* Posts by GnuTzu

71 posts • joined 1 Feb 2015


Victoria's educational apps-for-students let creeps contact kids

GnuTzu
Stop

Watch Out: Monopolies Will Try to Dictate Your Security Policy

Yup. If Google or Microsoft say that their cloud apps are safe to use, then they must be safe for all possible use cases--right? Seriously, they use language like: "you have to...", just as if they were saying: "you 1) must use our product and 2) you must adjust your security policy to enable the application." I repeatedly find myself saying: "no, your technical requirements do not dictate the security policy of this organization, and your product will not be permitted here until it can be made to conform with the security policy of this organization." Gotta stay vigilant.

1
0

LocationDumb: Phone tracker foul-up exposes world+dog to tracking

GnuTzu
FAIL

Security Controls Need to be Server Side -- Period

Web Security 101. Wake up people.

3
0

Mining apps? We're cool so long as they admit to it, says Canonical

GnuTzu

Truth in Labeling

Other commenters have effectively already covered the ethical argument.

But, the fact that manufacturers and marketers (not to mention politicians and lobbyists) get away with, and keep getting away with, so much misrepresentation, misdirection, misleading packaging, and outright lying may very well be the reason our culture might be brainwashed into thinking products aren't obligated to certain levels of disclosure and transparency. Caveat emptor is, after all, a very old expression.

But, that begs the question: do we really know the boundaries between little white lies, defensive social lying by an individual, and massive organizational deception? If we could just get that pinned down a little better, we might actually get to roll back some of the special protections that companies and agencies enjoy.

1
0

Shining lasers at planes in the UK could now get you up to 5 years in jail

GnuTzu

Does This Mean Cyclists Are Protected As Well?

The article read "drivers of road vehicles" rather than motor vehicles. And, what about off-roaders? This warrants some clarification. Law abiding cyclists deserve this protection as well. No comment on other kinds of cyclists.

0
0

New law would stop Feds from demanding encryption backdoor

GnuTzu

Re: laws vs laws -- I Gag at Gag Orders

Had to say it.

2
0

IBM bans all removable storage, for all staff, everywhere

GnuTzu

Re: Laptops

It's all about full disk encryption now, so our laptops are safe for now. If we lose that, they'll lock us all in vaults with cameras hovering over us to manage our every little move.

0
0
GnuTzu

Re: Trust your staff -- But Verify

Unfortunately, this perspective of hiring only those you trust is not practical. One does not fire a person for clicking a link they shouldn't have, because you'd have to fire half the company. People develop bad habits, and they make mistakes. This is all part of the behavioral management aspect of infosec. Yes, banning USB sticks is extreme. Other places just force all USB sticks to be encrypted. But, thinking you can do infosec by only hiring trusted people underestimates their fallibility and forgive-ability.

3
0

Android P to improve users' network privacy

GnuTzu

Re: Great, there go the useful Wifi utilities

@Jamie Jones, yes; agreed. I hate being Harrison Bergeron'd. Voted up.

2
0

Second wave of Spectre-like CPU security flaws won't be fixed for a while

GnuTzu

When...

When will it be safe to buy another CPU? {insert-rant-here}

4
0

NSA sought data on 534 MILLION phone calls in 2017

GnuTzu

Excuses -- Inexcusable

Whatever the current technical limitation preventing de-duping, there must be a way to fix it so that excuses are impossible, and they must be required to fix it.

They can't be allowed to have technology if it has limitations that allow them to make excuses. They must be required to fix the technology so that there are no excuses--whether it be de-duping issues or otherwise.

0
0

Cookie code compromise caper caught and crumbled

GnuTzu

The Thing about Code Repositories

There are many, many code-repository services; and they can't all be doing security the same way. Some will inevitably be infected by bad actors. I'm worried that conventional ratings services, which depend on historical data, won't do anything to deal with an initial planting of infected code. It would be really nice if the repositories--the ones actually making an effort--would set out to create a community-driven effort to reach out to other repositories and establish a set of conventions, or even an actual standard, for securing code repositories. And, some basic questions need to be answered, such as: who moderates submitted code, how do you ensure accounts are legitimate and aren't compromised, what kind of scanning can be done to detect bad actors, etc.

1
0

Quit WebEx now if you want to live! (Bad bugs, not killer slideware)

GnuTzu

Users Are The Bigger Vulnerability

Meh.

We only allow WebEx in a segmented virtual environment that spins up fresh images every time a user logs in. If a user shares a desktop and things go wrong, the VM is simply shut down and destroyed. And, there's no sharing of any data in or out of the internal business environment, so there's no chance of a reckless-user mistake.

Of course, if there was a way to disable the reckless features at the firewall or proxy, then we wouldn't have to do it that way.

0
0

Vlad that's over: Remote code flaws in Schneider Electric apps whacked

GnuTzu

Deja Vu

I'm pretty sure Schneider Electric has been here before, and I expect we'll be seeing more.

1
0

AWS sends noise to Signal: You can't use our servers to beat censors

GnuTzu

@regbadgerer

I had to look up what the malicious use was myself, and the summary explanation is this: The malicious use is to appear to direct a victim to a site of good reputation while really sending them to one that will infect or otherwise compromise them.

0
0
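The "appear to go to a reputable site while really talking to another" trick described in the comment above is domain fronting: the TLS Server Name Indication (SNI) names the reputable host, while the HTTP Host header inside the encrypted tunnel names the real destination. The following is an added example, not code from the commenter or from AWS, showing how a TLS-terminating proxy can spot the mismatch. The ClientHello fixture, the HTTP requests and the function names (`build_client_hello`, `extract_sni`, `http_host`, `is_domain_fronting`) are all constructed here for illustration; the ClientHello parser itself follows the RFC 5246 / RFC 6066 wire layout.

```python
import struct

# Constructed fixture: a minimal TLS 1.2 ClientHello carrying only an SNI
# extension. Real browsers send many more extensions; the parser below skips
# over whatever it does not recognise.
def build_client_hello(server_name: str) -> bytes:
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # random (fixed for the fixture)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 9 or record[0] != 0x16:
        return None                          # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                          # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                             # skip client_version and random
    try:
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    except (IndexError, struct.error):
        return None                          # truncated hello
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0x00:
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii", "replace").lower()
    return None


def http_host(request: bytes):
    """Return the Host header value (port stripped) from a plaintext HTTP/1.x request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def is_domain_fronting(client_hello: bytes, request: bytes) -> bool:
    """True when the TLS SNI and the inner HTTP Host name disagree.

    Assumes the proxy terminates TLS (or is the CDN edge) and so sees both
    layers. Exact match is deliberately strict: some legitimate CDN setups
    differ by subdomain, so a production policy would allow-list those.
    """
    sni, host = extract_sni(client_hello), http_host(request)
    if sni is None or host is None:
        return False                         # nothing to compare; log separately
    return sni != host


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    fronted = b"GET / HTTP/1.1\r\nHost: hidden.example.net\r\n\r\n"
    honest = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(extract_sni(hello), is_domain_fronting(hello, fronted), is_domain_fronting(hello, honest))
```

The detection only works where something in your path can see both the SNI and the decrypted Host header; on a plain packet capture you get the SNI and nothing else, which is exactly why the technique is attractive to the people abusing it.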

Ozzie Ozzie Ozzie, oi oi oi! Tech zillionaire Ray's backdoor crypto for the Feds is Clipper chip v2

GnuTzu
FAIL

Making Non-compliant Encryption Illegal

I'm still not seeing the discussion about how they plan to keep people from using encryption that doesn't have back doors. Surely, they'll be illegal, but there are enforcement problems with that, and only criminals will have strong encryption. How much work is it going to be to force everyone to hand over keys; or rather, hunt down those who don't voluntarily hand them over?

And, what will this do to students who want to write their own encryption algorithms, even weak ones (as if students and researchers matter)?

36
0

ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

GnuTzu

Pushy People are a Security Risk

Yeah, it's that simple. The more you push, the more we infosec bods investigate you and the garbage you try to push through.

65
3

No way, RSA! Security conference's mobile app embarrassingly insecure

GnuTzu
Flame

Re: I RSA defence - a very minimalist defence -- Outsourced Crap

Damn right. Thumbs up. Conferencing apps are forbidden here, and we have a sandbox environment for web meetings. Consumer marketing has addicted the World to a marketing strategy of getting consumer loyalty and addiction by getting consumers to download an app for every little service. But, I'm not buying it. If a service doesn't have a solid web site, then they're not getting my business--because I'm not downloading their crap app--period.

5
0

Oracle whips out the swatter, squishes 254 security bugs in its gear

GnuTzu

Re: wait wut

Yes, and those of us who get stuck with it suffer.

3
2

Millions of scraped public social net profiles left in open AWS S3 box

GnuTzu
FAIL

Hall of Shame Just for S3 Buckets

How long would the list be now?

2
0

Google to add extra Gmail security … by building a walled garden

GnuTzu

Avoid the Traps

I think I just up-voted half the comments here. The traps are so transparent. Like others here, I've been using a paid IMAP email service for over a decade; only costs me about $3 a month--for the deluxe package. The features are wonderful. I think I'll write a rule to dump all @gmail addresses into a spam learning folder.

2
3
GnuTzu

JavaScript

@fluffybunnyuk, Sadly, this will almost surely require JavaScript compliant browsers. I wonder how this will look in F12 Developer Tools. It'll be interesting to see if they can code around that.

1
1

Imagine you're having a CT scan and malware alters the radiation levels – it's doable

GnuTzu

Re: Imagine..

Well, perhaps. But, I'm under the impression that dosage is exponential. So, 350 mSv is between 2^3 and 2^4 times 30 mSv. I don't think it's that much of a difference. But, don't quote me; I'm no radiologist.

Also, I think they try to limit CT scans to once a year, as they do produce more radiation than regular x-ray.

1
0

No password? No worries! Two new standards aim to make logins an API experience

GnuTzu

Re: OpenSSL -- HTTPS And Proxies

This is also possible for proxy authentication. I think the thing that's different with this is that it will standardize what happens on the browser end. Currently, they all handle it a little differently (well, Firefox variants vs. IE variants and those that use Windows handling like Chrome).

0
0

There's security – then there's barbed wire-laced pains in the arse

GnuTzu

From the other perspective, there are those that go out and purchase IT products without consulting security professionals or even doing a feasibility study--let alone a risk analysis. And, when the security people say that it will actually break existing security controls, they then get told that the new product was already paid for and that they'll have to go ahead and spend more to make it work.

And, this is happening with professional acquisitions people and departments. Oh, the dysfunctional organisations are everywhere. And, the responsibility of getting the departments to work smoothly with each other is at a pay grade well above that of those who must suffer such nonsense. You would think a higher paid executive would have better sense, but so many of them seem totally oblivious to the inefficiencies created by the crap they keep rolling down hill.

6
0
GnuTzu

Well, you could include a password manager in your base image, and provide training for its use. There are now even password management systems that rotate the login credentials for the user, and will even log users into configured systems for the user.

0
0

Is it a bird? Is it a plane? No, it's a terrible leak of drone buyers' data

GnuTzu
Black Helicopters

Possible Intelligence Value

Keep this up, and we could start seeing purchases for black projects.

4
0

Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards

GnuTzu
Flame

3rd Parties Don't Come With Cake

Having a third party might sound like fun. But, having a third party ask you to open arbitrary ports and white-list hordes of domains, including blanket CDNs, happens way too often. It's as if they want to tell you what your security policy should be. With all the third parties that you could have, and you could have hundreds, what kind of security policy would you have if you just went ahead and did whatever they told you? Third parties need to conform to your security policy--not the other way around.

1
0

One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools

GnuTzu

Re: X-T&C header -- Make it Stick

In previous posts, I've argued that the do-not-track header should be granted the same protection as the DMCA. But, people aren't getting it. Corporations could put in the most trivial of protections for their content and then be able to take people to court for bypassing it, yet corporations can effectively ignore our protections, using things like super cookies and such. If corporations can have the DMCA, then we can have legal backing too. Otherwise, we've just proven that corporations have more rights than real citizens--which is clearly a constitutional violation--and therefore, Un-American.

26
0

Internet of insecure Things: Software still riddled with security holes

GnuTzu

And, The Children

Oh, we'll see such an outcry when the stuff made for children results in something truly too horrible to describe--even on El Reg.

1
0

How a QR code can fool iOS 11's Camera app into opening evil.com rather than nice.co.uk

GnuTzu

Is This A Feature?

There are lots and lots of people on this planet that actually know how to parse URLs. You'd think Apple would have hired one. So, did Apple actually pay for this feature, or did Apple just get screwed by an insider threat?

1
0

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

GnuTzu
Stop

Block The Laggards

I vote the Internet starts blocking those that fail the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/). I'm using this now for every security review I do, and it's amazing how many sites that do business or health-care-related services on the Internet get bad scores there. Everything from 3DES and SHA1 to lack of secure renegotiation and lack of forward secrecy. It's unforgivably lame.

1
0
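The Qualys test is a remote service that probes a live server. For the same classes of failure the comment above lists (3DES, SHA-1, no forward secrecy, pre-1.2 protocol floors) you can also audit what your own TLS stack is configured to offer before it ever goes on the Internet. The following is an added example, not the commenter's code and not Qualys's grading logic. It reads cipher descriptions in the shape Python's `ssl.SSLContext.get_ciphers()` returns (keys `name`, `protocol`, `symmetric`, `digest`, `kea`, `strength_bits`, `aead`) and applies a handful of assumed rules; `SAMPLES` is a constructed set of such dicts, and `audit_cipher`, `audit_context`, `audit_protocol_floor` and `hardened_context` are names chosen here. Note that `protocol` in that output is the oldest protocol the suite can run under, not what the server will negotiate; the negotiated floor is `minimum_version`, which is checked separately.

```python
import ssl


def audit_cipher(c: dict) -> list:
    """Findings for one cipher description dict; an empty list means clean."""
    findings = []
    proto = c.get("protocol", "")
    if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"suite usable down to {proto}")
    sym = (c.get("symmetric") or "").lower()
    if "des" in sym or "rc4" in sym:                  # 3DES (des-ede3-cbc), DES, RC4
        findings.append(f"weak cipher {sym}")
    if (c.get("digest") or "").lower() == "sha1":     # CBC suites with an HMAC-SHA1 MAC
        findings.append("SHA-1 MAC")
    kea = (c.get("kea") or "").lower()
    # TLS 1.3 suites report kx-any because every 1.3 key exchange is ephemeral.
    if proto != "TLSv1.3" and "dhe" not in kea:       # matches kx-ecdhe and kx-dhe
        findings.append(f"no forward secrecy ({kea or 'unknown kea'})")
    if (c.get("strength_bits") or 0) < 128:
        findings.append(f"{c.get('strength_bits')}-bit strength")
    return findings


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Map every suite the context would offer to its findings."""
    return {c["name"]: audit_cipher(c) for c in ctx.get_ciphers()}


def audit_protocol_floor(ctx: ssl.SSLContext) -> list:
    """The negotiated floor lives on the context, not on the suite list."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return [f"minimum protocol is {ctx.minimum_version.name}"]
    return []


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration: TLS 1.2+ and AEAD suites with ephemeral key exchange only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are chosen by OpenSSL separately from this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


# Constructed samples in get_ciphers() shape: two of the kinds the post complains
# about, and two that pass.
SAMPLES = [
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "symmetric": "des-ede3-cbc",
     "digest": "sha1", "kea": "kx-rsa", "strength_bits": 112, "aead": False},
    {"name": "AES128-SHA", "protocol": "SSLv3", "symmetric": "aes-128-cbc",
     "digest": "sha1", "kea": "kx-rsa", "strength_bits": 128, "aead": False},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "symmetric": "aes-256-gcm",
     "digest": None, "kea": "kx-ecdhe", "strength_bits": 256, "aead": True},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "symmetric": "aes-128-gcm",
     "digest": None, "kea": "kx-any", "strength_bits": 128, "aead": True},
]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["name"], audit_cipher(sample) or "clean")
    ctx = hardened_context()
    print("floor:", audit_protocol_floor(ctx) or "clean")
    for name, findings in audit_context(ctx).items():
        print(name, findings or "clean")
```

Run it against the real context your service builds (or a client context that mirrors what your proxy accepts) and anything other than "clean" is a row you would otherwise be reading off the Qualys report after the fact. Secure renegotiation, the remaining item in the comment, is a handshake-level property of the peer and has to be observed on the wire rather than read from a local suite list.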
GnuTzu

Re: The client says hi

Voting up: "Leon: The Professional". Meh on the joke.

0
0

YouTube banned many gun vids, so some moved to smut site

GnuTzu

Guns: I've enjoyed a few of those vids.

Sex: Can't say I'm against that..

Sex, Guns, and Violence: Sorry, the combination of these I see creating weird subconscious associations and possibly encouraging all kinds of nonsense ranging from domestic violence to snuff flicks. It's just too creepy.

4
0

Mozilla pulls ads from Facebook after spat over privacy controls

GnuTzu

Re: If you want privacy...

Some people have been decent enough to ask my consent to use pictures that include me and my name on Facebook, and I sometimes say O.K. to the pic and first name only. And, I've never been on Facebook either, so I've never consented to their EULA. Are there third-party restrictions? There should be.

3
0
GnuTzu

Source of Malware

Since advertising was tagged as a source of malware, little has been done to sanitize scummy advertising. And, why should they? The way advertising currently works, the advertisers have control over the way advertising is delivered because it's hosted on their systems--not the systems that users are visiting. What the bigger services like Facebook should do is require that their clients turn over their advertising to them to sanitize and moderate. And, because the advertisers won't have to pay for their own hosting, they'll be able to pay Facebook and such more.

You see, the more I work with HTTP, HTML, and JavaScript, the more creeped out I am by the notion that I can go to a web site and see background requests to garbage sites all over the World. Advertisers who host their own content in that way are just the creepiest thing out there, and that's long been the default on the Internet. It's time to change that.

1
0

Apple moves on HSTS abuse in Safari

GnuTzu

Re: dblck -- same-origin

Geesh, I haven't checked this setting in over a decade. Time for an article on how all the browsers are going to deal with this.

3
0

BOOM! Cambridge Analytica explodes following extraordinary TV expose

GnuTzu
Black Helicopters

AI Groomed Candidates

Yesterday, it seemed the story was about big data. But this wet-ware machine is bigger than just that. What happens when big data becomes AI, and AI starts to run these companies. How much more amoral or immoral will it become, when it's run by something inhuman? And, when they groom the political candidates--how much less will we know and understand the people running our countries? Time for the deluxe tin-foil hat.

5
0

1 in 5 Michigan state staffers fail phishing test but that's OK apparently

GnuTzu

Re: about right -- Monthly Phishing Exercises

We're ramping up for monthly phishing exercises.

Wet ware is the hard part of InfoSec. It just is.

0
0

Facebook suspends account of Cambridge Analytica whistleblower

GnuTzu

Re: Please pathetic libtards stop the whining you lost big time

@DCFusor, you emphasized: "which are designed to *engage* you, not make you happy"

Pity more people don't understand that. Marketing, of which politicking is a form, is designed to make you want, and it does so by sowing the seeds of discomfort.

0
0
GnuTzu
Stop

SPAMMERS

Alt-right spam is getting ridiculous. I've been an anti-spam warrior for a couple decades, and my tools are quite fine tuned. The right-wing spam is going to an old email address that I've marked for spam learning, one that has been a spam-learning address for over a decade. That means they are sucking up any old spam list for their campaigns. These spammers are truly morally bankrupt. I wonder if we can soon expect the same b.s. from the alt-left.

2
1

Facebook confirms Cambridge Analytica stole its data; it’s a plot, claims former director

GnuTzu

What They Wanna Hear

Telling people what they want to hear--to get them to do things they don't understand.

This is what it's come to. Breaking up the population into little groups and whispering different messages into their ears. Then, no one knows why that other group is so angry at them--because they don't know what's being said about them. And, you know these messages are now so distorted that they really do constitute lies.

We have finally reached the point in which cultural perception is completely disconnected from reality.

If you're being told something that is political and it isn't broadcast to everyone, it is surely a lie.

And, when spraying the cockroaches loses its effectiveness, they spray all the more.

2
1

Yahoo! Can't! Toss! Hacking! Lawsuit!

GnuTzu

A Company Called "Oath"

That's like saying "trust us; we're a corporation." I'm going to be chuckling about this for the next week or so.

0
0

HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

GnuTzu

Running as Root!!!

A resume generating event...

3
0

Dutch name authority: DNSSEC validation errors can be eliminated

GnuTzu
Coat

"And, they might blame..."

Oh, they'll definitely blame their proxy administrator.

1
0

World's cyber attacks hit us much harder in past year – major infosec chief survey

GnuTzu

Naturally...

Isn't NIST taking a budget cut, just as they're preparing standards? How many other unbiased non-profits are going to take these things on? There will always be more research by those seeking a profit. And, could we expect to see a standards board from the private sector--one that lacks the conflict-of-interest problem that the PCI Security Standards Council created?

1
0

US govt staffers use personal gear on work networks, handle biz docs on the reg – study

GnuTzu

Re: Simple but bad explanation

The gear isn't all that bad; it's loaded down with end-point security programs. Still, to run all those security tools, they should be spending at least as much on horsepower as users do on their home equipment.

2
0

UK Home Sec Amber Rudd unveils extremism blocking tool

GnuTzu
Big Brother

Re: The terrifying alternative ...

Simple, they can't control those with critical thinking. Wait, did you not know you were being controlled?

4
0

IBM melts down fixing Meltdown as processes and patches stutter

GnuTzu

Red Hat on AIX virtualization

Are the AIX people happy, or did I miss something?

1
0

TalkTalk banbans TeamTeamviewerviewer againagain

GnuTzu

Too Bad

It's too bad that services and tools that allow remote access fail to provide a way for firewall and proxy administrators to limit the remote access feature. Desktop sharing alone isn't so terrible; it's the ability to allow unknown external actors to run roughshod over your binaries that has infosec bods putting a halt to the whole tool.

It's a similar problem with network storage services like box.com. They lack a way to restrict uploads, even where downloads are not considered too much of a risk.

4
0


Biting the hand that feeds IT © 1998–2018