* Posts by YetAnotherJoeBlow

41 posts • joined 5 Apr 2015

Boeing... Boeing... Gone: Canada, America finally ground 737 Max jets as they await anti-death-crash software patches


Re: More than 300 dead is largely worth an abundance of caution

"the CoG is different and now requires software to maintain the AoA"

Is this to say that the 737 max is too difficult to fly manually?

Oxford University reportedly turns off its Huawei money tap



Ah, I see what your were on about. From modem to tower. I have a laptop I use with a special device (expensive too) which logs the packets (made by Huawei too :)

Sorry about that.



"So yes, when you have something real to report from your reverse engineers let us all see it, until then this is nonsense. I somehow doubt we'll hear back from you. Although I must admit I'm really impressed by your technical prowess. Getting Wireshark to tell you not what is on your LAN, but what is going out the 3G side of a 3G modem. That's quite some feat..."

What are you on about? I am not talking about the connection from my modem to the tower only the tcp/ip protocol conveyed to it from my network.

Wireshark did not tell me what was on my lan, I have my networks separated by firewalls and they log dropped packets. These are internal networks and the dropped packets stand out like a sore thumb (The machine I was talking about wasn't allowed in my other networks.)

Your comment is telling, I come across your kind a lot. That's why people hire me. That's why I've been consulting for over 30 years, and that is why they pay me to solve problems that you cannot - but you do now how to complain I'll bet...

For the record I never said Huawei was the culprit - or anyone else for that matter. I just relayed what I observed. Some people might want to look at their setups is all.



About a week ago my home pocket wifi (E5330) - made by Huawei, started acting up. I used wireshark to see what was happening, I soon found the problem. Fixed it. About and hour later when I remembered to turn wireshark off, I saw a reverse connection from Poland to my wifi. After some reverse engineering (3 hours), I discovered that port 26550 was set up for port knocking. It hid a 64-bit knock in the first packet. After the knock, a ten minute udp session was sent over the wifi back to a different IP in Poland than the IP that was used to do the knocking. Most likely I won't be able to decrypt it. I dumped the firmware and compared it to an official firmware image. Hashes were the same. What do you suppose? More than likely I will give it to a company to reverse engineer the entire firmware image. There was nothing worth stealing from the pc it was talking to.

International politicos gather round to grill Dick, head of Facebook policy, on data slurping



So he's the Dick head of Facebook policy. It seems that Facebook employs quite a few of his ilk.

Ex spy bosses: Cyber-warfare needs rules of engagement for nations to promptly ignore



Have a read of the Tallinn Manual 2. It just astounds me of their arrogance to think that people will even read it let alone follow it. One of these days, maybe the governments who pay for this garbage might listen to those on the ground. I know of several people who could really open their eyes - that is if they even care.

Is this cuttlefish really all that cosmic? Ubuntu 18.10 arrives with extra spit, polish, 4.18 kernel


What is the matter, you don't like searching each screen for a minute to find were the the buttons are?

Microsoft Surface Pro 4 owners: So, about that other broken update…



Revert the last firmware? You imaged it before you flashed,right?

Take them to small claims court. It worked for me 6 times in years past when I had to buy their shite. It is the only thing that they understand.

I was once told to wait for an update that never came. When my unit went out of waranty, they then told me to buy a new one. The funny part was that they were also pulling the same stunt on the judges wife... It still makes me laugh to this date.

Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down



I also believe Bb was played like a fiddle.

For a moment, pretend that the story IS true. How do you think the US Government would play their hand?

I have seen devices that lie hidden and passively monitor. When the agency needs to reel it in, they just break in an operators home to plant a device capable of activating and receiving a burst transmission.

That device is then picked up later with no one the wiser.

On the seventh anniversary of Steve Jobs' death, we give you 7 times he served humanity and acted as an example to others


Pass the Kool-Aid.

Quantum: We've got that accounting probe taped. Now about refinancing...



From what I've seen, a case could be argued for criminal charges to be filed.

Nokia: Oops, financials aren't great. Never mind, 5G will solve our woes


Talk about employee incentives...

"A €292m (£259m) operating profit on net sales of €361m (£320m)" - so it costs $28m/year to service the patents?!

Did you have locking down AI and blockchain as possible Intel SGX uses? If so, congrats...


Have you noticed

Have you noticed that when technologies like these are introduced, we think finally they are taking security seriously. Then corporations immediately come back from 180 degrees offset and think "that will keep out those nosy security researchers - pick apart our code will they...."

Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke



Donate the keys to Girls who code, and get two new keys from a different company. After all, Yubico wanted to learn from their mistake.

Australia wants tech companies to let cops 'n' snoops see messages without backdoors


Key escrow

Does the US gov honestly think that will work? Everyone I know encrypts before transfer. It is trivial to have an app do that.

I've never had any problems.

Facebook insists device data door differs from dodgy dev data deal


Maybe it's time

Time to make these sorts of transactions criminal rather than civil.

Nadella tells worried GitHub devs: Judge us by our actions



Is there nothing Holy?

Epyc fail? We can defeat AMD's virtual machine encryption, say boffins


Yes, hardware.

@ Brian Miller

Put the microcode up for public comment. Eventually, the code will get to a good starting point. The next time silicon is etched, burn this new code in. No trade secret there. Like I said they pretty much all use similar tactics - and engineers do jump ship. Perhaps one of the reasons why meltdown impacted all the major chips in very similar fashion, no?


Here we go again

Since manufacturers all look at each others patents and reverse engineer each others chips (I personally know that two companies do,) one would think that someone would say wait a minute, why don't we throw this out in a repo and see what becomes of it.

Encryption is not IP anymore. It's a commodity. It's really time to stop all this foolishness before consumer rage catches up with those manufacturers. Lets get it right and stop this embarrassment.

Companies can no longer hide their failures in microcode.

Microsoft, Google: We've found a fourth data-leaking Meltdown-Spectre CPU hole



I'm aware of a group selling a Spectre vuln. They won't disclose the source as that would be giving it away for free. One has to buy on faith. The government would by it that way - who's going to con the NSA? The price is in the stratosphere. The government price is too low.

13 by years end? Easily but we will never know how many there were will we? Best wait for new dies.

Android devs prepare to hit pause on ads amid Google GDPR chaos



I think legal at google said "Do not worry about GDPR, shunt it off to the developers." Compliance is THEIR responsibility. We will still get our revenue, let the devs worry about theirs.

Hurry up patching those Oracle bugs: Attackers aren't waiting


They're quick...

I have a few honeypots scattered around to keep my fingers on the pulse. Both the volume of attacks and the speed that they are released is astounding.

There are still many companies that seem oblivious to this. IMHO, if you provide an online service and do not have full time monitoring by a professional, you are beyond stupid.

Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin



Виталий Камлюк was Kaspersky Labs Japan. Chief Security Expert

AI boffins rebel against closed-access academic journal that wants to have its cake and eat it



I'll be the first to admit that without libgen, my whole career would have been a non-starter. Sincerely.

Most of the world doesn't realise the harm that these companies do - and there are a few. They stifle new research unless it comes with a pedigree. I've seen it happen and I've seen the results.

Princeton research team hunting down IoT security blunders


Socially dark

For a large portion of my career I always had to be careful with what I was exposing. But really, hooking up your television to the internet? I'll be six feet under before that ever happens in my house.

Academics: Shutting down Facebook API damages research, oversight, competition



The level of addiction to be able to get at this data is astounding. At some point the pendulum will swing back and knock it all down.

Now IBM turns redundo gun on its Digital Business Group


What's the point?

What's the point of going on IBM? The "innovation" comming out of Watson these days is shite. You got rid of your brain trust and replaced them with some MBA's. But hey look Ginni, you bought back all those shares so Aunt Shiela got her dividend check.

The bright side is that IBM will be in the future textbooks at college - The story of an epic FAIL.

Microsoft starts buying speculative execution exploits


Oh really...

Do they actually think that a "researcher" will burn a Spectre 0d for a quarter of a million?

Facebook gets Weed-whacked: Unilever exec may axe ads over social network's toxic posts


Unilever's Weed

Not available in my country.

Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years


Also on a PDP 11/70 DCL in RSTS V9.* & 10.*

New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them


The time has come

I've been in hardware and software design for over 30 years; I cut my teeth on an IBM 1130 and I haven't looked back since.

I am glad these tools come out - the tools that make fuzzing easier make me a better engineer. If an IT pro is worried about how this will impact his/her company then grow the fuck up.

You either pay your staff to make secuity their full time job, or your companies stock drops. It is so easy to let yourself in the back door or even the front door in todays infrastructure, automated sploits should be the least of your worries.

With state sponsored espionage the norm these days, that Fortune 500 companies continue to farm out work to the lowest bidder if at all, I am the person that you shouldn't detest, but be glad that I exist.

Your choice - talk to me now, or see me later.

Equifax fooled again! Blundering credit biz directs hack attack victims to parody site



Several years ago, I told my client that you hire firms like that for PR; ie "The hack was sophisticated and most other companies would fail too." My client didn't believe me. I won't say what I did or when I did it, but I have some very loyal customers now.

How to scam $750,000 out of Microsoft Office: Two-factor auth calls to premium-rate numbers


bug bounty?

"The company gave Swinnen a $500 bug bounty"

OK, right. The next bug I find in your crap software, I just will not bother to tell you.

Neighbour sick of you parking in his driveway? You'd better hack-proof your car


Thank You!

I sent this article to my neighbor - within 20 minutes he moved it. I think he figured out what I do for a living.

Open-source vuln db closes – plenty of taking and not a lot of giving

Thumb Up

Must of happened during that haze of Alprazalom - you know his first script for such a substance - 1mg X 3 daily for daytime anxiety... ah hahahaha.

Have an up vote.

Class action launched against Facebook over biometric slurpage


Re: Hopefully this will open the floodgates...

Anyone notice the elephant in the room?

Google Password Alert could be foiled with just 7 lines of JavaScript



The page can manipulate back -- because....

Wait a minute, they knew that...

The whole idea is wrong, Java based. All this from a company that knows better.

EasyGroup continues bizarre, time-travelling domain crusade


Re: Perhaps we need to bait Easy's lawyers a bit

Would you like TWA coffee or TWA tea?

If hypervisor is commodity, why is VMware still on top?


Re: "Wreck", "wrecking"

I sent this review to a client of mine who switches his opinions and requirements on a daily basis. He called me after reading the article and made up his mind - informed. Thanks Trevor.

Republicans in sneaky bid to reauthorize Patriot Act spying until 2020


What difference does it make?

The letter agencies are going to do it anyways regardless of the passage of this bill. There are plenty of other loopholes. Do not kid yourselves.

Crack security team finishes TrueCrypt audit – and the results are in


"Crack Security team"?

"Crack Security team"?

The first report released - after a fairly long time - could be produced almost completely automated with some simple and free tools.

The final report was even worse: They missed a bug in the Serpent implementation and a few minor issues too. I wonder if they have ever heard of Valgrind?

They then recommend eliminating cipher cascading as being too complex! Cascading is a way to ensure your data is still safe if an algorithm is broken.

As someone noted above, a bit of injustice here. It would frost your balls that all the money they collected to produce the two very amateur reports was given to some auditors instead of the person who deserved it. Reproducible builds were not even looked at. I found out that someone did that for free earlier. I hope they do not throw good money after bad and pay for that as well. Talk about ingrates!

The final insult was that in the summary, the very issues that really needed to be analyzed were out of the scope of the audit! Now they will say when their report is critiqued oh, we did not analyze that...

Sorry about the rant - a very long day.

Biting the hand that feeds IT © 1998–2019