Posts by big_D

Re: Good to see it's still in development

At my last employer, an open source security company, they used that and Claws.

It is starting to feel a bit dated and needs a little more love, but it is still a solid program.

Re: It's not "browsing" anymore..

@zapgadget I've never known Firefox or Chrome refuse to connect. They'll throw up a warning any you'll need to add an exception, but they will normally then let you through...

I've set up hundreds of https devices on internal networks over the years (2 QNAPs and a couple of printers just yesterday) and I've never had problems with self-signed certs.

Re: It's not "browsing" anymore..

Yes, you can use https on any address and most corporate devices these days use https.

If your business is big enough, you will have your own trusted issuing authority set up, so you can issue certs for your internal devices, that your corporate devices will accept as valid.

But you need to put work into it, so only larger businesses with dedicated IT staff will bother.

Most CMS systems, like WordPress, now have automated scripts for putting in certs from letsencrypt, for example. This makes it relatively easy to update.

Re: Why tabs?

@Geoff Campbell but then is the point where I don't want them in tabs, I want to read one window whilst working on another...

Re: Why tabs?

Theoretically, you can "group together" a bunch of related applications or application "windows" in one window. They act just like tabs in a browser, so you can switch between Word, Excel, browser, Notepad etc. Why you would want to do that is anybody's guess.

I would say, that the Cyrillic name on the Cyrillic version of .eu and the Latin version of the Cyrillic name under the .eu domain.

As to the European ä â°a etc. being in the "Latin" .eu domain, that only makes sense, those letters are additions to the English Latin alphabet and they still use e and u, therefore it would be .eu anyway. Greek is harder to defend.

If there is a Cyrillic version of the .eu domain structure, it make sense to push the Cyrillic names there.

For me, it looks like a logical move. At first glance, the only people who should be really upset are scammers using a mix of Cyrillic and Latin to dupe people into visiting "fake" sites.

Re: Rubbish in, rubbish out...

When I hear Dutch people talking, it always sounds like every other word is either English or German. I can usually understand what they are saying, but I can't speak Dutch.

Re: Rubbish in, rubbish out...

Also, I always hear people praising Google Translate, MS Translate and various other tools and services, but they are all doing English <-> Spanish or English <-> French, with a bit of Chinese thrown in for luck.

All of them make a horrible pig's ear of English <-> German.

Re: Hmmm

Google doesn't even need spelling mistakes, or it didn't used to.

English -> German is very dodgy with Google.

(NOTE: The following example now works, because I uploaded the correct translations a couple of years back)

I had to do a quick translation of a handbook I'd written in English into German. I thought I could save a little time and use Google Translate to get the rough text translated and just tidy it up...

The problem is, Google Translate has real problems with formal English. Abbreviated English is fine, but formal caused it to ignore the negatives:

"Do not open the case, high voltage inside" -> "Das Gehäuse öffnen, Starkstrom drinnen"

"Don't open the case, high voltage inside" -> "Das Gehäuse nicht öffnen, Startstrom drinnen"

Or even funnier:

"Do not open the case, no user serviceable parts inside" -> Das Gehäuse öffnen, nicht drinnen"

(Open the case, nothing inside)

There was nothing with the spelling mistakes, just it would ignore certain words, like "not", although why "no user serviceable parts inside" translates to "nothing inside" is anyone's guess.

Re: One in twenty users?

Mine is still on Lion, as that is the last version that supports the hardware... But it spends most of its time in Windows these days, as Windows still gets support.

Re: Well the big difference is...

@Christian the German Government won't protect you from themselves! :-D

The courts have twice told them that the Bundestrojaner is illegal... But they are trying to push through yet another law to allow them to use such technology (I believe Bayern / Bavaria has already "legalised" it, although there is still the opportunity to bring that before the Constitutional Court AFAIK).

Re: But...

They got into trouble in Germany as well, because they marked the "Bundestrojaner" (State Trojan, a program used by the BND and police to infiltrate PCs of suspects) as malware, which didn't go down well in political circles.

Re: Define Dangerous Please

There are plenty of regulations out there that define what dangerous is.

The certification for sale of most types of good (food, electrical, clothing, children's toys etc.) ensure that the products have been legally declared safe (CE mark, for example).

But a lot of clothing and toys still get through that are either toxic or downright dangerous (kids' cuddly toys that have stiff wires in them that can poke through and cause injury or the use of lead base paints, for example).

Re: Dangerous?

Things like the helmets would not be legal for sale on the sites, because they don't carry the EU certification. This has always been a problem, long before Internet sales. The same helmet is available with or without the ECU mark. The one with is legal in Europe, the one without is a grey import and is illegal, because it doesn't contain the right certification. The problem is, the average copper on the street can't tell the difference between a certified Shoei or Arai and a fake, so he has to go by the certification mark (even if it is faked), so a US DOT approved one is illegal...

Anything electrical without a CE certification, for example. Products for children that have been tested and proven to contain toxic substances or metal spikes (last year in Germany several cuddly toys were removed from sale because they were either toxic, poorly manufactured (heads came off and babies could ingest the foam) or were stiffened with metal wires that could cause injury).

Clothing or upholstery that isn't fire retardent (and tested) to EU standards would be another area.

IoT dolls have also been removed, because they break EU privacy laws (know security weaknesses that allow hackers to listen in on the kids or speak directly to them). A kids watch was also removed out of privacy grounds, because parents could listen in on the kids when they were at school, this broke the pirvacy of other children and of the teachers. The parent would need to get the written permission of everybody the kid came in contact with, before they could evesdrop on the kid.

Re: If ARM is so good

Longer battery life? I spent 2 days working offsite and didn't need to recharge my Lenovo L480. When I was finished with 2 working days, there was still around 20% battery life.

Given that I could have charged the laptop in the office or in the hotel (it was new and I wanted to see how long the battery would last), I doubt many people really need 20+ hour battery life on a daily basis or go on trips that mean they are so long without access to a power socket - and if they are, then it will probably mean that they need power for a lot longer than an ARM laptop would provide.

I'm guessing that most users are either no longer than 2 days without power or they are weeks or months without power. I would think that there are relatively few use cases that fall between the two scenarios.

Re: Have a cup of WINE

ATMs generally use a very locked down version of Windows Emedded.

There are equivalent Embedded Linuxes, but they don't generally support WINE, as they are as pared back as possible to reduce their exposure. So you would need to add the packages manually and maintain them manually.

Re: Question?

Support for the last release of XP Embedded runs out in January 2019.

AFAIK, most ATMs use the Embedded version of XP, which, if it is using the 2009 service update is supported through January 2019. If it is using XP Embedded SP3, it was supported until January 2016 and Point of Sale version to April 2016.

Still not good, I just wanted to clarify.

Re: SCADA systems running windows

I don't even want to think what 80-year-old SCADA code might look like.

Where I live is famous for its red cloth. The local museum has several working looms, including an original Jaquard Loom, which they run off several metres of cloth every year during guided tours of the place. Very interesting.

Re: Company selling security consultancy find security flaws shocker

My experience so far is that security is still often an afterthought. The other problem is, a lot of the IoT stuff is tacked onto existing hardware, which has often been in the production for over a decade, so it is irrelevant, whether the next generation hardware has some security baked in, the majority of industrial systems are unprotected by design.

I agree, however, that the wording from Godfrey is a little misleading, there is certainly some work going on in this area, but you only have to look at the **** that is coming out today in cars, for example, where they are online, but the CANBUS is still pretty much unprotected! Industrial PLCs aren't much better, in my experience.

But their attack requires local access. Physical security is as important as cyber security in these situations. If you can just walk in and install a box on a critical infrastructure, cyber security is the least of your woirries

We don't know what their remit was. And getting through the firewall and hacking a PC on the network isn't that hard, but might have been outside the remit for the case in question, which would have made it illegal try such a scenario.

It is also not a "local" attack, which means on the device(s) in question, it was an attack within the network, so internal but not local.

And the industrial networks tend to be very fragile. I worked for a company producing vulnderability scanners and they had extra documentation and modes for scanning SCADA and PLC networks, so that you don't bring them crashing down during an initial scan. Their systems started in a "light touch" mode and gradually worked up. It was also recommended that the customer make a replica of their production environment to test on, before scanning the real thing.

Re: Pay more, get less

This has been standard practice for decades.

Back in the old Technet CD days, when there were only 10s of thousands of reported issues, you go to see them and there was a report on whether the issue was being addressed or not.

Some bugs have littlle or no security impact. For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody, but require, say, a few hundred man hours to fix. That isn't something that they will want to fix, as long as no other method is found to escalate the bug to a higher priority. If somebody has physical access to the machine, they probably don't need the exploit anyway. This would then be looked at, as to whether it will be fixed in a future version, because it isn't urgent and there are better things to spend time on, for example, remote execution and drive-by exploits that are serious and likely to be actively exploited.

If MS had an infinite number of developers and infinite money, they could fix every bug. But with finite resources, you need to use the resources where it matters most.

They are just setting out the parameters they use to determine which problems are important enough to fix immediatly, in the near term, in the long term or never so that researchers can understand how the reporting system works - and whether they are likely to get a bug bounty for their work.