* Posts by SotarrTheWizard

43 posts • joined 14 Jan 2016

Freaking out about fiendish IoT exploits? Maybe disable telnet, FTP and change that default password first?

SotarrTheWizard
Facepalm

Years ago. . .

. . . a friend was holding a house-warming party, the week before Christmas. Her DSL hadn't been connected yet, **AND** this was an audience of geeks. So, out of 10 singles and couples, we had 7 laptops.

We went searching for open access points. . . .and found 20+. Every single one either admin/admin or admin/password. And most had Win9x or XP PCs behind them, also wide open.

So we locked down all the networks, and left a note on the desktop of all the PCs, from "Santa's Elves", with the new username and password for the wireless routers.

Apparently, the next day, it was the talk of the neighborhood. . .

Hacking these medical pumps is as easy as copying a booby-trapped file over the network

SotarrTheWizard
FAIL

Honestly, at least in .us. .

. . . .you CAN'T secure medical kit. Changing the software requires a vendor to TOTALLY re-accredit the kit and any software.

. . .which is why, at the hospital my eldest daughter worked at, the password for EVERY SINGLE MEDICAL DEVICE was. . . "password" . . .

Could you just pop into the network room and check- hello? The Away Team. They're... gone

SotarrTheWizard
Mushroom

Ah, memories. . .

. . . .the time: 1998

The place: Capitol College, Lanham, MD (just north of DC)

I was teaching a course to develop the first set of Windows Admins/Engineers for a large, unspecified Federal Agency in the Fort Meade, Maryland, vicinity.

Part of this was A+, part was Windows NT4 MCSE, and part was Linux and Cisco.

I jokingly referred to "magic smoke" being the key to computing. One of the students demanded I show them some "magic smoke".

Luckily, we were in the lab, I had a whole stack of discarded AMD K2 motherboards, and a number of variable power supplies.

Wired it up, set the 5 volt feed to 30 volts, and the 12 volt feed to 75 volts. Inside of 5 seconds, hilarity ensued. Capacitors were popping with little bursts of flame and large bursts of. . . "magic smoke".

But as I was pointing out the "magic smoke" to the class, I had neglected to power down the supplies.

And someone asks, "Is the CPU supposed to do that ?".

I take a look back at the mobo, and the CPU has deformed about half an inch. . . and suddenly BANG, burst of flame. . . and no CPU. Well, at least on the mobo: it had embedded its remains in the ceiling, 10 feet above.

Now, **THAT'S** entertainment. . .

Senator: US govt staff may be sending their smartphone web traffic 'wrapped in a bow' to Russia, China via VPNs

SotarrTheWizard
WTF?

So why do PUBLIC servants. . .

. . . use a VPN to hide their traffic on GOVERNMENT-issued phones ?? Personal, no worries. But their issued phones ??

If servers go down but no one hears them, did they really fail? Think about it over lunch

SotarrTheWizard
FAIL

This happened to me, sort of, late 1990s . .

. . . . .but the blame is purely on the manufacturer. They shall remain nameless, but it was a top-of-the-line LaserJet 5. We checked that it could handle 220, spec said it was 110/220.

What PrintZilla ***didn't*** say was, the 110V was one stock number, and the 220V was a separate stock number. And you couldn't buy the 220 version in North America, where we sourced everything else (all of which was dead easy to change over, flip the switch on the back of the Power Supply, and locally source the power cords to match local outlet configuration. . .)

We had to re-pack and ship the 110 version back to the States.

But the story does not end there. We were doing the install at HQ NATO. So, we called *(redacted)* Belgium, asked who their local resellers were. They named a company whose nearest office was in Antwerp, and another whose office was, conveniently, right next door to the US Support Activity. And we even had an account with them.

Or so we thought. I make a call, half in English and the rest in French, for an appointment the next morning. I get there. . . and they hand me an application form to become a customer. I was told to fill it out, and they'd get back to us in 4-6 weeks. I told them that I needed to buy a printer now, and pulled out a wad of cash, ~180,000 Belgian Francs. Got told they didn't accept cash payments. Pointed out we already had an account in .us. Was informed that the .us was a different organization, and we needed to be an approved customer of **theirs**. I walked out.

Grabbed the Pages Jaunes, and started calling companies that had HP logos in their ads. About a third, 10 or so, had the printer we wanted in stock. I got a name, a voice number, and a fax number.

Got a list of vendors, made a standard bid request. Model XYZ printer, with accessories A and B, for cash, delivered to HQ NATO C/o my employer's Company and the US Mission. Best price, taxes and delivery included, reply by fax with bid NLT 1400, Friday (this was a Tuesday afternoon).

Got one bid on Wednesday, after lunch. And then nothing. Called the outfit that bid on Friday at 1410, and we arranged delivery and payment for Monday morning. Easy peasy, installed as per the book, no circuits popping. Up and running by COB.

Rest of the network install continued over the next two weeks. But two weeks after we sent out the bid, a second company responded, with a much higher price, and delivery in 20-30 days. Ignored it. Next morning, the guy called, and asked when we could work payment for his bid.

I pointed out that bidding had closed ~10 days prior, someone had been selected, the printer paid for AND INSTALLED for a week-plus.

Guy flips out, did we not know who he was, he would complain to NATO, I pointed out that NATO wasn't buying it, a private US company was, supporting an activity based in the Pentagon. He said he would complain to the Ambassador. I gave him the Embassy switchboard number and wished him luck. . (turns out he had done this before, the Embassy had him on their "cranks" list. . .). The next day, the team flew back to .us.

2-3 weeks after this, we get a call from the US Mission. Seems that the original reseller had approved us to be a customer, and they wanted to discuss when we could take delivery of the printer. . . .Apparently, they weren't amused when I emailed them, and told them that it was overcome by events. And in any case, their proffered price was about 10% higher than what we paid. . . .

Do Not Track is back in the US Senate. And this time it means business. As in, fining businesses that stalk you online

SotarrTheWizard
Trollface

Track me all you want. . . .

. . . . for 50% of the gross, not net, revenue you derive from my data. Don't want to pay me ? Zero Tracking.

Giga-hurts radio: Terrorists build Wi-Fi bombs to dodge cops' cellphone jammers

SotarrTheWizard
Mushroom

Re: WiFi Routers can be anywhere; cell towers are generally in fixed locations

. . .and then this shows up in the email today . . .

https://www.westernjournal.com/ct/us-deploys-missiles/

Apparently, there's a repeat-fire capability. . .

SotarrTheWizard
Mushroom

Re: WiFi Routers can be anywhere; cell towers are generally in fixed locations

Actually, there are any number of ways to generate an EMP. Any sufficiently large explosion is the "easy" way, but a one-shot "focused" EMP bomb is apparently possible:

https://science.howstuffworks.com/e-bomb3.htm

. . .which suggests, in turn, that the major powers already have them.

Or, just focus microwaves tightly enough, although that tends to leave signs. . . like cooked meat in the beam path. Alternately, that's a cheap way of training managers, they didn't need those higher brain functions to start with. . . (evil grin)

White House issues Executive Order on cybersecurity, including hacker Hunger Games

SotarrTheWizard
Mushroom

Ever TRY to work for Uncle Sam ??

. . . .the process is lengthy and byzantine. No, you can't use your regular resume or CV. Instead, you have to write a custom document addressing required "KSAs" (Knowledge, Skills, Abilities) for each and every point of the job description. And then wait. In one case, I waited 14 months for a response, got a phone interview, and 6 months after THAT, got an email telling me I was not selected.

All for lousy pay (compared to the private sector), but excellent benefits. Including being effectively layoff-proof. . . .

Oh, and a list of certifications ? Department of Defense has had that for 11 years: why not use theirs ??

All in all, the pain and hassle of putting in for a Federal Job in us.gov is pretty much not worth the payoff. . .

User secures floppies to a filing cabinet with a magnet, but at least they backed up daily... right?

SotarrTheWizard

Now, mind you. . .

. . . . in my younger days, I got REALLY pissed at a particularly stupid user. One who would, for example, complain that the system wasn't working, when they hadn't powered up the box . . .

. . . . so I mounted an inch-long piece of self-adhesive magnet tape just under the 5 1/4 floppy slot. . . (evil grin)

Uncle Sam charges Julian Assange with conspiracy to commit computer intrusion

SotarrTheWizard
Mushroom

Re: Good

I was always under the impression that Assange was an Australian national.

Also, pardon me for demanding historical accuracy, but the files were leaked by BRADLEY Manning, who later transitioned to being CHELSEA. But was still Bradley at the time. . .

Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach

SotarrTheWizard

Re: Interesting, but. . .

60 days, high complexity and multifactor. Remember: security is about MANAGING risk. I know you WANT me to use an epic passpoem, detailing the life and works of seven mythical Norse heroes.

But I'm not Bruce Schneier . . .

SotarrTheWizard

Re: Interesting, but. . .

And I rather suspect you work for 1password.com. (grin)

The companies in question sell contact lists in industry, and I **know** that data is compromised, because I get at least one targeted spam a day, and generally more. . .

SotarrTheWizard

Re: Interesting, but. . .

Actually, I'm on a forced 60-day password change cycle with high complexity AND 2-factor authentication.

SotarrTheWizard
Mushroom

Interesting, but. . .

. . . tried my work email on it. Said I was compromised three times. One of them was a 2013 breach. Problem is, that email account was created in late 2015.

The other two are companies I've never heard of, much less created an account with.

And, gee, if I want more details, I have to sign up for their pay service. . . .

I'm thinking of this as maybe 20% informative, 80% Biz dev for their paid product. . .

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

SotarrTheWizard
Unhappy

Exchange takedown from a single message isn't new. . . .

. . . .it was a different vulnerability, but you could take Exchange down with a single, specially-crafted message back in 2005.

Automated Weather Source didn't see this cloud coming: Amazon snatches up AWS.com

SotarrTheWizard

Re: Today a domain...

(cue "Pinky and the Brain" theme song. . . )

Hey Jeff, what are we going to do tonight ?

The same thing we do every night, shareholders. . . . Try and Take Over the World!. . .

EU-US Privacy Shield not up to snuff, data tap should be turned off – MEPs

SotarrTheWizard

Perhaps it's a silly question. . .

. . . .but how do EU Laws bind the United States ?

Comcast's mega-outage 'solution'... Have you tried turning your router off and on again?

SotarrTheWizard
Trollface

Re: Running around like chickens?

In other words, as usual, Comcast's "service" has laid an egg. . . .

I've got way too much cash, thinks Jeff Bezos. Hmmm, pay more tax? Pay staff more? Nah, let's just go into space

SotarrTheWizard
Mushroom

Congratulations! (was : Re: I disagree...)

You just repeated the argument against colonizing the New World. Half the point of new worlds, be they continental or planetary, or asteroidal, or, hopefully some day, in another solar system. . . . is a fresh start.

FDISK /MBR and install the OS of your life from scratch, as it were. . .

US mulls drafting gray-haired hackers during times of crisis

SotarrTheWizard
Joke

Service guarantees citizenship. . ..

. . . Would you like to know more ??? (evil grin)

Learn client-server C programming – with this free tutorial from the CIA

SotarrTheWizard
Facepalm

MIPS ? PowerPC ?

. . .I realize those architectures have survived into the 2000s. . . But I simply cannot recall any servers produced using either processor since the late 1990s.

So, isn't it likely this is nearly 20-year-old code ?

Obama's intel chief says Russia totally tried to swing it for Trump

SotarrTheWizard
Trollface

Clapper's not an asshole. . .

. . . that orifice has a USE. . .

Enterprise patching... is patchy, survey finds

SotarrTheWizard

And that also assumes. . .

. . . .that we actually USE Internet Exploder. Since we can't uninstall it. . . .

I simply have removed the icon from my desktop and taskbar at home on my Win7 Gaming box. And the gaming box has STILL not completely recovered from the rollback after the uncommanded Win10 upgrade.

Of course, my WORK box at home runs Mint. . .

Australian Taxation Office named as party preventing IT contractors being paid

SotarrTheWizard

We OBVIOUSLY are missing big chunks of the story. . .

And no experience with the AUSTRALIAN Tax authorities. . . . but Tax agencies are fairly well known for "grab first and ask questions later". In .US, you're considered guilty and must prove innocence in Tax Court. . .

Biggest security threat to US healthcare? Loose lips and lost hardware

SotarrTheWizard

My oldest used to work in healthcare. . . .

. . . . and she noted that most systems in the hospital had a shared password.

That password was "password".

600 beds, sprawling campus. . . .and two IT guys. Neither of whom was over 30.

Don't listen to the doomsayers – DRM is headed for the historical dustbin, says Doctorow

SotarrTheWizard
FAIL

I know plenty of authors. . . .

. . . who specify "No DRM" on their ebooks, and the vendors comply. Hell, every single Baen ebook is DRM-free, and that's an entire publishing house. . .

EFF dinks HP Inc finks in rinky-dink ink stink

SotarrTheWizard

The precedent of Auto Repair. . .

. . . . likely holds here, that you cannot be forced to use a dealership for repair or service, or OEM parts for your car. . .

Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes

SotarrTheWizard
Trollface

Microsoft has cutting-edge customer support. . .

. . . .that they learned from United Airlines. . ..

Oh my Microsoft Word: Dridex hackers exploit unpatched flaw

SotarrTheWizard

Oddly enough. . .

. . . . no sign of ANY Patch Tuesday releases, so far. . .

Yee-hacked! Fired Texan sysadmin goes rogue, trashes boot business

SotarrTheWizard
Mushroom

Someone I knew. . .

. . . .back in Netware days, had a "Pearl Harbor" process running on his network. He would have to reply to a prompt with the correct passphrase every (14+RND) days, or it would start another (14+RND) day timer.

He never had to use it: the Boss let his nephew "inventory" the server room, and there was enough damage done (these were the days when a sudden power-down could crash disk heads. . . ) that the company went out of business. . .

USA can afford golf for Trump. Can't afford .com for FBI infosec service

SotarrTheWizard

That the Fibbies are less than competent is a given. . .

. . . but why the Presidential Golf reference, considering the massive duffing of the previous President ?

If you were cuffed during Trump's inauguration, cops are trying to crack your smartphone

SotarrTheWizard

Re: erase option?

. . . or just use a burner phone ??? If you're going to go where your phone is likely to get hacked, legally or not, you get a burner with minimal information on it.

Anyone who's ever been to DEFCON or Black Hat knows that, otherwise you're likely to end up on the Wall of Sheep . . . .

User lubed PC with butter, because pressing a button didn't work

SotarrTheWizard
Mushroom

Back in the mid-1990s. . . .

. . .I had the misfortune of working at the Pentagon's Helldesk for the Air Force.

And I actually got a "cupholder" call: a 3-star (fighter pilot, of course) had called in to report that his "cupholder" had cracked.

Yep. He was using the CD-ROM tray for his coffee cup.

I get there, diagnose the problem ("What, you can't glue it back together ?? How about replacing the tray ?"), call it in to order a new CD drive. Mind you, at the time, a CD Drive was a several hundred dollar piece of gear. And I mark it down as Customer Misuse of Equipment, which meant he PERSONALLY got the bill for parts and labor, about 400 bucks.

General blows a gasket, demands I retract the report. General ALSO had signed a waiver for training on the box, accepting, under his signature, personal liability to all damage to the computer beyond normal wear and tear. Never got to the end of the matter, as I left for a better job shortly thereafter. . .

Amazon S3-izure cause: Half the web vanished because an AWS bod fat-fingered a command

SotarrTheWizard

Re: To err is human...

Funny that you mention punchcards: I recently pulled one of my old boxes of code stacks out of the cellar, to let my grand-daughters make the quintessential early-70s craft project: the Punchcard Christmas Wreath.

I had forgotten the joys of card stacks, and the multiple marker and highlighter lines across the top of the deck to help quickly restore the deck if you dropped it.

Good times, good times. . .

You're Donald Trump's sysadmin. You've got data leaks coming out the *ss. What to do

SotarrTheWizard

Of course, when a major newspaper. . . .

. . . prints a request for leaks and provides a how-to for the uninitiated user to download, install, and use a TOR browser, and an anonymous file-transfer utility. . .

https://www.washingtonpost.com/news/politics/wp/2017/01/25/heres-how-to-leak-government-documents-to-the-post/?utm_term=.302a4d44c560

'Hey, Homeland Security. Don't you dare demand Twitter, Facebook passwords at the border'

SotarrTheWizard

Mind you, I'm a US Cit. . .

. . . and even 20 years ago, noticed it was far more of a hassle to enter the US than any other nation: mind you, my experience is with Europe, Japan, South Korea, Australia, and New Zealand. LONG before the TSA.

I can't even imagine what it's like now. . .

SotarrTheWizard

Dammit, if you want into my social media accounts. . . .

. . . .at least use the gorram backdoors that No-Such-Agency has installed. . .

Trump signs 'no privacy for non-Americans' order – what does that mean for rest of us?

SotarrTheWizard
Alert

People. . . . the Privacy Act applies to data held by the ***US Government***. . . .

. . . not commercial entities. Relax.

https://infogalactic.com/info/Privacy_Act_of_1974

Verizon is gonna axe its 'unlimited' data hogs

SotarrTheWizard
Trollface

Re: To all the wireless carriers...

In related news, Verizon is re-branding itself as the Ministry of Truth. . . .

If you bought a dildo in Denver, the government must legally be told

SotarrTheWizard
Trollface

Re: Remarkable

RESISTANCE IS FUTILE. YOU WILL BE ASSIMILATED INTO AMAZON PRIME. . . .

(evil grin)

Cats, dogs starve as web-connected chow chute PetNet plays dead

SotarrTheWizard
Trollface

And it's not like it's either hard OR expensive. . . .

. . . to add an offline function. I mean, it already has a small computer in it. . .

Let me guess: Manglement pooh-poohed it, as they couldn't offer "pet-feeding as a service" if you could set the timer and let it run by itself. . .

No escape: Microsoft injects 'Get Windows 10' nagware into biz PCs

SotarrTheWizard

I made the mistake. . .

. . . of upgrading during the "Preview".

Suddenly, my Printer (a 3-year-old Epson all-in-one) wasn't recognized. Neither was my Radeon video card. The USB 3.0 ports on my mobo stopped working.

Needless to say, I rolled back almost immediately. . . . And even THAT killed some functionality.

Box now dual-boots Mint and Win7. Because, alas, Fallout 4 hasn't been ported to Linux. . . .yet. . .

Biting the hand that feeds IT © 1998–2019