bcc"

Ohhhhhh, I definitely want a button for that.

I'd make one--if only VBA were not one of the most horrendously dangerous features of Outlook (and Word, and Excel, and...).

BTW, voted up this entire chain of comments. Email interfaces need to be designed for safety and not enable, even foster, impulsively dangerous behavior. I'm sure many of us have fallen into a pitfall at one time or another despite reasonable levels of vigilance--the very reason I'm so pissed off that UI designers need some training in social engineering. Imagine how dangerous it is for those with no restraint whatsoever.

5
0

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you're visiting

GnuTzu
Bronze badge
Black Helicopters

Completely Different Browsers

I'm glad that I have the option to have private tabs and such; but just because I do security work around HTTP, I much prefer completely different browsers--each with its own script-restricting addon, cookie-restricting addon (including Flash cookies), and tracking-control addons (Ghostery and Privacy Badger).

Besides, there's a difference between paranoia as an affliction and paranoia as a hobby. I'm thinking of getting a really fine tin-foil fedora.

1
0

Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

GnuTzu
Bronze badge
Meh

Re: WTF? -- BCC

That was worth half a chuckle, but it's at least nice to know that Amazon knows how to use BCC--given that others have caused damage by not using CC instead of BCC.

14
0

Britain may not be able to fend off a determined cyber-attack, MPs warn

GnuTzu
Bronze badge
Megaphone

Dual Threat

"...facing a dual threat of more aggressive overseas hackers and a lack of funding for cyber defences."

O.K. everybody. It seems we're finally getting through. Don't back off; shout even louder.

3
0

Germany pushes router security rules, OpenWRT and CCC push back

GnuTzu
Bronze badge
Headmaster

Re: Routers are not firewalls -- Well...

First, I'm definitely on board with the points about WiFi, and I definitely go in and disable that nonsense right away.

But, however minimal, most of these things do include some means of limiting incoming connections, at least as far as what ports are open (I did say minimal), and some allow filtering for outgoing connections--not that the average home user would ever bother with managing outgoing filtering. Still, I wouldn't regard one of these little boxes as being on par with an enterprise-grade firewall--along with what can be done with filtering rules that are properly managed.

O.K. so I'm being a bit pedantic. But, just like there are different grades of locks, some of which can be picked with a bump key and some can't, there are different grades of firewalls. I think maybe we need some new terminology--as if we don't already have enough of that.

3
0
GnuTzu
Bronze badge
Stop

Re: ISP? -- "...easy to manage clients."

"...easy to manage clients" seems to be something that could be interpreted in dystopian terms. I'm pretty sure I don't want Comcast to manage me, either directly or through my devices--power user or not. And, what they do manage, I want to know about so that I can deal with it accordingly.

11
0

A little phishing knowledge may be a dangerous thing

GnuTzu
Bronze badge
Megaphone

Re: E-mail Client -- New Characters

Someone needs to come up with a special font that guarantees that all characters appear distinct, and mail programs and browsers need to guarantee that only this font can be used to display URLs (or at least not be altered by the email formatting).

4
0
GnuTzu
Bronze badge
Boffin

Attachments

Um, there are business procedures for these things. And, when forwarding a suspected infected email to an infosec analyst, you do it as an attachment, right?

Maybe someday, I'll share my Vim syntax highlighting for email headers, because it's just fascinating to see how far a serious phishing campaign will go to make an email look as if it's coming from inside your own business, which can involve a pair of malicious MTAs and a malicious DNS server to spoof your company's domain name in the email headers. I've seen just this sort of thing singled out by Proofpoint mail filtering.

But, if you're afraid of opening an email in your mail program, then get a new mail program. Just don't click any damn links, and make sure your email program doesn't display remote images. And, if you're in an enterprise environment, I would hope the relevant mail settings are already correctly set by GPO. Here, we even have a report phishing button in the Outlook ribbon, and it just makes everything so much nicer.

8
0

SMS 2FA database leak drama, MageCart mishaps, Black Friday badware, and more

GnuTzu
Bronze badge
Boffin

Re: What a load of bull -- Numbers

Computer scientists are supposed to be good with numbers, and they're supposed to know how the numbers for this sort of thing relate.

Yet, it's true that the numbers for chess are constants, while the numbers for hackers are constantly changing. I suppose you'd have to create categories to pigeonhole things into to get the numbers to map.

0
0

Washington Post offers invalid cookie consent under EU rules – ICO

GnuTzu
Bronze badge

Re: Other solution -- Privacy Badger + Ghostery :)

I like the way the EFF's Privacy Badger does this, and I use it in concert with Ghostery. They make a good team.

3
0

Vision Direct 'fesses up to hack that exposed customer names, payment cards

GnuTzu
Bronze badge
Trollface

"...how this heft occurred."

Oh, the typos. Was it really that weighty an issue?

7
0

Scumbags cram Make-A-Wish website with coin-mining malware

GnuTzu
Bronze badge
Childcatcher

"so the charity gets the mining cycles"

As long as it's opt in; otherwise, it wouldn't be a charity. Imagine if a government decided to do such a thing as a kind of tax but kept it secret.

Anyway, stealing from a charity, particularly one involving children, is just perverse.

8
0

Up to three million kids' GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for perverts

GnuTzu
Bronze badge
Childcatcher

Re: Finally... Icon

Yes; and if you'd logged in, you could have used this fine icon--which I've been aching to use for such a long time.

1
0

MIT to Oz: Crypto-busting laws risk banning security tests

GnuTzu
Bronze badge

Re: Politicians -- Territory

"It appears even politicians down under are moronic."

I think there's a personality type in the DSM for that. Politics obligates politicians to forfeit all reason other than that which is associated with political interests.

2
0

Michael Howard: Embrace of open source is destroying 'artificial definitions' of legacy vendors

GnuTzu
Bronze badge

Re: Did he catch a bad case of biz-speak?

@AndyS, I thought "Create more velocity in our revenue attainment" meant "make money faster"; but hey, close enough. Yeah, I heard talk like this just last night on NPR, talking about Amazon's explosive growth and why they totally overwhelmed Seattle. And anyway, that's the problem with business speak; it seems intent on bamboozling investors with a severe lack of clarity, or at least the novice investors who would be much better served with plain language.

Anyway, I like the other points, so voted up.

1
0

Oz telcos' club asks: Why the hell do Australia Post, rando councils, or Taxi Services Commission want comms metadata?

GnuTzu
Bronze badge
Megaphone

More Paraphrases and Quotes

"First they came for our metadata, then they came for our encrypted communications, then they came for...... us."

First it happened in one country. Then it happened in their neighbor's country. Then it happened in the entire Anglosphere. Then there was no more free world.

"Those who would give up essential Liberty, to purchase a little temporary Safety..." -- Ah, you know the quote.

But, what is it these who argue for more safety and security think they are doing? Are they just overzealous? Are they trying to get more bang for their budgetary buck? Or, are they just asshole authoritarians pretending to serve the people? Perhaps it's a mix of these, but I fear those who are so bought into the bullshit that they have no concept of balance.

12
0

It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page

GnuTzu
Bronze badge

Re: I'm tired of making this response as well -- Hell

One day there will be no more vulnerabilities -- and then Hell will freeze over. But, they've been asked just to try a little harder for way too damn long. Maybe they'd try a little harder--to get Hell to freeze over--if they were subjected to a bit of Hell fire.

7
0

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

GnuTzu
Bronze badge
Unhappy

Re: America always waits for class action suits -- Damages

"...and aren't likely to see any significant damages when you win..."

Well, I think many would agree that increasing the degree of punishment is a much more significant issue than any political orientation (as this question of leaving it up to class-action suits seems to be about). Get something together that actually effects major positive change--and can't be blocked by monopolistic, plutocratic, big-corporation lobbyists (Monsanto), and I could give a flying f**k what political orientation it comes from--um, short of fascism, communism, or some other extremist perspective.

8
0

SMBs: We don't want to spoil all of this article, but have you patched, taken away admin rights, made backups yet?

GnuTzu
Bronze badge

Re: Office 365? -- Subscription Service Bundles

O365 uses the same business model as all the other cloud services, which is to get you to sign up for as many of their services as possible--regardless of whether they would all be acceptable for a particular customer's security needs, such as the remote desktop features of many meeting and communication apps. And, once a customer has been strong-armed into allowing something dangerous, there's no way to control it. So, whatever anybody says about being able to secure cloud services, these big cloud-service bundles are more in the interest of Microsoft and other cloud-service providers that want to stop selling software and move everybody to a forced subscription model, and are not in the interest of the very variable security needs of individual enterprises.

(BTW, SME also stands for "subject matter expert". After all, we are now in an age when acronym collisions are inevitable.)

1
0
GnuTzu
Bronze badge
Megaphone

"We Sell Hammers"

I expect a major factor in this is that it depends very much on the willingness of leadership to hire the right kind of infrastructure support and then actually listen when they point out the weaknesses--because when the CEO of a major national retail chain is said to have replied to warnings with "we sell hammers", then there is a faction in the corporate culture that is really doing leadership wrong. Yeah, those of us in the trenches are really never going to forget that one.

0
0

We don' need no stinkin' bounties: VirtualBox guest-to-host escape zero-day lands at GitHub

GnuTzu
Bronze badge
Unhappy

Last Time I Tried Running VirtualBox...

Last time I tried running VirtualBox, there were compatibility issues. Having not revisited it, I'm wondering what progress has been made since. Not being a fan of monopolies and monopolistic corporate behavior, I'd really like to hear that there are more healthy products of this sort, ones with a future, ones able to dislodge themselves from the likes of Oracle (@DJV, voted up).

BTW, I was fine with Oracle when they were just Oracle. But, these "portfolio" companies appear to, shall I say, dilute the focus of their workforce and thus the quality of their products. Yes, they get more customers with a portfolio of products, but those customers eventually end up with lesser quality products. I fear it's not a healthy aspect of the market.

5
2

Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim

GnuTzu
Bronze badge

Re: You missed and obvious one...

"User Training and Education"

Sadly, vigilance is not innate to the human condition, and social engineering seeks out the lazy and impulsive. So, yes (voted up), and do the homework to get a really good training program.

0
0

I know what you're thinking: Outsource or in-source IT security? I've worked both sides, so here's my advice...

GnuTzu
Bronze badge
FAIL

Re: Vicious Circle -- Hierarchy

I've seen IT security outsourced because a CIO didn't like the infosec team's complaining that certain PCI DSS security controls were missing or inadequate. That was a place that was too small to have a CISO, so the infosec team didn't have the clout to establish and enforce reasonable policy.

I've also witnessed an IT manager bargaining with and browbeating PCI auditors, which I suspect is common--as under PCI there is a conflict of interest created by the requirement that a company gets to choose who they pay to audit them. And, if infosec is under the IT department, you can expect to see the infosec team seriously hamstrung by conflicting expenditure choices. So, hierarchy is also important.

I personally am predicting that the insurance industry will eventually have a role in this, as insurance companies would surely have an interest in the selection of auditors for the companies they insure--and thus also have an interest in whether the infosec team has the clout needed to do their job. Unfortunately, it will take time and many successful class-action lawsuits before we'll see this.

4
0

£220k fines for dodgy dialling duo who didn't do due dil on data

GnuTzu
Bronze badge
Unhappy

Predictive Dialers

I once got to see a call center using a "predictive" dialing system. That was in the late '80s. Yeah, this crap has been around that long. Call center workers sit in front of a terminal with a headset on. Information on the person being called is pulled up in front of them automatically. The computer predicts when the current call will end--and starts dialing the next call with the objective of having the call center worker talking to the next party before they have a chance to take a breath. That way the call center can pound out the calls like a machine gun.

I've seen a number of call centers, political, corporate, non-profit; they're all very depressing places.

4
0
GnuTzu
Bronze badge

Re: Mass Dialers -- A.K.A Robo-callers

Well, they are used for political campaigns, often called robo-callers. Yet, some would think that's just another way to extract money from the populace.

3
0

Check this out: Radisson Hotel Group 'fesses up to 'security incident'

GnuTzu
Bronze badge
Facepalm

"cry seriously"

I know that's a typo (yeah, and we know that's supposed to be that nauseating public relations B.S.), but somebody seriously should make them cry.

3
0

Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare

GnuTzu
Bronze badge

Re: Another Company That I've Never Heard Of

@Dabooka, "You've really never heard of Cathay Pacific?"

I'm afraid so. But, then I avoid flying like the plague and will make every effort to take the train in business class instead. Yes, cramped seating is harder to take for some, and I'm one of them (hsperson.com).

0
0

Biting the hand that feeds IT © 1998–2018