* Posts by Alex Brett

137 publicly visible posts • joined 11 May 2007

BT Infinity ‘working to fix problem’ after three days of outages

Alex Brett

Re: Could be GCHQ that is playing up. Also, it's in Northern Ireland too

The claims that there were backdoors in the modem for DoD/NSA/GCHQ were thoroughly debunked - see http://www.revk.uk/2013/12/paraniod-ravings.html or http://www.ispreview.co.uk/index.php/2013/12/confusion-alleged-gchq-nsa-backdoor-bt-fttc-modems.html for details...

BYOD: don't let the dream turn into a nightmare

Alex Brett

Surely NAS is the answer?

No I don't mean storage, but a Network Access Server, which is where the 'network' (normally the switch in consultation with a backend service) decides whether to grant you access (normally put you on the right vlan) if you comply with the business requirements around AV etc...

Having said that, in a lot of cases peoples personal machines may be more secure than company laptops which have nothing more than default Windows firewall to protect them when off the network, and the user having no permissions to do anything more stringent...

NeoPost: This is how you DON'T do PIN security

Alex Brett

I'm not sure how the pricing compares (if it's more I don't see any reason for it since presumably the mail is handled in the same way within RM), but there's always Smart Stamp - couple it either with a decent label printer or a printer that can feed envelopes (not sure if such a thing exists?), and that's probably a lot simpler than most franking machines...

eBay slammed for daft post-hack password swap advice

Alex Brett

Shouldn't there be the obligatory reference to http://xkcd.com/936/ somewhere in this article?

Nominet bins Optical Express' appeal against 'It ruined my life' website

Alex Brett

It appears now; however, that is likely to be due to a number of news sites linking to it, which wouldn't otherwise have happened and thus not brought its page rank etc up so high...

AT&T and Netflix get into very public spat over net neutrality

Alex Brett

Re: There are plenty .......

Just don't follow the model used by Ofcom in the UK, whereby they accepted BT's proposal to split themselves into three parts (BT retail, BT wholesale, and BT Openreach, with the latter being the 'local loop' part), leading to a sort of corporate schizophrenia and now basically ends up with the different parts blaming each other when something goes wrong, and bouncing the fault backwards and forwards and not actually fixing it (and trying to charge the customer for the privilege with SFI2)...

Satisfy my scroll: El Reg gets claws on Windows 8.1 spring update

Alex Brett

Re: As if this will make people happy!

'WIMP GUIs have always been designed to provide neophytes a way to discover functionality for themselves and learn the keyboard shortcuts as they do so.' - can you explain then why with the Ribbon in Office MS have been actively discouraging the use of keyboard shortcuts?

Chinese Bitcoin exchange disappears, along with £2.5m

Alex Brett

Re: Backups ?

There's a small pub chain that will let you buy beer *directly* with bitcoins: http://www.individualpubs.co.uk/bitcoin.html

IT Pro confession: How I helped in the BIGGEST DDoS OF ALL TIME

Alex Brett

As I understand it this wasn't actually a DNS amplification attack as you described in the article, instead they were sending DNS requests with the source address spoofed to be the target, causing the DNS servers to send their response directly to the target. As the request is quite small it isn't too difficult to send lots of them, and by targeting the request appropriately you can get the response to be quite large, thus causing the DDOS.

This also means that often simply turning recursion off in BIND is not sufficient, as in the default configuration it will likely (depending on which version of BIND) still return the list of root servers as a referral instead of simply refusing the query. The list of root servers is quite a large response on its own, and thus can be used in this attack.

The magic line you need to add is "additional-from-cache no;" - this will stop that behaviour.

Brit firm PinPlus flogs another password 'n' PIN killer

Alex Brett

Possible attack?

They seem to be claiming that from the grid and the entered code you can't work out the pattern - this is true if the grid is a suitably randomised set of numbers with numbers occurring multiple times in different places etc, however surely all a MITM attacker needs to do to get the pattern is display a grid with numbers set up such that you can identify which ones were selected (with 10 digits and the grid the size they suggest you'd need to do this 2-3 times, but that's probably not a big deal), and then you have the pattern...

Space Shuttle Columbia disaster remembered 10 years on

Alex Brett

Re: Killed by numeric overflow?

I think what he was referring to was the way the same overpressure wave which damaged the TPS also caused a body flap to be deflected beyond the point where damage would have been expected...

Alex Brett

As I understand it they were wearing pressure suits, so they would presumably have survived the decompression of the cabin at least for a short period?

RIPE NCC handing out last European IPv4 addresses

Alex Brett

Sadly the ISPs are looking at CGN

Unfortunately the ISPs see the answer as Carrier Grade NAT (CGN) - while for a fairly large proportion of their customers this will likely work (most *commonly used* protocols don't require you to have a public IP, the only notable exception that comes to mind is BitTorrent, but I'm sure ISPs won't mind causing their users problems there!), the big thing they're missing is that it won't be long before we start having services that are IPv6 only (as the providers can't get any IPv4 addressing for them), at which point CGN doesn't help...

NASA’s new lander CRASHES AND BURNS

Alex Brett

Re: Speaking of Armstrong

While I'm not denying the Apollo astronauts were very brave to take on such a lot of risk etc, it is worth mentioning that the LLTV was always going to be much more unstable than the real lunar lander, as it was operating in an environment with 6 times the force of gravity than the LEM was going to operate in, so having to bail out of it was unlikely to add any significant worry over the real thing...

Vixie warns: DNS Changer ‘blackouts’ inevitable

Alex Brett

Do it gradually?

Surely the solution here for any competent ISP is to gradually block subsets of customers from accessing these DNS servers in stages, and handle the support calls over time rather than waiting for them all to get blocked in one go and have a deluge of phone calls to deal with...

BT blows fibre into 'multiple biz units' for first time

Alex Brett

How does this differ from their other fibre products?

How does FTTP differ from any other BT product involving fibre installed to the premises (such as WES/BES), other than it's presumably a bit cheaper?

Xbox 360 video cable boasts NOISE VIRUS protection

Alex Brett

Snake oil

They're not a patch on Russ Andrews - they've had several ASA judgements against them (e.g. http://www.theregister.co.uk/2011/01/13/russ_accessories/), with no sign of stopping (just tweaking the wording of their claims so they can't be proved wrong)...

Pub landlady's footie sat-TV battle moves law's goal posts

Alex Brett

It's like with DVDs...

The thing is I suspect a lot of people don't want the logos / anthems / graphics etc anyway - it's like with a DVD / Blu-ray how when you put it in you have to watch (as they make them unskippable) a load of anti-copyright messages (and in some cases trailers), followed by a useless menu all to actually start playing the film. This is vs a pirated film, whereas they tend to only pull the movie, you stick it in and it plays - why does the pirate get a better user experience than someone who has paid for the film?

I was pleasantly surprised by the Blu-ray of Die Hard 4, as although from memory it did have the copyright notices, after that it actually did just start the movie, with the menus etc all available as overlays. I wish more films were like that...

Duff Russian Mars probe spotted flying in reverse

Alex Brett

Is it not possible that due to lack of thrusters etc to maintain an orbital rate rotation such that it was facing the same direction from Earth's PoV it's just gone into a mostly inertial attitude (i.e. 50% of the orbit it will appear to be facing the 'correct' way, 50% of the orbit it won't)?

Verizon retreats on ‘convenience fee’ for online bill payment

Alex Brett

While I agree they're annoying there is at least a reason for them - with a 'booking fee' the entirety of it goes straight to the venue, whereas if they just increased the ticket price the increase would normally be split with the film (or the producing company in the case of theatre), so to make the same amount they would have to increase the ticket price significantly more (hence it's actually better for you in the long run)...

US Senator demands answers from Carrier IQ

Alex Brett

We don't know it's actually *logging* anything

All the video shows is that it is receiving events when keypresses are made etc - there's no evidence from the video that it is actually logging and/or transmitting any of these on. It might simply be that in order to get the events it reasonably needs for diagnosing issues it has to get *everything* and then ignore the things it doesn't.

On the other hand, it could of course be logging all of this which would be bad, but compare it to for example an AV application on a PC, which does intercept a lot of things to check for viruses, but is not syphoning off any of that data etc...

Telcos snub UK.gov broadband cash pot

Alex Brett

Fibre

One of the biggest issues with laying any sort of fibre network is the fact that fibre optic cables in the ground are subject to (believe it or not) business rates, though on a very strange scale (it gets significantly cheaper per fibre the more you have, such that it presents a big barrier to entry for new players who will only have a few).

Combined with the fact that because BT apparently don't know how much fibre they have, they have a deal worked out with the valuations office, that (from 2010 figures) means their bill comes to £255m, but if worked out (very approximately) on the distance rules everybody else pays should be over £1bn...

Adventures in Tech: Taking the plunge into IPv6

Alex Brett

OK taking each point in turn:

- Privacy extensions (on by default in Windows and some other OSs) negate this as the machine rotates IPv6 addresses regularly

- The *prefix* is tied to the ISP yes, but by using router advertisement should the prefix change the only change needed is on the router and then everything else should just work (note that in most cases the router will handle it automatically)

- OK I'll give you this one, writing IPs is much harder, however needing to use IPs is becoming much rarer now

- In a consumer / SME environment you would expect IPv6 devices to ship with a ruleset that is secure by default, and require some sort of 'advanced' mode to remove the 'block inbound unless related to outbound' rule that makes it do the equivalent of a typical IPv4 NAT device

Cops find hackers' phone in NOTW office

Alex Brett

Might not be a mobile

If the hacking was as has been widely reported by setting the caller ID to be the mobile you wanted to hack and dialling the voicemail access number, then I doubt this is a mobile, but most likely a phone on its own ISDN or similar set up to allow it to specify caller ID...

Provider: Anti-piracy ruling has 'killed Usenet'

Alex Brett

Surely at worst this kills binaries on usenet?

I would have thought that at the worst case this would kill putting binaries on usenet, not usenet entirely, since surely the simplest solution is to just strip all binaries from posts?

End of UK local dialling in sight as numbers run out

Alex Brett

All sounds good in theory...

...until you realise that a lot of Communication Providers (CPs) who offer local numbering have to have a block in every area code, and given restrictions due to the traditional telco's equipment not being able to cope with smaller, some of these blocks are 10,000 numbers big. This means that for a provider with the smallest possible block in every area code they end up having an annual bill of £400,000 (if they were to charge for every area code, which I'm sure will be the next step).

If they charged based on numbers actually in use, or only charged if the provider couldn't cope with a smaller block (i.e. give the companies whose equipment needs updating a financial incentive to do so) then it might be OK, but as is it's just going to put smaller CPs out of business...

Virgin Media to beef up mobile-data backhaul

Alex Brett

Don't they use them already?

I thought they used them already in some places, I've certainly had problems where both my Virgin Media cable broadband has failed, and I've not been able to pass any data on my Three 3G stick, so I had always assumed there was some shared backhaul somewhere (I live very close to a mast)...

Dell's faulty PC legal woes worsen (again)

Alex Brett

Experienced this at a previous job

I was doing an internship in the IT dept for a UK software company a good few years ago now - we had a large batch of GX270s and I think we had a Dell engineer out on average once or twice a week to replace a motherboard - we even had a couple of 'loan' machines we'd swap out with users' desktops when they failed.

The really tedious thing was we couldn't get Dell to agree to just replace all of them in one go, or leave us with a stock of motherboards and instructions on how to replace them ourselves, so every time one failed we had to call up the support team (in India on a very bad quality line of course), and explain to them that yes it's the same issue we've reported on n other boxes. It was amusing what they sent the engineer out with sometimes - he'd turn up with a new PSU despite the fact we had made perfectly clear it was faulty capacitors on the motherboard!

NotW accused of hacking Milly Dowler's voicemail

Alex Brett

Name and shame?

That's a bit worrying - care to name and shame the operator so people know who to avoid?

Alex Brett

Caller ID spoofing

My understanding is the way they got in is by spoofing the caller ID to be the mobile number, which with an appropriate connection into the telephone network is quite trivial (though normally against contract terms, and possibly against Ofcom rules). Getting such a connection is not particularly expensive or difficult...

The voicemail systems then naively trusted this caller ID, and so believed the call was coming from the mobile itself, so let it in without asking for a PIN.

This has since been rectified by most (all?) operators so it now actually checks if the call originated from the network in addition to having the right caller ID...

Aussie retailer accuses UK shops of HDMI 'scam'

Alex Brett

no, there are cables that meet the spec, and cables that don't...

With a digital standard such as HDMI, a cable will either meet the specification, and pass through the data with a suitably low error rate that it can do the required level (e.g. 1080p), or not - once it meets the spec, it can't get any better.

Show me a proper double-blind study of sufficient size to prove otherwise and I'll happily eat my £5 HDMI cable...

Virgin Media blames Activision for Call of Duty lag problems

Alex Brett

QoS might help

Part of the problem is if your upstream is saturated, then the decisions the cable modem makes about what to drop are often braindead, and leads to some of these issues.

By putting in place appropriate QoS at the router level that means what leaves your router is capped to the level of the upstream link, you can make sure you prioritise interactive things such as games, VoIP etc at the highest level, TCP ACKs at the next, and everything else (so large downloads, web browsing etc) at the lowest - when I did this on my connection everything suddenly became a lot better!

Cops raid man whose Wi-Fi was used to download child porn

Alex Brett

IPv6 to the rescue?

Interestingly this is an area where IPv6 will actually help to prove your innocence - because you don't use NAT, and each machine has a unique address, it's easy to show that it wasn't your PCs that accessed the material, as the server will see the unique address, not a random single IPv4 address that only identifies the connection.

Of course, there's nothing to stop the clever person from changing the IPv6 address they use when accessing dodgy things, but it should make it easier to clear people who obviously wouldn't know how to do that...

Fujitsu promises rural UK 1Gbit/s - if it gets 'fair deal' from BT

Alex Brett

Re: BT

"We do look forward to Virgin confirming that they will open their infrastructure to enable all companies to have the opportunity to invest in a new fibre future."

Virgin didn't have most of their infrastructure (at least the ducts etc) put in at public expense, so they are under no obligation to open their infrastructure if they don't want to, unlike BT who inherited most of their network from the GPO...

Red Dwarf to blast off on new adventure

Alex Brett

Please not as much CGI as the specials

The thing that most annoyed me about the specials was the CGI used to create Red Dwarf - it was ridiculous as everything looked far too 'shiny' compared to the sets in the previous series, not at all what you'd expect given the cleaning is supposedly down to the crew and the scutters!

UK mobile punters get swift network switcheroo ability

Alex Brett

Re: ACQ/CDB Call Routing

The UK does indeed still use onward/indirect routing, and not ACQ, for both fixed and mobile numbers, thus calls are still routed via the donor network. Ofcom rescinded its mandate that they move to ACQ after Vodafone (supported by some of the other MNOs) appealed to the Competition Appeal Tribunal (CAT) claiming that Ofcom's cost benefit analysis didn't prove the need for change. CAT agreed with Vodafone, and thus in November 2008 Ofcom set aside its previous statement and removed the obligations...

They have managed to get mobile porting to happen relatively simply (call up get a PAC from losing provider, give it to gaining provider), and other than issues like this it seems to work OK, but for fixed line it's even worse - the gaining provider has to send a Letter of Authority signed by the customer to the losing provider, who can reject it for one of about 52 different reasons (some seemingly stupid), and then takes about 1-2 weeks to happen!

Alex Brett

Three and cancelling

It took me 3 attempts to get them to cancel a 30 day rolling contract on a data SIM where I didn't even want a PAC etc - they do just keep going round in circles, and on I think 2 of the calls I just got fed up and hung up - finally got it sorted by submitting a complaint which got someone to call me...

GCHQ commits schoolboy security blunder

Alex Brett

Re: voicemail

I can't remember where I read this so not 100% sure if it's right, but I believe a lot of the tabloid voicemail hacking was possible not due to guessing the PIN, but due to stupidity in mobile operators' systems.

AIUI the issue is that they trusted caller ID coming from other networks, hence whoever did it simply got a phone line where they could set the caller ID to whatever they wanted (which is difficult in the UK, and almost certainly against the terms of whoever provided the connection, but not impossible), set it to present the mobile number they were trying to hack, then dialled the operator's voicemail system - as it thought it was a call straight from the phone it let them in without any PIN checking.

I believe the issue has now been fixed on all the major operators, so they no longer trust caller ID from outside their network in this way...

CPS: We won't prosecute over BT/Phorm secret trials

Alex Brett

Funds

If he needs funds to appeal it / get a judicial review etc, then I'm happy to make a modest donation (as I suspect many other people would be)...

Stop sexing up IT and give Civil Servants Macs, says gov tech boss

Alex Brett

Open source

The beeb article also has some mentions around open source:

He insisted the government was committed to using more "open source" software to save cash - but had to balance this with concerns about how easily it could be "hacked".

I'm confused as to the logic of that statement - if they'd said something about usability concerns sure, there's an argument to be made there (not saying I necessarily agree with it, but there is contention), however to say that we can't use open source because it's easily hacked is ridiculous...

Spooks' secret TEMPEST-busting tech reinvented by US student

Alex Brett

Easy solution

Surely the easiest solution is just build your faraday cage or whatever in two layers with an air gap between them. Obviously you'd need to have a few supports to keep everything structural, but make those of a material very different to steel (and one very poor at conducting ultrasound) and you're sorted?

IPv6 intro creates spam-filtering nightmare

Alex Brett

Have they not heard of aggregation?

Surely you just filter the entire /64 the person is spamming from, best practice is for each unique customer to get their own /64, so that shouldn't cause any issues with one customer causing problems for others.

You can then quite easily do a bit of checking and if you build up a large number of /64s you block the containing e.g. /48 or whatever. Given I've just come up with this in about a minute, you'd expect the anti-spam companies to have already sorted it given they've had since 1998 to do so!
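The /64-then-/48 aggregation the comment sketches, written out as an added example (not code from the comment's author or from any anti-spam product) using Python's standard `ipaddress` module. The spam source addresses are constructed from the 2001:db8::/32 documentation prefix, and the threshold of three misbehaving /64s before the containing /48 is blocked is an assumed tuning value:

```python
import ipaddress
from collections import defaultdict

# Constructed sample of IPv6 source addresses seen sending spam
# (documentation prefix 2001:db8::/32; not real data).
SAMPLE_SPAM_SOURCES = [
    "2001:db8:1:1::10",                  # customer /64 2001:db8:1:1::/64
    "2001:db8:1:1::11",                  # same /64, rotated host address
    "2001:db8:1:1:1234:5678:9abc:def0",  # same /64 again
    "2001:db8:2:7::1",                   # a lone /64 in another /48
    "2001:db8:3:1::5",                   # three distinct /64s under
    "2001:db8:3:2::5",                   # 2001:db8:3::/48: enough to
    "2001:db8:3:3::5",                   # block the whole /48
]


def customer_prefix(addr, length=64):
    """Widen a host address to its /64 (one /64 per customer is the
    best practice the comment assumes, so a /64 is the blocking unit)."""
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def aggregate_blocks(addresses, per_customer=64, containing=48, threshold=3):
    """Return the networks to block for a set of spamming addresses.

    Every address is widened to its /64.  When `threshold` (assumed: 3)
    or more distinct /64s under one /48 are spamming, the /48 is blocked
    instead of listing each /64; otherwise the individual /64s are kept.
    """
    per_containing = defaultdict(set)
    for a in addresses:
        p64 = customer_prefix(a, per_customer)
        p48 = ipaddress.ip_network(f"{a}/{containing}", strict=False)
        per_containing[p48].add(p64)

    blocked = []
    for p48, p64s in per_containing.items():
        if len(p64s) >= threshold:
            blocked.append(p48)          # escalate to the containing /48
        else:
            blocked.extend(p64s)         # block only the offending /64s
    return sorted(blocked, key=lambda n: (int(n.network_address), n.prefixlen))


def is_blocked(addr, blocked):
    """True if `addr` falls inside any blocked network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocked)


if __name__ == "__main__":
    blocklist = aggregate_blocks(SAMPLE_SPAM_SOURCES)
    for net in blocklist:
        print(net)
    # A previously unseen host in an escalated /48 is rejected, while a
    # neighbouring customer /64 that never spammed is left alone.
    print(is_blocked("2001:db8:3:9::1", blocklist))
    print(is_blocked("2001:db8:1:2::1", blocklist))
```

Because the unit is the /64 rather than the individual address, rotating privacy-extension addresses inside a customer's allocation gains the spammer nothing, and because the escalation only happens when several distinct /64s under one /48 misbehave, a single bad customer does not take its neighbours down with it.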

Boffins devise 'cyberweapon' to take down internet

Alex Brett

Re: seriously?

Well, firstly it's route flap damping not dampening (you're not making them wet!), but I think you could probably get round that by ensuring the time between the link going down and up was enough not to trigger the damping logic - plus it's my understanding that a lot of ASs only implement RFD on external links, so if you hit the 'right' link within an AS you could still cause lots of issues...

Small biz calls for end date on enhanced 17.5% VAT

Alex Brett

Re: >only affects small business?

Assuming you're VAT registered, then it all depends on who your customers are. If you are a B2B supplier, then your customers are likely VAT registered anyway, and hence the change only makes a cashflow difference to them, as they're going to claim the VAT they've paid back anyway, thus not a big deal - no change to your profit margins as you claim back the increased VAT from your suppliers etc.

For a B2C supplier, or if you supply very small businesses that aren't VAT registered themselves, then it's more tricky as at that point your customers likely care about the 'including VAT' price rather than the excluding, so your goods will have just become ~2.1% more expensive to them, unless you swallow the rise in which case your profit margin decreases obviously.

If you're not VAT registered at all then your costs will likely have increased ~2.1%, so you have to decide whether to pass that on etc, and at that point it can have an effect on your profit margin. Note that most fixed costs like energy bills etc are either not VATable at all, or charged at the reduced rate which is unchanged at 5%, so there is little change there.

Skype's mega-FAIL: exec cops to cause

Alex Brett

Re: Where did they get 1000s of Mega supernodes at zero notice?

It's unlikely they 'promoted' lots of 'ordinary customer peers', as it isn't something you choose when you sign up to Skype whether you become a supernode or not, it's done based on the type and quality of your connectivity, so if you fire up Skype on a very good internet connection (no NAT, lots of bandwidth etc) you'll almost certainly become a supernode and start handling directory info and routing other people's phone calls...

I suspect they got these thousands of 'mega supernodes' from somewhere like Amazon EC2, or other cloud providers - with something like that once you've set up one image firing up thousands of copies of it is trivial, it's not like they had to set each one up manually.

Government to examine public procurement practices

Alex Brett

One easy fix...

...they could make is to instruct public sector purchasing teams not to put "must have experience of supplying product/service X to the public sector", and just have "must have experience of supplying product/service X" in their tenders - that would open up the market significantly rather than limiting it to the ~3 big public sector suppliers!

Ofcom mulls popular number charge

Alex Brett

Number blocks

The issue is the system the UK uses for number routing - communication providers (CPs) get allocated a 1000-number block, and other CPs then send any calls for that block to the particular CP. Aside from the number wastage problem, it also makes porting difficult - we have to use a system called onward routing which means the CP who 'owns' the number block (the donor CP) forwards calls to a ported number on to the CP who now has that number. Porting a number that has already been ported then gets even more complicated as you can imagine!

Internationally the UK is actually held up as an example of how not to do it - if (like most countries now) we had a central database then porting gets much simpler (just update the relevant DB entry), and you no longer have to issue 1000 number blocks - you can do much smaller allocations (even down to single numbers) without problems. CPs can also return numbers they no longer need. It even has the benefit that you can specify multiple ways to connect a call, so a VoIP provider calling another VoIP provider's number can keep it pure VoIP rather than having to go via the PSTN.

Unfortunately, it's the large carriers like BT who will likely be against this, as it would end up quite expensive for them to adapt all their systems to do this central lookup rather than onward routing, and have very little benefit for them. Being the large carriers, they have a lot of influence with Ofcom etc, so it's likely nothing is going to happen in the short term...

Facebook account-protection push opts for scare tactics

Alex Brett

Re: I saw this...

> But what's the harm of telling them the name of the first bird I ever snogged?

They might suggest to her that she add you as a friend?

BT blasts hundreds of would-be customers' data into Infinity

Alex Brett

Re: Awesome

Given the comment about 'recalling' it, it looks like they might understand Outlook, I think claiming they understand email is giving them perhaps a bit too much credit...

UK gov could not procure its way out of a paper bag

Alex Brett

Tenders

The worst thing is even the opportunities that public sector organisations do put out to 'open' tender, they normally stipulate such strict absolute requirements (e.g. must have been in business x million years, must have provided similar services to at least x other public sector organisations etc) that they basically preselect who can tender as very few companies properly meet their requirements, despite many companies being able to offer a decent service at a fraction of the price they pay the 'big boys'.

I realise they need to ensure some amount of stability (you don't want to go through the hassle of setting up a 3 year contract for the supplier to then go bust the next day) and need to get proof the supplier knows what they're doing, but the way they do it at the moment with such strict requirements is just wrong...