Posts by Paul Crawford

Re: What the Chinese did with it?

Maybe Snowden's documents were the source, or maybe this mega-hack. Who is to say the UK has not been popped (or was sharing with the US which clearly has been)?

If I were Russia/China it would make sense to say it was Snowden to disguise being in on this hack, for example.

Similarly if I were the USA/UK it would make sense to use Snowden as a stool pigeon to try and deflect public anger from the piss-poor security in place and/or the lack of appreciation of what such a massive database of all security-checked staff could mean when leaked.

Re: Dear US of A

"the night janiter plops a rasberry computer with a wireless modem"

If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work.

Also if they take security seriously they would put all the crappy never-patched network things like printers, web cameras, etc, on a separate VLAN/IP range (and without external access in the sad case they are not air-gapped) so their behaviour can be seen more clearly by intrusion monitoring systems, etc, and they can be blocked from initiating any connection to the "good range" machines (i.e. they only react to a print command and don't get to broadcast or probe the PCs).

A more likely physical attach is to plug 'evil USB' devices in to unguarded machines. OK those systems should also be locked down so USB is not on autorun on anything like it, but that may not be enough if they have a zero-day exploit for the lower level USB hardware/stack used. In the nation-state with insider doing dirty work case that is, of course, possible.

Either way, it is much much harder to exploit a network not on-line, as exfiltrating the data needs some sort of access (USB or similar again) and there is a high risk of the person getting caught if the sysadmins have some regular checking of system logs for device attachment, etc, happening.

Re: There's more to this than identiry theft....

The sad thing in this train wreck was seen to be coming for a long time, as you have:

1) Gov collecting data on its people like a fetishist

2) Gov cutting IT budgets and not holding anyone personally responsible, with power, to do anything about it.

3) Putting stuff on or connected to external networks because its cheaper/easier/more productive that way.

4) Software / OS being so complex and hole-ridden with developers all running after "shiny and new" instead of simple and reliable.

5) Other nations realising 1-4 and the gains to be had from popping said data.

The USA may not be the first, but it sure as hell won't be the last nation to have its dirty laundry sent to China (or Russia, Israel, etc, etc)

Re: Let me guesss...

"Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the syadamin"

For most corporate networks they should have all user-writeable space set to no-execute via Windows ACLs. Apart from software developers or sysadmins, who need to execute software that is not already installed in the proper (read-only) system locations?

Re: NTP isn't that much better

NTP is better than Windows SNTP by many order of magnitude

A typical Windows installation (thinking desktop here) has, by default, a time set once per week - so can be out by minutes at times. Even if you set the frequency to once per hour (registry setting) you are lucky to get better than 1 second.

NTP on a WAN typically give you accuracies of 10ms or better (so around 100 times improvement)

NTP on a LAN with decent time servers (e.g. machine with very good hardware clock or local GPS) gives you accuracies of the order of 0.1ms or better, so around 10k times better.

Often the question programmers should be asking is why am I using time, and is that actually the best way of determining order and sequence?

Re: Obviously the sensible solution would be...

No, the UNIX time_t follows UTC and so is not able to perform correct time duration calculations over the leap-second period as there are discontinuities at those points.

Real "Root of the problem"

A more general problem with programmers is they use "clock time" as a substitute for "order of events".

This works well if all events are being recorded with consistent time stamps, say for conditional compilation on a local machine where you can check if the .o file in one location is older then your .c file in another, or when you pressed the "build" button in the GUI, etc.

Things break due to time faults: such as the same conditional process on a network file system where the time stamp of some files is due to the servers' clock, and others locally are from the client's clock which is different, or the file system's time resolution (e.g. 2 seconds on FAT32 as a worst case) is now greater than the interval between steps, etc.

Then we get in to all sorts of debates abut keeping leap seconds to work around dumb programming. But really what the programmers & software architects should be asking is down to the ACID database situation - how do you guarantee correct order of events in a process if the local clocks are not fully in sync?

Re: Root of the problem

Time-obsessives have two things:

1) Atomic time, which is precise and monotonic (the spherical cow).

2) Human/civil/UTC time that follows the Earth's rotation (upon which our concept of time and units were based). And there are differing degrees of the (look up UT1 & UT2 if you want to know more). This is your real cow, and equivalent choice of Frisian, Aberdeen Angus, etc...

NTP handles leap seconds in the "correct way" as far as it is defined, in that it makes UTC follow its defined values. The problem in the more general sense is you have two concepts of time, you have:

(1) The UTC/Civil definition of days being 24 hours, of 60 minutes of 60 seconds always, along with a formulae for dates that make up the Gregorian calendar (lets keep quiet for now about other calendars).

(2) You also want for various reasons staying in approximate synchronisation with the solar time - i.e. that at, say, 0 longitude the 12:00 local is, on a yearly average, the time the sun is overhead.

Now the second is define these days with extreme precision, but the Earth's rotation is variable and, worst of all, not quite predictable due to stuff moving around inside as well as tidal friction, etc.

The correct way to do all of this, of course, already is known and implemented in some systems that really matter, and that is to have you clock keeping "atomic" time that has no discontinuities, and then to apply a leap-second correction to get "civil" time. See:

http://en.wikipedia.org/wiki/International_Atomic_Time

That is exactly how the GPS satellites do it, and their own GPS time was in sync with UTC in 1980 and is now 16 seconds different.

What is a problem for more software when it comes down to second "accuracy" is the most computer libraries are based on (1) and:

a) They don't quite know how to deal with the 59-second or 61-second minutes that happen when you get a second removed/added.

b) Also to perform the conversion to/from atomic time you need the offset values and as they have to be updated as the Earth's motion is observed, so it is hard to do correctly on anything stand-alone. You then would need internet access and the security problem that brings, and the grief caused when in a few years some web developer stupidly change URLs of important data for no obvious reason when tarting up sites.

Finally, there is a project (which I have not checked/tried yet) to give you a local NTP "fluid time Wednesday" effect here:

https://support.ntp.org/bin/view/Dev/LeapSecondTest

Re: "c language, the most important enabler of cyber war"

Fail!

The correct statement is "stopping the use of cheap crap programmers who don't understand what they are doing and fail to apply best practice when coding and the multitude of tools that already exist to help"

If you are really looking for a scape-goat for info sec woes, how about Office and VB plugins?

"What does DHCP have to do with HTTP/HTTPS?"

Don't certificates sign for a given IP address? What if that changes?

"Also, you do a dis-service to systems admins/engineers by repeatedly writing that only developers can manage redirects and handling the nuances of making SSL work"

OK so who patches old expensive colour A3 laser printers to add SSL support? Have you seen much sign of software patching/upgrades even for new/recent printers?

Re: If selling certificates becomes like selling domains...

"they'll still prevent man-in-the-middle alteration"

If world & dog just ignores dodgy or revoked certs (like Google do in Chrome) when so many stink and/or change for no good reason, then what is to stop an ISP doing a proxy with some self-signed cert for everywhere?

Re: ^ This ^

Yes, like the shitty business of defaulting to US Legal paper size on every update on *NIX platforms. That bug has also been open for more than a decade. Maybe a small amount of time fixing stuff would bring more happiness to users than pointless dicking around with GUIs and pushing policies out that break things?

Vaccines have considerably less of a down-side that not being able to access old sites and local printers, router config pages, etc.

Re: Destroying Firefox from within

Forgot to mention network printers - how many of them support https? And how well is that going to work with DHCP?

Re: Report contains several factual errors

I doubt very much that data retention has helped stop terrorist attacks, etc, in spite of all that Gov around the world claim as the justification.

However, I can see some use for normal policing of being able to access recent data (maybe several weeks as the Germans appear to be proposing). For example if someone goes missing in suspicious circumstance to find the last place their mobile was seen at, etc, or if someone is accused of committing a crime in a given location/time window.

The real issue most folk have about data retention is (a) the time-scale and what long term hoarding that means for digging dirt on those who fall out of favour, and (b) access by world+dog in government on the slightest pretence, and (c) feature-creep when it becomes useful for something else that is profitable, etc.

So personally I don't have a problem of short-term retention of several weeks and all access being by a properly justified court order.

Out of curiosity (and really not trolling here) can you point to an example of the agreement so other commentards can judge?