* Posts by mmccul

39 posts • joined 10 Sep 2017

Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT


Re: DoH

Just checked current Vivaldi (vivaldi://flags) and it is hidden, but doable to ensure the DoH protocol is disabled, at least according to options. Without something like Burp Suite, hard to know if it is actually honored (and I'm not yet ready to waste a demo on just this test.)

Now there's nothing stopping the PATRIOT Act allowing the FBI to slurp web-browsing histories without a warrant


Re: "No it won't"

HTTPS does not encrypt the SNI at this time, so a network snoop will still know where you are going.

Stop pushing DNS over HTTPS (a privacy nightmare as others have pointed out) and realize it is actually the worst designed of the options. Literally, DoH results in lower privacy than no encryption at all, because a third party that would never have seen who you are visiting now gets that information in a nice pat log. As I keep reminding people, your ISP knows where you go just from the network traffic -- if they care so much. With that and SNI, they don't need your DNS except for pushing ads.

Microsoft doc formats are the bane of office suites on Linux, SoftMaker's Office 2021 beta may have a solution

IT Angle

Most technical workers I see in IT departments (network administrators, SREs, Windows administrators, etc.) cannot handle even simple markdown formatting correctly. I believe that expecting such individuals and the non-technical business analysts and finance analysts, etc. to use TeX is an unrealistic goal.

It's bad enough getting these supposedly technical people to write four coherent explanatory sentences in a text editor or email. Ask for even elementary formatting like a simple three column table, and I'm regularly asked to write it for them.

UK snubs Apple-Google coronavirus app API, insists on British control of data, promises to protect privacy


Re: "Details" are irrelevant

They don't need to steal data to monetize this. They've built a way of recording who spends time at a booth or in a particular section of a store. Then they can send those people targeted advertisements, "oh, we don't actually record this location data, your phone just calculated that it was near this advert system, and thus pulled the relevant advertisements".

Why does the message have to be just "you may have been exposed to COVID-19" instead of "buy our product"?


Re: Difficult choice

"I see you stopped by our booth on $PRODUCT recently. I realize the framework we are using to contact you was intended to track people who may have been exposed to a dangerous disease, but we decided to leverage this functionality to notify you that we are offering a sale on our product that you already said you were interested in by walking by our systems."

Microsoft decrees that all high-school IT teachers were wrong: Double spaces now flagged as typos in Word


Re: Kerning

MS Word does not change the space size after sentences.


Re: spare disk space

When I learned manuscript format for submitting writing material for possible publication, I found it interesting that the explicit format was "Times New Roman, 12 point font, double spaced, one inch margins on all sides, two spaces after sentences," and failure to follow that format would result in your submission being tossed unread by many journals. Yes, some journals were different, but that was the most common standard, and it wasn't just what the instructor taught, it was demonstrated by the specified submission guide for the various places I looked at. I would not say it is just "because the teachers were taught that."

Word was, and remains, a typographic neophyte. Word uses the same sized space between words as it does between sentences based on my testing in the common fonts (e.g. Arial, Times New Roman, Verdana, Calibri).

Canada's .ca overlord rolls out free privacy-protecting DNS-over-HTTPS service for folks in Great White North


Anti-privacy under privacy name

DNS over HTTPS is a privacy nightmare. Now, one place will see all your DNS queries, even if not intended for them. As many have pointed out, your ISP already knows where you are going just by looking at the IP headers and the unencrypted part of https requests your browser sends that includes little things like the domain name you are requesting (SNI).

I've noticed a lot of anti-privacy initiatives, like DNS over HTTPS, advertised in the name of "enhancing privacy" when really, it's just about encouraging people to log all their activity at yet another data aggregator that isn't normally in a position to capture any of the traffic at all.

The real question is not the confidentiality of DNS requests, but confidentiality of where you go. But the ISP, to route your traffic, has to know where you are going. Until https is rewritten, they always know the domain name you are requesting, even without looking at DNS queries. This is a solution in search of a problem, and considering who has been advocating it (various organizations that often make money by such), I am not convinced their motives are altruistic.
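Both this post and the earlier "No it won't" reply rest on the same technical point: the hostname travels in the clear in the TLS ClientHello's server_name extension, so an on-path observer reads it without touching DNS. The Python below is added here as an illustration and is not part of either post. It builds a minimal ClientHello (constructed test input, not a capture; the cipher suites, zero client random and documentation IP addresses are assumptions) and then parses the SNI out of it the way a passive logger would. The caveat a practitioner would add: TLS Encrypted Client Hello (ECH, earlier drafted as ESNI) is the extension designed to close exactly this gap, and at the time of these posts it was still a draft and not on by default.

```python
import struct

# Constructed ClientHello (test input, not a real capture): a TLS record
# carrying a ClientHello with the server_name (0x0000) and
# supported_versions (0x002B) extensions.  Pass hostname=None to omit SNI.
def build_client_hello(hostname):
    random = bytes(32)                       # all-zero client random is fine for a test vector
    session_id = b""
    cipher_suites = b"\x13\x01\x13\x02"      # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    compression = b"\x00"
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni
    versions = b"\x02\x03\x04"                                   # offer TLS 1.3 only
    extensions += struct.pack("!HH", 0x002B, len(versions)) + versions
    body = (b"\x03\x03" + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)

def extract_sni(record):
    """Return the host_name carried in a TLS ClientHello record, or None.
    This is everything a passive observer needs: no keys, no DNS."""
    try:
        if record[0] != 0x16:
            return None                      # not a handshake record
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                      # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                         # skip client_version and random
        pos += 1 + body[pos]                 # skip session_id
        cs_len, = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
        pos += 1 + body[pos]                 # skip compression_methods
        if pos + 2 > len(body):
            return None                      # legacy hello with no extensions block
        ext_len, = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if ext_type != 0x0000:
                continue
            lp = 2                           # skip ServerNameList length
            while lp + 3 <= len(data):
                ntype = data[lp]
                nlen, = struct.unpack("!H", data[lp + 1:lp + 3])
                if ntype == 0:
                    return data[lp + 3:lp + 3 + nlen].decode("ascii", "replace")
                lp += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None                          # truncated or malformed: treat as no SNI

def observed_destinations(flows):
    """flows: iterable of (dst_ip, first bytes the client sent).
    Returns the row an on-path logger gets per flow, DNS never consulted."""
    return [(dst, extract_sni(data)) for dst, data in flows]

if __name__ == "__main__":
    sample_flows = [("192.0.2.10", build_client_hello("example.com")),   # constructed
                    ("192.0.2.11", build_client_hello(None))]
    for dst, host in observed_destinations(sample_flows):
        print(dst, host)
```

The parser deliberately stops at the first host_name entry and returns None for anything truncated or malformed, which is the conservative choice for a logging sensor: it never guesses a hostname the bytes do not contain.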

Welcome to life in the Fossa lane: Ubuntu 20.04 let out of cage and Shuttleworth claims Canonical now 'commercially self sustaining'


Re: @ErroneousGiant - I still don't see the purpose of WSL

It allows users like me who routinely need a POSIX *nix user environment for routine tasks, to use Windows instead of a Mac. I know people who write Fortran code that they can run for testing inside WSL, but it's a lot more of a nuisance for them to run that in Windows.

Tea tipplers are more likely to live longer, healthier lives than you triple venti pumpkin-syrup soy-milk latte-swilling fiends


Fermentation is not oxidation

The article mixed up how black tea is made (fully oxidized) with how pu-erh tea is made (fermented, in some cases over many years).

(As I finished a cup of loose leaf pu-erh (vs cake or tuo cha form) while reading this article).

LibreOffice 6.4 nearly done as open-source office software project prepares for 10th anniversary


Re: I'm not so sure that options are the answer to why Office is so popular

You missed another key problem with LibreOffice. Track changes. Maybe it's improved, I don't know. But I had to give up on using LibreOffice for any usage involving change tracking. The usage model was bi-directional, I created files and sent to them for them to mark up and send back; they created files that I got, marked up, and sent to them. The changes were not reliably marked, and comments were often not coming through. Those using only Word had no issue. Oddly, docx vs odt didn't seem to make a difference on change tracking. (Sometimes I'd accidentally send them odt, which generated a warning for those using Word, but that was about it.)

I consider Word's change tracking incredibly primitive, but this is a case where it isn't good enough to work with your own product (and I wouldn't consider LibreOffice passing even that low bar on the inserted comments), you have to work with what others around you use.


Re: I think you underestimate it...

$100/year is considered highly competitive for decent automatic backup tools. O365 has more storage than most of the ones I've evaluated, better accessibility, better agent for doing the backups, etc. Oh, and you get access to the office suite as a part of that same cost.

I pay for O365 for the Onedrive storage as a remote backup service. Is it the only copy of my files? No, it's the backup, automatically maintained, and now if a family member deletes a file they didn't mean to, they don't need me to come over and show them the arcane methods to restore that one file. I don't get complaints about their computer being too slow to discover that the backup agent is taking 100% CPU, every other week.

Every remote backup service has similar terms, I just find Microsoft to have the best deal right now.

Hyphens of mass destruction: When a clumsy finger meant the end for hundreds of jobs


Re: One way to prevent accidents

: Invalid function name

I know, bash ignores the restriction that function names start with only specific characters (alphabetic, but may be alphanumeric). This is one of many reasons why you should never write shell scripts to run in bash. Use a scripting shell.
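The portability point above is easy to lint for. The Python below is an added example, not part of the post: it scans shell script text for function definitions and flags names outside the POSIX portable name set (a letter or underscore followed by letters, digits or underscores) and the non-POSIX `function` keyword form that bash and ksh accept. The sample script is constructed for the example; the regexes are deliberately simple (they ignore anything after a `#`, so a `#` inside a quoted string on a definition line would confuse them).

```python
import re

# POSIX "name": letter or underscore, then letters, digits or underscores.
# bash accepts more (e.g. hyphens) when not in POSIX mode; a strict sh does not.
PORTABLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Matches "name() {" / "name ()" and the non-POSIX "function name" form.
FUNC_DEF = re.compile(
    r"^\s*(?:function\s+(?P<kw>[^\s(){}]+)\s*(?:\(\s*\))?"
    r"|(?P<paren>[^\s(){}]+)\s*\(\s*\))"
)

def nonportable_functions(script):
    """Return [(line_number, name, reason)] for function definitions that
    a strict POSIX sh is not required to accept."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0]          # crude: drop trailing comments
        m = FUNC_DEF.match(line)
        if not m:
            continue
        name = m.group("kw") or m.group("paren")
        reasons = []
        if m.group("kw") is not None:
            reasons.append("'function' keyword is not POSIX")
        if not PORTABLE_NAME.match(name):
            reasons.append("name is not a portable POSIX name")
        if reasons:
            findings.append((lineno, name, "; ".join(reasons)))
    return findings

# Constructed sample script, not from any real repository.
SAMPLE = """#!/bin/sh
# constructed sample
set -eu
clean_up() {           # portable
    rm -f "$tmp"
}
kill-all-jobs() {      # accepted by bash, not guaranteed by POSIX
    echo stop
}
function restart_svc {  # bash/ksh keyword form
    echo restart
}
"""

if __name__ == "__main__":
    for lineno, name, reason in nonportable_functions(SAMPLE):
        print(f"line {lineno}: {name}: {reason}")
```

Run it over a script before shipping it with `#!/bin/sh` on the first line; anything it flags will work under bash and may fail to parse at all under dash or another POSIX shell.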

Communication, communication – and politics: Iowa saga of cuffed infosec pros reveals pentest pitfalls


Re: Due diligence

Tell that to Nixon. Couldn't he authorize a break-in in the country of the United States?

County and state are different jurisdictions, and state governments do not own county buildings.

What do you get when you allegedly mix Wireshark, a gumshoe child molester, and a court PC? A judge facing hacking charges


Re: Oh come on...

And most pentesters I've cleaned up after ignore the statement of work and agreed upon scope, definition of critical system assets, rules of engagement and do whatever they feel like anyway.

How bad is Catalina? It's almost Apple Maps bad: MacOS 10.15 pushes Cupertino's low bar for code quality lower still


Re: No problems here!

Actually, iTunes works well for me -- for organizing and listening to music. The grouping feature and shuffle by grouping allows me to organize my multi-movement pieces of music correctly, listen to them in the correct order when I want, or separately when I want, without breaking albums. I have never owned an iPhone, never an iWatch, and my last iPod was discarded over ten years ago.

The mod firing squad: Stack Exchange embroiled in 'he said, she said, they said' row


Re: Is this just an English thing ?

Tell that to Shakespeare who used it in the singular.

Are you a Nim-by? C-ish language, gentler than Go, friendlier than Rust, reaches version 1.0


1977 called

It wants its whitespace sensitive languages back.

Allowlist, not whitelist. Blocklist, not blacklist. Goodbye, wtf. Microsoft scans Chromium code, lops off offensive words


Yes, because there's no such thing as green tea or white tea or yellow tea ... (okay, oolong and pu-erh aren't given color names in English typically).

I'm told that what most call black tea is referred to as red tea in some places, and black tea in those places refers to pu-erh.

Docker made itself popular with devs. Now it has to make itself essential for biz. But how? Ah ha! Pay-as-you-go enterprise features


Re: Yep. Docker Con.

You mean like the containers on mainframes used 40+ years ago?

You like JavaScript! You really like it! Scripting lingo tops dev survey of programming languages


Re: Oh dear! Nothing is perfect

The reason I find myself willing to work with JavaScript comes down to two things.

First, I recognize it is a purpose built language, not a general purpose language. Just like awk is purpose built to stream process text files. Sure, I can use awk to calculate mathematical problems, but that isn't the design of it. Javascript is similar, in that it is designed to be used for a specific use case.

Second, because I recognized long ago that Javascript is functional first, object oriented a distant third. Even the scoping rules make more sense in that context.

I think if Javascript didn't have those first four letters in its name, no one would care about OO in it or not, except the OO zealots who insist that everything be OO, even if it makes no sense for the problem to be solved.

Encryption? This time it'll be usable, Thunderbird promises


Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

Exchange is, whether people like to admit it or not, one of the top integrated enterprise calendaring tools available. It supports plugins for various web meeting tools (e.g. BlueJeans, WebEx), and a very effective scheduling tool. It even supports managing conference rooms.

Forget the email. It's the calendar that keeps Exchange so popular with managers.


Re: That's nice dear ...

I tried Outlook. It failed the Google Calendar test, unable to display all the calendars shared with me. Thunderbird was the first client on Windows that could work with Exchange, Google, and local calendars. (On macOS, the native calendar worked).

For me, the killer app was calendar, not email. I have to be able to display all my calendars (and those of family members that are delegated to me) in one integrated view. Talking to a few of my peers, they ended up using their mobile phones for such, but given the "we own any android/iOS device that connects to our calendar" trends, that's not very attractive to me.

Mourning Apple's war against sockets? The 2018 Mac mini should be your first port of call


mini TOSLINK gone?

When I looked at it, the specs seem to imply that the combination headphone/microphone/mini-toslink port is now just a headphone/microphone port. That means my only option for digital audio output may be the HDMI port, which is a lot harder to split into two channels to send into both zone A and zone B of my stereo system.

I like several aspects of the unit, but that item does concern me if confirmed.

Of course, my late 2014 mac mini shows no sign of needing replacement any year soon, so by the time I do replace it, Apple may have another unit out, and my (already ten year old) stereo may be ready for a replacement as well.

If you have to simulate a phishing attack on your org, at least try to get something useful from it


Removing the stigma against false positive reporting is important. If you aren't reporting false positives, you aren't reporting real phishing events. Err on the side of reporting. Build that culture of acceptance to presume *any* unanticipated email with links or instructions from the outside is a phish and you'll drop your click rate significantly.

Yes, it's annoying to have to email your team and say "You will receive an email from such'n'such place. It will be about this topic. Please respond to it", but it helps.


What's the metric?

In any effort like this, one of the things a good manager wants to know is how do we measure this so we know if it is effective? What is the method to measure improvement? Number of clicks? Number of repeat clicks? As the article says, someone will always click. In one phishing training I saw, the security team member clicked on the link and was literally typing in their live username and password, "to be helpful".

I argue that the critical missing metric is time based. How long until that first report? How long until that first click? Can we get people trained to report these things quickly, alerting the trained staff fast enough that they could actually respond and block the malicious URL before the first click? It's ambitious, but it gives you a real measure of your window of vulnerability and your ability to contain the damage.
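The time-based metric proposed above is straightforward to compute from a campaign's event log. The Python below is an added example, not part of the post: given the send time, the recipient list and a list of (timestamp, user, action) events, it returns the usual click and credential rates alongside time to first click, time to first report, and the "containment window" (seconds between the first report and the first click, positive when the responders had time to block the URL before anyone clicked). The campaign data is constructed for the example; the event schema and field names are assumptions.

```python
from datetime import datetime

# Constructed campaign data (not real): one simulated phish sent to five people.
# Events are (ISO timestamp, user, action) with action in click / submit / report.
SENT_AT = "2020-05-04T09:00:00"
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]
EVENTS = [
    ("2020-05-04T09:01:10", "bob",   "report"),
    ("2020-05-04T09:03:30", "alice", "click"),
    ("2020-05-04T09:04:00", "alice", "submit"),
    ("2020-05-04T09:07:15", "carol", "click"),
    ("2020-05-04T09:09:00", "alice", "click"),
    ("2020-05-04T09:12:00", "dave",  "report"),
]

def _secs_after(sent, ts):
    return (datetime.fromisoformat(ts) - sent).total_seconds()

def campaign_metrics(sent_at, recipients, events):
    """Counts plus the time-based view: how fast was the first report, how fast
    the first click, and did the responders get a window between the two."""
    sent = datetime.fromisoformat(sent_at)
    clicks, reports, submitters = {}, {}, set()
    for ts, user, action in sorted(events):          # ISO strings sort chronologically
        secs = _secs_after(sent, ts)
        if action == "click":
            clicks.setdefault(user, []).append(secs)
        elif action == "report":
            reports.setdefault(user, secs)           # keep each user's first report
        elif action == "submit":
            submitters.add(user)
    first_click = min((c[0] for c in clicks.values()), default=None)
    first_report = min(reports.values(), default=None)
    report_beat_click = first_report is not None and (first_click is None or first_report < first_click)
    window = None
    if first_click is not None and first_report is not None:
        window = first_click - first_report          # >0: responders had that long to block the URL
    return {
        "click_rate": len(clicks) / len(recipients),
        "credential_rate": len(submitters) / len(recipients),
        "repeat_clickers": sorted(u for u, c in clicks.items() if len(c) > 1),
        "time_to_first_click_s": first_click,
        "time_to_first_report_s": first_report,
        "report_beat_click": report_beat_click,
        "containment_window_s": window,
        "reports_before_first_click": sum(1 for s in reports.values()
                                          if first_click is None or s < first_click),
    }

if __name__ == "__main__":
    for k, v in campaign_metrics(SENT_AT, RECIPIENTS, EVENTS).items():
        print(f"{k}: {v}")
```

Tracking the containment window across campaigns is the part worth graphing: a click rate that refuses to drop below a few percent is expected, but a window that grows from negative to several minutes means the reporting culture is doing its job.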

Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies


Ask black hats how common black hats are...

When I've talked to companies, the executive leadership are so terrified of insider threats, so out of proportion to the actual risk, that often they create a bigger security risk by giving the security team, the very team most likely to go black hat, massive access to every piece of intellectual property in the company, even if they don't actually need that access, because security.

Then I talk to the black hats of security, penetration testers, and they talk about insider threats as the number one source of problems.

Then I sit down and look at the company, and see that the top source of risk isn't a malicious actor at all, and often isn't even adversarial, but structural due to their failure to invest in basic IT. Surveys like this aren't very useful except for fear mongering and encouraging further black hat activities by people with security jobs.

Most staffers expect bosses to snoop on them, say unions


Re: Legal Requirements??

In my experience, keystroke loggers violate the very rules that they claim to enforce because they always end up capturing passwords.

It's nothing but a black hat in a management suit trying to find a way to capture people's login credentials to corporate resources that the person who setup the logger isn't authorized to access.


Location monitoring

With companies sometimes providing corporate phones, or if you use your personal phone, requiring that they load their hooks into it that give them administrative access to it, one of the most evil monitoring forms is 24/7 location monitoring.

Especially with personal mobile devices where many users are not aware of just how many companies market as a "feature" the ability to know where every person's personal phone is at all times and their location history.

It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all


Pen testers are not risk assessors

I've had to clean up the mess a pen tester left more than once. They create artificial flags that have nothing to do with the actual valuable data of the corporation, declaring complete success when they get to a resource that is relatively low value (not SOX, not the primary product of the company, not publicly available,...), often engage in dodgy business practices like stepping outside the confines of the test (e.g. engaging in the pen test before they're supposed to start), rarely emulate specific threat actors, often mixing techniques from one threat actor with methods used by other threat actors, completely ignorant of the actual risk profile of the organization, all in an effort to scare people to pay them more money.

In one case, the pen testers required me as a defender to actually not engage in normal defensive actions that were part of my everyday job, like blocking attackers detected through automated reports and systems. Often, pen testers are given these blank check views by requiring the security teams to temporarily disable key defensive systems, at least for the attackers' source IP block.

It's long past time to recognize that a pen test is not a replacement for an actual risk assessment that evaluates all types of risks, adversarial, structural, environmental and accidental. Management that I talk to is getting risk fatigue, where they start to see pen testers as chicken little, so the theoretical value of the pen tester, to shock management into paying attention to security, is having the opposite effect, blinding management to a more detailed and strategic view of where the security dollars can be most effectively spent to reduce the overall risk to the company.

Leave it to Beaver: Unity is long gone and you're on your GNOME


GUI is minor

The GUI changes may look big, but they're really a minor thing compared to the systemdos conversion that is rapidly approaching completion.

Gmail is secure. Netflix is secure. Together they're a phishing threat


Except to the RFCs which actually make clear that it is permitted to do such.


Re: Although...

Well, RFC 822 section 6.2.4 seems to disagree with you.


Re: "Google, however, has promoted it as a useful feature"



Unvalidated email is the problem

Why no one seems to be identifying the real source of risk, which is that Netflix allows you to use an email for contact and billing without verifying that the owner of that email address actually intended to do such a thing is beyond me.

Simply put, Netflix failed to perform due diligence on the account when it was created.

Official: Perl the most hated programming language, say devs


Perl is a tool

Because perl doesn't dictate that people *must* do things in one way or another, but embraces the notion of empowering the developer, I find people dislike it. Because it allows me to solve problems, I use it. It's also by far the best tool for the problems I'm solving.

Perl has another advantage. It's on every system I need to run my code on, unlike a consistent version of Python.

Also, I find I have a much easier time reading perl code six months later than I can python or ruby because the sigils tell me immediately what is being done. Yes, the very feature that some people hate allows me to much more readily re-read the code *months* after I last looked at it.

Survey: Tech workers are terrified they will be sacked for being too old


Employee when just starting, consultant when mature

What I've seen in Silicon Valley is that those who are younger tend to be employees of the various companies. When the person gets to have outside obligations such as family, they become consultants. So it isn't that those over 28 aren't working in IT. They're there. The younger generation comes in and makes the same mistakes that were made ten years ago. Then the consultants who have more than ten years experience step in and clean up, but charge consultant rates to do so.

Outside Silicon Valley, you're "too young to get a good rating" until you're at least 30.

Everyone loves programming in Python! You disagree? But it's the fastest growing, says Stack Overflow


Which airplanes flew back

Asking Stack Overflow which posts get tagged with which language is like looking at the airplanes that returned from battle in WWII to determine where more armor is needed. It looks at the wrong thing. SO is known as the place to get help with Python. If I'm looking for Perl help, I wouldn't go there, but a Perl forum. Similarly with a number of other languages.

In my career as a consultant, I go to new shops and have to ask what language I should be writing security and system admin scripts in. Thus far, I've never been *permitted* Python, because I was the only one who even began to know it, or it wasn't installed on the systems I needed to run code on. I've nearly always been allowed to use Perl because everyone knows it and it is consistently available on all systems. Those few times when Perl wasn't an option, POSIX awk + POSIX sh was the language pair I had to use.


Biting the hand that feeds IT © 1998–2020