* Posts by sitta_europea

251 posts • joined 29 May 2016


Cover your NASes: QNAP acknowledges mystery malware but there's no patch yet


Re: Your NAS is still infected


No, it's time to find out what's going on. There must be lots of people reading who have the skills to do that. I do, but I'd charge fees. Others I'm sure will do it for the glory.

FWIW I'd never use any product of this kind for valuable data, far too risky.

QNAP NAS user? You'd better check your hosts file for mystery anti-antivirus entries


Re: Debian

"Some Qnap NAS's support installing Debian, highly recommended if your model supports it."

As long as you don't let it install systemd of course...

'Now is the winter of our disk contents'... Decision on Lauri Love's seized gear due next week


First time I've actually enjoyed a Register headline.

Pixaaaarrrrrrghh! Mars-snapping CubeSats Wall-E and Eve declared dead (for now) by NASA bods


"NASA estimated that Wall-E is more than a million miles (1.6 million kilometres) past Mars, and Eve is further away at almost two million miles (3.2 kilometres)."

Er, 3.2 MILLION kilometres please.

I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt


Quoting Anonymous Coward:

"I quit reporting vulnerabilities years ago - it's hard to get anyone to listen to you - most of the time you are ignored."

You're absolutely right AC, my experience is exactly the same, but I still go on reporting. For example I've been reporting to Exertis, British Gas, the BBC and the DVLA, all for over a year. Nowadays though, as they've ignored me, I just like to drop the names...

Ooooh - I forgot to mention The Register! (Guys, see my mail sent to you at 18:37 on 15 Sep 2017.)

Oh, SSH, IT please see this: Malicious servers can fsck with your PC's files during scp slurps


Somebody used scp to securely copy something that he had no way of verifying from a server he didn't trust, and he was surprised by the results?


The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit


I fucking hate SystemD.

What happens when a Royal Navy warship sees a NATO task force headed straight for it? A crash course in Morse



Tap tap – clunk. Tap tap – clunk. Morse code letter R.


Hmmm. Morse code letter R is di-dah-dit.

UK spies: You know how we said bulk device hacking would be used sparingly? Well, things have 'evolved'...


If I wanted to send something confidentially, I'd pop along to the Post Office and buy a stamp.

What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs


Some years ago I replaced the IT manager at a large motor manufacturer in Birmingham.

He left on a Friday.

The following Monday I noticed he was logged in over a modem that he curiously had forgotten to mention.

I unplugged it.

Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office


"We welcome ... diagnostic data ..."

Yeah, right.

Sorry, but NASA says Mars signal wasn't Opportunity knocking


I suppose shining a powerful laser on it is out of the question?

After all, Mars is about as close as it gets to us at the moment.

Did you by chance hack OPM back in 2015? Good news, your password probably still works!


Shame the GAO can't put its own house in order before it prattles on about everybody else's.

Here's a mail to which I'm yet to see any response:

Date: Wed, 10 Oct 2018 16:47:11 +0100 (BST)
From: G.W. Haywood <gwh@jubileegroup.co.uk>
To: chaplainc@gao.gov, youngc1@gao.gov
Subject: Security issue with your DNS records.

Good afternoon from England,

A recent report about a GAO publication (GAO-19-128) prompted me to look into some aspects of the GAO's own IT infrastructure.

My first investigation took no more than a few minutes and immediately highlighted a security-related issue.

As you can imagine I am reluctant to send such information in a plain text email; if you would like to know more, please get in touch with me with the telephone number of a senior administrator for me to call.

Kind regards,

G.W. Haywood, BSc (1st hons), CEng, MIET, MRIN.

Astroboffins spot one of the oldest, coolest stars in the universe lurking in the Milky Way



Just when you think you have a fairly solid theory on the evolution of star formation from the early universe to now. Along comes a little gem like this that causes a "what the..." moment.


Finally, an intelligent comment.

Thank you.

Google logins make JavaScript mandatory, Huawei China spy shock, Mac malware, Iran gets new Stuxnet, and more


"Another annoying one is the Pensions Regulator. Businesses are legally required to supply them with information about automatic pension enrollment, and this has to be done online, and it requires that you enable Google Javascript and complete a street view captcha."

Well on the bright side, at least I don't have to install Adobe crapware to do my tax returns any more...

Belgium: Oi, Brits, explain why Belgacom hack IPs pointed at you and your GCHQ


"Perhaps they were playing the name 10 famous Belgians game at GCHQ - and it got out of hand..."

That's SIX famous Belgians. You've got to have at least some chance...

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box


Re: Now hang on, please!

"I have a laptop at the moment that refuses to boot ... in an infinite loop ..."

Systemd sucks. It really, really, sucks. I mean I've never even seen anything that sucks so bad.

Jeez it sucks.

Systemd put my backup server into an infinite boot loop too, right after an 'apt-get upgrade'.

God systemd sucks. I hate it with a passion.

Please, somebody, please kill it.

That Saudi oil and gas plant that got hacked. You'll never guess who could... OK, it's Russia


Well, my firewalls DROP all packets from Russia. And Iran. And Israel. And...

Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage


I'd use OpenWRT if it didn't hang the wireless connection on my six (ahem) WRT54GS2 routers when you try to use more than about 1Mbit/s. After it hangs, the only way to get a service back is to reboot the router. That can be a bit inconvenient if it's on the other side of the industrial estate. Tomato doesn't do it. The OpenWRT authors know of the problem but refuse to do anything about it, claiming that it's a hardware bug. Sure, it might be, but there are several software workarounds and they're not interested. The correspondence is all published in the mailing list.

IMHO OpenWRT sucks.

Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then


OpenSSH has nothing to do with libssh and does not use it.

That could have been clearer in the article.


"I'm a director of the company so I insist on using the Administrator account!"

For everything. This is a genuine quote from a director of a genuine customer company.

The company went bust, a year ago this month. Obviously I hadn't let the account get in too deep, but it still cost me money.

UK.gov teams up with Five Eyes chums to emit spotters' guide for miscreants' hack tools


Re: Everything has changed since yesterday

No, no, no!

The more things change, the more they stay the same!

US may have by far the world's biggest military budget but it's not showing in security


And gao.gov uses qwest nameservers??!!


Re: How long have processors *connected* to a network been part of military systems?


...major DoD applications for things like logistics. Nothing any foreign power would be interested in.


I beg to differ. Wars are won (or, perhaps more correctly, lost) in the logistics.

Sendgrid blurts out OWN customers' email addresses with no help from hackers


The sooner we nail Sendgrid into its coffin the better.

100,000 home routers recruited to spread Brazilian hacking scam


So still no DNSSEC at the banks, then?

Yeah, yeah, you've heard it all before....

Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach


And _still_ no DNSSEC, and the SPF record (never mind it includes salesforce.com) ends with "~all".

I know, I know, you've heard it before.

Solid password practice on Capital One's site? Don't bank on it


Why all this worry about passwords? The banks still haven't cottoned on to DNSSEC so it's all screwed anyway - must be five years I've been banging on about it.

Neutron star crash in a galaxy far, far... far away spews 'faster than light' radio signal jets at Earth


Well all that may be as it may be, but I do find it odd that the object that generates the first gravitational wave we ever managed to detect happens to point its poles directly at us.

Just sayin'.

HTTPS crypto-shame: TV Licensing website pulled offline


Does this mean the DVLA will fix their SPF record now? (I know, I know, I've been bangin' on about it for years, but even writing to my MP - Dennis Skinner - hasn't helped.)

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV


Re: This bug cannot be used to infiltrate a network

"This bug cannot be used to ..."

Yeah, sure. Of course it can't. Impossible.

There's a company in Israel I'd like you to talk to...


Somebody bought something from Belkin?

A curse on all their houses.

Facebook flat-out 'lies' about how many people can see its ads – lawsuit


Last year I met an old school friend. I hadn't seen her for more than 50 years.

I asked her what she'd been doing. To protect her I won't say where she had worked, but it was in sales, in a nationally very well-known organization in Great Britain.

"They pay you just to lie," she said. So that's what she did.

Boffins build the smallest transistor, controlled by an atom


Slight numerical error.

"It requires millions and billions of these transistors to build anything useful..."

Don't you just love it when journalists get hold of technical stuff and then fall flat on their faces?

I still have what we used to call a "transistor radio". This was, for those of you who think a smartphone is a pretty neat idea, the most popular communication device in history.

It has seven transistors in it. The makers were so proud of that, they put it on the box.



Extreme Networks? Extreme Share Price Crash, more like


So how did the net worth look?

Hi-de-Hack! Redcoats red-faced as Butlin's holiday camp admits data breach hit 34,000


Re: "responded to a phishing email"...

"Did some numpty actually send the personal details of 34,000 people to someone outside the company in response to a phishing email, or did they just activate some malware by clicking-on-the-link?"

Does it really matter?

Google Spectre whizz kicked out of Caesars, blocked from DEF CON over hack 'attack' tweet


The airlines are quite clear about this kind of thing. Cracking jokes about attacking their facilities will get you arrested. I don't see why any other business should be expected to put up with jerks who do similar things, and just do nothing about it.

And this is not in spite of, but BECAUSE of things like Mandalay Bay.

You can't always trust those mobile payment gadgets as far as you can throw them – bugs found by infosec duo


"Not all of them are or were vulnerable to attack..."


"Not all of them were vulnerable to the attacks which our heroes so far came up with"

Can we talk about the little backdoors in data center servers, please?


This is news?

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities


Is anybody actually using it?

Top tip? Sprinkle bugs into your code to throw off robo-vuln scanners


I've never heard such a stupid idea before.

Oh, wait... well, there was that guy at the FBI...

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher



"Action Fraud is the UK's cyber security reporting centre. ..."

And in my experience a bunch of complete wasters.

UK cyber security boffins dispense Ubuntu 18.04 wisdom


Re: Those numbers look a bit suspect.

I'd go further than that.

Those numbers are completely meaningless, and to me have the look of being compiled by someone with an agenda.

I'm disappointed that so august a publication as The Register would dignify them with a link.

Dixons Carphone: Yeah, so, about that hack we said hit 1.2m records? Multiply that by 8.3


"We're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us."


Pentagon 'do not buy' list says нет to Russia, 不要 to Chinese code


I don't suppose we could all just get along?

And I'll have some of what the guy from Mars is smoking please...

UK slides from first to fourth in UN e-gov survey


I can't see how the UK ever got to the top of this table in the first place. Government IT is shambolic.

For *months* I've been trying to tell government that the SPF record for dvla.gsi.gov.uk is broken.

I even wrote to my MP (on 25th June) about it.

The SPF record is *still* broken.

Of course if the SPF record for theregister.co.uk wasn't *also* broken (and if I hadn't *also* had no success there either) I'd have more confidence in getting anywhere by writing to elReg.

Mega medical tester pester: It smacked a big one, that malware scam, if indeed it was SamSam


Not to mention "I insist on using the Administrator password, because I'm a Director!"

Brit tech forges alliance to improve cyber security as MPs moan over 'acute scarcity' of experts


For months I've been trying to tell a couple of PLCs about a couple of fairly obvious security problems.

I might as well talk to my dog.

They'll only do something when somebody puts them on the front pages.

Mastercard goes TITSUP in US, UK: There are some things money can't buy – like uptime


Do some people actually rely on credit cards then? Seems a bit short-sighted to me.

Two-factor auth totally locks down Office 365? You may want to check all your services...


Re: Wow. Click bait.

"Exchange allows multiple protocols to connect to it. Including legacy protocols like SMTP, POP3, IMAP etc. ..."

SMTP is a legacy protocol? Interesting.

Exchange can't even get SPF right.


Biting the hand that feeds IT © 1998–2019