* Posts by Crazy Operations Guy

2513 publicly visible posts • joined 29 Jun 2009

Plod wants your PC? Brick it with a USB stick BEFORE they probe it

Crazy Operations Guy

Split Key

On my machines, I only know half of the key for the file server; the other half was set by my lawyer (he lives down the hall from me in my building). I also fix some of his systems, and as such, I have a couple of disks with highly-sensitive information on them (I have all the proper NDAs and contracts set up to allow me to possess such things). So in order for the police to get at my data, they'll need to get a warrant for me and a subpoena for the lawyer; in addition, they'd have to get a third party involved to ensure that the evidence they are gathering doesn't violate the rights of my lawyer's other clients. Any wrong step by the police and the full weight of the ACLU and several other lawyers will come crashing down on them.

The volume locks on reboot and it just so happens that the power cord for the file server is under my desk, where it can 'accidentally' get tangled up around my foot and pulled out when I get up to go answer the door when the police come knocking...

I do have the advantage of not having done anything the police would want to come talk to me about, but I'm not going to give up my data without them going through the proper channels and making sure they've dotted every 'i' and crossed every 't'.

Crazy Operations Guy

Re: Automatic bricking...

I use a collection of weird / extreme pornography for that purpose. Since even the UK bans that stuff, it gives more than plausible deniability; it also gives a reason for acting nervous when the customs folk poke around my electronics. The most trouble I've gotten into by doing such stuff was that I was forced to delete the data before being able to proceed into the country.

HP wag has last laugh at US prez wannabe with carlyfiorina.org snatch

Crazy Operations Guy

After 2005, I noticed a dramatic change in quality of HP servers

After 2005 I stopped buying HP boxes; the quality of the ProLiant series went right into the crapper after the lay-offs. They became a colossal pain in the ass to maintain and broke more often. My local Dell sales guy loved me afterwards (I much prefer a privately-traded company over a publicly traded one, since they're more focused on long-term growth than on getting rich quickly like all these "activist investors" that are plaguing the stock market).

'Rombertik' malware kills host computers if you attempt a cure

Crazy Operations Guy

Re: Goodie

I'm surprised they haven't just scrapped OS-X altogether and replaced it with a bloated version of iOS...

Zuck'ed up: Facebook opens up free internet in India – but bans HTTPS

Crazy Operations Guy

Re: Worst of both worlds

Umm, the 90's were more than 15 years ago...

Crazy Operations Guy

Re: but, but, but, ...

And that it requires JavaScript...

Ubuntu to shutter year-old clock unlock bug

Crazy Operations Guy

"I don't see a way for an attacker,..."

Just because you don't see it doesn't mean that there isn't something waiting to bite you in the ass... Blasé attitudes towards security are why I abandoned Linux some time ago in favor of BSD.

Google Password Alert could be foiled with just 7 lines of JavaScript

Crazy Operations Guy

Re: How did they fix it?

Normally extensions are restricted to a specific DOM, but this is Google; they can do whatever the hell they want, since Chrome trusts Google code enough to run outside of the sandbox.

Crazy Operations Guy

Re: Stop using the web!

Meh, Gopher is just a bastardized version of UUCP...

Wordpress munching contagion turns Linux servers into spam bots

Crazy Operations Guy

Targeting platforms not OSes

I'm assuming that this exploit is targeting PHP rather than Linux or BSD. I think this is the future of server-based malware; it's easier to just write an exploit for a badly-made plug-in and leverage a powerful language rather than trying to install binaries on the machine layer. With the wide range of plug-ins available for PHP, it's not surprising to see it exploited in this way, since it can remain undetected for some time as it isn't creating any suspicious processes and can hide in the massive tangle of PHP files that things like WordPress are made of.

*The same thing can be said of any other similar-enough language: ASP, .net, node.js, Ruby-on-Rails, Python, etc.

Snapdragon 810 chip doesn't overheat, jilted Qualcomm sniffs at LG

Crazy Operations Guy

I think phones might be getting a bit over-powered

8-core, DDR4 memory, and 64-128 GB of SSD... These things are boasting more resources than my 3-year-old luggable workstation. Seems that phones are going with the model "don't bother optimizing code because the hardware will make up for it" that has been plaguing desktops for the past few years.

SECRET PROTOTYPE iPAD 'stolen from RANDY Apple employee'

Crazy Operations Guy

Re: Legalise Prostitution

"But also $7500 CASH?"

I'm assuming that a lot of that was intended for "Services to be Rendered", but that's an awful lot for a prostitute off of a self-produced ad rather than from an agency... If you're planning on spending that kind of cash, there are more than a few agencies that will cater to pretty much any desire and properly vet both client and 'service provider'.

Google officially doubles EU lobbying – but true figure is surely higher

Crazy Operations Guy

Re: Do no evil

You mean like the nameless "Rogue admin" when it was obviously the fault of whoever architected the network and policies, or just bad procedure.

Crazy Operations Guy

"privacy in a report marked “Who Has Your Back”"

Depends on who they mean by "Your"...

MAYHEM in ORBIT: Russian cargo pod spins OUT OF CONTROL

Crazy Operations Guy

Re: Plan "M"

Jack Ripper was the base commander, you're thinking of Major 'King' Kong.

Jeez, AT&T. Billing a pensioner $24,000 for dialup is pretty low

Crazy Operations Guy

Retrovirus is already a thing... it's a virus that infects a host cell and replaces the host's DNA with its own RNA.

Fondleslab deaths grounded ALL of American Airlines' 737s

Crazy Operations Guy

Why not both?

35 lbs is nothing when you consider the variability of passengers' weight... Even fresh-off-the-line 787s come with two sets of instruments: the glass cockpit systems and a mechanical altimeter, compass, and air-speed gauge.

FT and Guardian eagerly grab Google's 30 pieces of silver

Crazy Operations Guy

I don't mind them scraping articles

But what I'm afraid of is Google scraping all of a news agency's articles EXCEPT the ones critical of Google.

I'm afraid that Google will, like it did with search, become so dominant that people don't even view another source of news, which would allow Google to censor anything they wanted in order to control public opinion.

Tencent introduces slimmed-down wristjob TOS to swollen market

Crazy Operations Guy

Low-level access?

So either they suck at writing proper APIs / HALs or they purposely did it so that the Powers-that-be can make sure that you aren't betraying the People...

Crazy Operations Guy

Re: What about Atari?

If Cisco didn't sue Apple over the name IOS, then I highly doubt that the Atari estate would even lift a finger.

Eco-loons hack Thirty Meter Telescope website to help the 'natives'

Crazy Operations Guy

Re: Environment or profit?

If you consider a long enough timeline, there is no such thing as "Natives", just people who got there first.

Crazy Operations Guy

Re: Green scientists

Good to know. In that case, I've known a lot of scientists to see the lack of foliage as a challenge and start working on getting something to grow there in their spare time. The research would be invaluable, in addition to the oxygen it produces and the stabilizing effect it has on the ground.

Crazy Operations Guy

And they are celebrating because...?

The people running the project aren't going to stop just because a website was hacked. A lookup of where the site is hosted shows that it's running on Cal-Tech web servers, and it's a simple information-only type website, so there is nothing on it of value to the opposition that isn't publicly available anyway.

If this attack was done for the purpose of cutting off support for the project, it wouldn't do anything anyway, as this is one of the issues where people aren't going to change positions (and, in fact, it only causes them to dig in deeper).

Crazy Operations Guy

Green scientists

I've always found that, on the whole, scientists tend to be a lot more environmentally-conscious than your average citizen and may very well provide more benefit to the land than just letting nature have at it. Not only that, but scientists come with a lot of disposable income ready to be spent at local shops. Besides, the telescope would make a pretty good argument to restrict further construction in the future.

'Use 1 capital' password prompts make them too predictable – study

Crazy Operations Guy

Re: Anyone?

Wouldn't do a damn thing against most attacks. Digging through my logs, a lot of attacks will try the same password but cycle the username (the password hash is the same). Then the attack switches to a different password and goes through the username list again. All an attacker would have to do is increase the number of usernames tried so that the cycle becomes 10 seconds long. And that is assuming that the attack has a short list of names; even trying 1000 names at 10ms apiece would mean that the attacker doesn't even notice a thing.
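The spray pattern this post describes (one password, rotating usernames) never trips a per-account failure counter, so the useful check is per source address: how many distinct accounts did one address fail against in a short window. Added example, not the commenter's code; the sshd-style log lines, the 10-minute window and the threshold of 5 accounts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd syslog style (not taken from the post's logs).
# 203.0.113.5 cycles six usernames with one password; 198.51.100.7 is one user
# mistyping their own password twice before succeeding.
SAMPLE_LOG = """\
Apr 20 10:00:00 host sshd[101]: Failed password for invalid user alice from 203.0.113.5 port 5001 ssh2
Apr 20 10:00:00 host sshd[101]: Failed password for invalid user bob from 203.0.113.5 port 5002 ssh2
Apr 20 10:00:01 host sshd[101]: Failed password for invalid user carol from 203.0.113.5 port 5003 ssh2
Apr 20 10:00:01 host sshd[101]: Failed password for invalid user dave from 203.0.113.5 port 5004 ssh2
Apr 20 10:00:02 host sshd[101]: Failed password for invalid user erin from 203.0.113.5 port 5005 ssh2
Apr 20 10:00:02 host sshd[101]: Failed password for invalid user frank from 203.0.113.5 port 5006 ssh2
Apr 20 10:00:30 host sshd[102]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Apr 20 10:00:35 host sshd[102]: Failed password for alice from 198.51.100.7 port 6002 ssh2
Apr 20 10:00:40 host sshd[102]: Accepted password for alice from 198.51.100.7 port 6003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2015):
    """Yield (timestamp, source_ip, username) for every failed-login line.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: distinct_usernames} for every source that failed
    against at least min_users different accounts inside one sliding window.
    Counting distinct accounts per source, not failures per account, is what
    catches the username-cycling pattern."""
    per_ip = defaultdict(list)
    for ts, ip, user in sorted(parse_failures(log_text)):
        per_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in per_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = max(len(users), hits.get(ip, 0))
    return hits


if __name__ == "__main__":
    for ip, n in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {n} distinct accounts")
```

Lowering the per-account lockout threshold would not change the result for 203.0.113.5, which never fails the same account twice; the per-source count is what flags it.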

Crazy Operations Guy

Re: Password generators

Even typing a 10KB string shouldn't be a problem either. A hash should just work on a string no matter its size or even its contents. I should be able to use an executable as a password. I suppose the issue is memory exhaustion for the hashing process, but RAM is cheap nowadays anyway, so even if the hasher requires 1 MB per session, you could still support 10s of thousands of users on a modern web server.

Crazy Operations Guy

Re: VbV

What is even worse is when you get the password wrong and they lock your card. Had that happen to me while booking a last minute ticket out of Ukraine last year. Passwords are pretty hard to type on a smartphone with such a ridiculous password policy when you're in the back of a cab that is red-lining the engine and blowing every stoplight...

Crazy Operations Guy

Re: Case sensitivity

Like Sprint and their case-sensitive usernames and passwords shorter than 15 characters with no punctuation. Screams "client-built SQL query"...

Crazy Operations Guy

My previous company requires passwords in the form of 5 letters, a special character, then 3 numbers. This was caused by some ancient mainframe system and a home-brewed password encryption system. The company's name has 5 characters in it, and people tend to increment the last three digits each time they reset their password... I discovered my old boss's password, it was just Sunil&### with ### being which cycle, started at 001 then was incremented to 002 and so forth....

And these are the people that are designing your phones, running your cloud systems and in case of one division, guiding your airplanes.

My new company requires a minimum of a 16 character password and requires white space. The employee manual actually has a whole guide on pass phrases and recommends that people use sentences and phrases like:

" Chapter 5 starts with 'But alas, he was alone!' "

or

"This book cost me $19.99."

But overall, it recommends using sentences like that, which you would logically write on a piece of paper or type several times a day, to defeat people finding it by snooping around or even using a keylogger. For a while my password was "Where is the 10:30 meeting today?"; a reasonable reminder (not that I needed one) could have been a Post-it with just "10:30 meeting" written on it and no one would be the wiser.

Console makers game the EU Commission to avoid energy-use law

Crazy Operations Guy

Re: Just wondering...

So power companies can be lazy and continue operating old, inefficient, and pollution-belching plants rather than upgrade to cleaner, and much safer, modern plants.

MASSIVE FAIL: Indian gov DOXXES net neutrality campaigners

Crazy Operations Guy

Self-causing DDoS?

I'd think that it isn't so much a DDoS attack as it's just a bunch of people trying to grab the data and overloading the servers in the process. From my experience with government websites, I'd think that they were built around the concept that very few people actually read up on government affairs (politicians, law school students, journalists, and other sad-sacks that got saddled with reading through records of government proceedings...)

Google exec and avid climber dies on Mount Everest

Crazy Operations Guy

Re: we are working to get them home quickly

A Gulfstream G-650 or a Bombardier Global Express could make it from Mountain View to Nepal without refueling, and with Google using JPL as a private hangar, clearance is much easier than flying out of a commercial airfield. And I'm sure that Nepal would give them priority clearance if they are coming in with a load of relief supplies, doctors, and other necessities.

Perhaps Nepal should just hold all foreigners until their host nations send aid, or the crisis is over...

Infosec bods can now sniff out the NSA's Quantum Insert hacks

Crazy Operations Guy

Re: I'm sorry...

You think legislators actually write laws? That is so cute... Nearly every bill in the legislature was written by a third party and handed to the legislator for them to present to the floor.

They wouldn't need to pass a law for this anyway, they just need a judge to say that something like this would be violating some already-existing, broadly-written law (Like saying that this would be considered interfering with a police investigation akin to ratting out undercover agents)

Boffins laser print flexible transistors

Crazy Operations Guy

Would be nice for rapid prototyping

Could be useful for printing entire chips on it to test them out at low speed before trying to cut some wafers. Maybe we could start seeing some small start-ups building new architectures to get rid of x86...

Lapider les corneilles! French Patriot Act faces growing opposition

Crazy Operations Guy

Re: Helping the terrorists win

Indeed. I would actually feel safer if we reverted to pre-9/11 levels of security. A little awareness goes a long way; invasive searches and body-scanners don't do a thing.

I would much rather money was spent to properly train TSA agents on how to spot someone suspicious than machines that can't even detect if someone had taped several pounds of C4 to their body in a way that made it look like fat...

Crazy Operations Guy

Helping the terrorists win

The terrorists want us scared and the government does nothing to quell those fears. Quite the opposite, in fact, as they seem to be constantly pumping up the threat of terrorism to restrict our civil liberties and freedoms. And how much we obsess over such acts of terrorism makes it an attractive option for these terrorists in the first place (no one is going to blow themselves up if it means that they only get a small article in a local paper, but they certainly will if it means that their sacrifice gets 24/7 coverage for many years to come).

So in a sense, these governments are aiding and abetting terrorism.

Ad-blocking is LEGAL: German court says Ja to browser filters

Crazy Operations Guy

"allow their ads to pass through its filter software. "

Simple: uncheck the box "allow unobtrusive ads" on the filter list. Order restored.

JavaScript CPU cache snooper tells crooks EVERYTHING you do online

Crazy Operations Guy

Re: whats the problem?

"slowing stuff down"

Or just chop off the LSB on the high-resolution timers. Cut off two or more for safety. Maybe set the actual resolution to be tied to how trusted the site is.

Crazy Operations Guy

I use an ad-blocker but make up for it by buying swag in the store.

Crazy Operations Guy

Re: Disable JavaScript?

Unfortunately, most websites require 3rd party JavaScript to not look like a pile of mess...

Crazy Operations Guy

Virtual Machines for security

This generation's "You can't hack me, I'm behind a NAT!".

In fact it's becoming dangerous to rely on VMs to protect you now that a decent percentage of malware is VM-aware (28% on the last report I read), with a few pieces here and there that even attack VMs specifically.

UN: E-waste's 42 million tonnes represents 'valuable' (and ‘toxic’) urban mine

Crazy Operations Guy

"The US and China between them discarded nearly one-third of the world’s total e-waste."

Well, I'd think that has more to do with those two countries containing just over a quarter of the world's population and a vast majority of the world's industry than anything else... A more interesting number might be the amount of trash produced per capita in relation to other countries, with corrections made for industrial waste produced for an item ultimately consumed in another country (so the figure for a television thrown away in Sweden includes the waste that item created when it was produced in China, so that a country wouldn't skew the results because it doesn't produce anything).

ID yourself or get NOTHING (except Framework), snarls Metasploit

Crazy Operations Guy

Possible loopholes

Would these rules apply to a US company / organization that writes and distributes their code from outside the US? What about getting the encryption code from a third party?

What would stop a company from shipping crappy encryption in the box but then having the software just pull the appropriate libraries from a server in Canada, Sweden, Vietnam, etc?

But what I've always wondered was why there are security companies still operating out of the US. With the NSA screwing things up and congress enacting crazy laws like this, I have to wonder why anyone would bother researching security in the 'states anymore... With the level of globalization in the western world (and large swathes of the east), there isn't much to differentiate countries anymore aside from what the legal landscape looks like and what language they speak (Although there are a lot of English-speaking communities to live amongst until the local language can be learned)

The data centre design that lets you cool down – and save electrons

Crazy Operations Guy

"tall buildings all sucking up electrons"

It's OK, it's AC power, so they aren't holding on to it for too long.

Twitter direct message INVASION: How to stop EVERYONE spaffing into your DMs

Crazy Operations Guy

I've been following that advice since I first heard of Twitter

And as such I don't have to deal with spam from them (Or what passes for content on that site). I've never seen an advantage to Twitter over just subscribing to the RSS feeds of the websites I care about. It'd be useless for posting my view on anything anyway as I write in complete thoughts, so anything that I'd post to Twitter would be links to my personal blog, which has an RSS option already.

Google broke own security with April fool gag

Crazy Operations Guy

Redirecting through an IFrame?

And they didn't sanitize inputs or do anything to prevent abuse... that is amateur hour right there. Every day I come so close to just adding a new rule onto my proxy to block anything that contains an IFrame no matter its source.

BLAM! Valve slams brakes on Steam flimflam with $5 spam scram plan

Crazy Operations Guy

Three-part scam

Scammers buy credit cards on an underground forum, use them to buy a specific game and either rate it highly or badly (maybe even do this to disseminate a malicious mod for a game), and then use those accounts to spread the scam further. Then they can take the credit card details of those they've scammed and start the cycle anew...

Remember SeaMicro? Red-ink-soaked AMD dumps it overboard

Crazy Operations Guy

Hope this isn't going to sink the Seattle chips.

I'm quite looking forward to getting my mitts on some of those. Especially if we can get them in high-density servers similar to HP's Moonshot boxes or SuperMicro's Micro-blade. A couple of cores, dual 10 Gig networking built in and a healthy number of SATA ports; I can see quite a few applications for them.

The problem with SeaMicro was that they were trying to cram a bunch of chips into a single box and operate under a single OS, and there are very few reasons you'd need that. Even HPC applications don't need that many cores in a single box, and in many cases are more efficient in a bunch of discrete boxes anyway.

LA schools want multi-million Apple refund after kids hack iPads

Crazy Operations Guy

Re: Why not something reasonable like a Kindle?

"But how will you lock down the kindles to stop the little darlings..."

What would you lock down?

The internal browser sucks for pretty much anything a child would be interested in wasting time on. And if you are concerned by the books they have access to, just restrict them to a specific set of sites to download them (Or just cut out the ability to pay for anything so they'd be stuck with getting books from the school's and the public libraries).

That is the beauty of the Kindle: it does just a single task and very little else, so there is very little that needs to be controlled or locked down. This also greatly reduces the motivation to root the things, since there is very little reward in doing so.

Crazy Operations Guy

Re: Why not something reasonable like a Kindle?

Yeah, the interactive part would be nice and I would love to see them. My point was that they should take nice, small steps towards that goal, and just digitizing the book would do wonders (it would at least reduce the load children have to carry to something that doesn't weigh as much as they do). Being too ambitious with something like this just leads to flushing $2.3 billion down the drain on a device that will be obsolete in a few years...