Posts by Lotaresco

Unhearing government

I have been in the position of giving advice to UKGOV about the security implications of their interactions with the public. They even have copious documentation on the subject such as the 2012 Requirements for secure delivery of online public services. Although the focus there is more about how the government sets out to avoid being scammed by the public. Yet repeatedly when there's a "government initiative" they fall flat on their face and constantly try to engage the public in ways that look like phishing, smishing etc. I had an invitation to an InfoSec conference that I ignored because it had all the paw prints of spear phishing on it, sent from a non-UK hosted domain using a no-reply From: address, poor grammar and spelling, talked in vague and inaccurate terms about security, asked for advance registration through a poorly designed http-only site with a long questionnaire about personal details and also requests for the applicant to state their security clearance(s) and provide the details of a referee from a client.

It turned out to be genuine and from NCSC who had farmed the work of taking bookings out to a particularly clueless contractor.

The financial industry is better at providing contact details and extra information to verify that a communication is genuine. The Government Communications Service exists with the mission statement "Supporting ministers’ priorities, enabling effective operation of public services and improving people’s lives." Either it's not very good at its job or it's not consulted for these mass-communication efforts.

An annual problem

Long before SARS-CoV-2 raised its receptor sites above the parapet we had an annual "music festival" within hearing range of home. Admittedly that hearing range is six miles, but the noise is loud enough to prevent sleep. Which is no problem at all if you're attending, woo! We're not teenagers, we're adults and we can stay up to 4AM with banging choons, man! More of a problem if like most of the people in the rural area your working day starts at 5AM.

The great news is that thanks to the virus the event is cancelled.

SARS-CoV-2, I love you man, you're like rilly, rilly my best friend.

Wrong demand

She should be demanding that the app does not store and forward personal data. Not requesting better protection for that data once in government hands.

Oh well...

Cancels order for OnePlus phone.

A few years ago

I worked on a huge payroll system. We had a user who cost us a lot of time and money because he was phished with an Excel sheet that contained a macro virus. So security insisted on the introduction of code signing. Which was good. Within an hour an angry user appeared in my office screaming that I had "ruined" that weeks payroll run. I couldn't get much sense out of him so followed him to his desk where many excitable payroll people yelled at me, at lot.

It turned out that there was an issue with how the payroll system presented dates. To work around this the shouter-in-chief had designed his own Excel spreadsheet with a macro to change the date format and prepare a CSV file that was exported to the secure print system to print out the payslips. He'd then insisted that his minions use his spreadsheet. Only now it didn't work because his greyware had never been tested or approved by anyone and he sure as heck couldn't get his code signed.

I pointed out that it would take one of our DB people about, oh, fifteen seconds to change the database to display dates in the format they wanted and probably half a day maximum to get that through QA. But since it would be a trivial change that I could authorise the use of the code now and QA could follow on at their own pace. Not good enough for Mr Shouty. He wanted his code running *now* and wasn't prepared to accept that someone whose job it was to make changes could do a better job than him.

He took it to the CEO. I lost, in the worst way possible. I was told to revert to permitting unsigned macros to be run because that way Mr Shouty could continue to "Add value to the business" with his homebrew. I think they still use the cobbled together mess.

Home delivery

Unfortunately I'm trapped in the UK at the moment, and have been since the end of February. When I do finally get to go home to Italy the good news for me is that our local microbrewery swapped to a home delivery service. The brewery is run by a group of young people who constantly come up with new ideas and fortunately for me they are within staggering walking distance of home, even though we live way out in the sticks with the nearest house being about a 10 minute walk away.

M/Cr CDC Cyber 170-720

It was definitely overkill for the purpose, but I can remember playing Zork and other games on the Manchester CDC Cyber 170-720 supercomputer between 1981-1984. Years later I met (meatspace) the guy who ported many of the games to the Cyber, obviously done for this own amusement. We still keep in touch from time to time over various nertnet systems.

Taking the rap...

Two decades ago a customer decided to interrupt my holiday, insisting that I had fouled up their client's document storage system with "unauthorised changes". Since I had made no unauthorised change, I was sceptical. The manager in question tried to insist that I drop my holiday and return to the UK at my own expense and "fix the mess you made". I declined pointing out that I was 2,900 metres up a mountain and implying that I was bravely clinging to a cliff to answer the call at severe risk to my own life. I was actually enjoying the apres-ski in a nice warm bar but, I didn't actually lie about it, just a bit economical with the truth. I then removed the battery from my phone and didn't use the phone again until I got home.

At work the same manager shouted himself hoarse at me, insisting that I had failed, his company would sue me for every penny of the costs (etc.) I checked the system it was failing as the end client had observed. The search engine couldn't find several documents by keyword or content. I checked the source documents and superficially they looked OK, but the timestamps all dated from about two days after my holiday started and the metadata had all gone. Hence keyword search not working.

I looked carefully at one document that I knew well and found that the phrase "non-blocking inputs" that had been in the original was now "non-lo10cking inputs". All of the documents that I checked had similar errors. This was why some searches for body text were failing.

I found the manager and asked why the entire document set had been replaced with OCRed copies. He called me names and called me a liar and hen threatened to get me thrown off site with a "You'll never work again!" threat. I documented what I had seen and mailed copies of my report to him, his boss and the end client. The end client investigated and discovered that the manager in question had been "playing with the system" and had deleted all the originals with a classic rm -rf /docdir when what he intended to do was to delete the cache and free up some disk space. He'd then tried to restore from the R/W optical drive "backup" and had managed to overwrite that data with an empty directory by getting his arguments the wrong way round. Fortunately all logged by the system. He'd then forced his staff to work all weekend OCRing the paper copies to cover up his blunder but they had no time to fix the errors.

He was escorted from the premises, my contract was reinstated. Victory of a sort.

Work is a big M$ only shop and we cubicle dwellers tend to use M$ and Seattle Cowboys as terms for the company. Recently given their woes with security vulnerabilities they have become "GIF-prone". Although that's more descriptive than a name, as in "Yes we would use their products but not for secure work because they have been rather gif-prone of late."

Behind the curve

Generally it's safe to assume that by the time a politician starts to get the vague idea that a stable should really have some element of physical security that the horse will not only have bolted but will currently be charging along the Silk Road intending to be in Samarkand by evening.

So what about...

Greylists, they haven't mentioned those. Do I need to get a Zeta Reticulan to write a letter of complaint from Roswell?