Posts by Ken Hagan

Re: Dear Leader

I think "Dear Leader" is now "Dead Leader". The current incumbent goes by the moniker "Fatty Kim", at least on Chinese social media.

Re: Naive Question

"The bigger issue for things like medical equipment is probably the drivers."

Possibly. I don't recall seeing a "Medical" device type in Device Manager. There may be some medical devices that ship with a bespoke "interface card", particularly the really old ones that were built for DOS, but I would hope that the majority of devices written in the last couple of decades communicate with more sane options like RS232 (now carried over USB and supported by every OS on the planet) or an ethernet cable (similarly universal).

It might take time to validate any new configuration, so that you can tick the box labelled "Doesn't kill the patient", but I doubt whether device support is the blocking issue for that XP->whatever roll-out.

I agree. If your reduced to using the timezone as "evidence" then you scraped your way through the bottom of the barrel a long time ago. A more plausible conspiracy theory is that the NSA have just noticed that most of the world's XP systems are in countries they don't like and later systems can be protected if MS can be persuaded to put out a patch two months before the attack. (If you want a soundbite, they've weaponised Microsoft's update policy.)

But a vastly more plausible theory still is that some normal crook decided to strap a ransomware payload on the back of a new exploit they found on the interwebs. There are *far* more crooks than there are nation states, so the odds are *always* in favour of the mundane explanation.

Re: Rogue One ...

I doubt it. Since this has become a long comment thread, let me re-iterate a point that someone else made further up. If you are the NSA and intending to use this against a particular target, you want a kill switch that you can register once you've hit that target, to stop your weapon becoming any more public than it needs to.

Also, to answer another query from further up ("why include a kill-switch when you can't register it without disclosing your identity"), if you are the NSA and you register a garbage domain name, no-one is going to know why or try to arrest you even if they do.

It is a little odd that someone adapting this software to a very different purpose, requiring as large a target as possible, chose to leave the kill-switch in (and in the clear). Perhaps they didn't understand the code they were using.

Re: Hunt to blame for NHS attack

"MS does still support, if you pay..."

Not sure about that. The original offer was $200 for the first year and $400 for the second and $800 for the third, per seat. That third year ended a few weeks ago. I've not seen any mention of a fourth year, at any price, to anyone.

Refs:

(2017) https://www.theregister.co.uk/2017/03/17/microsoft_to_kill_windows_vista_april_11/

(2014) https://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss

Re: Amazing you can leave the SMB port open

"Also, one questions why file sharing is necessary in these days of web and other fat client based apps."

File sharing is a client-server app. The end-user-facing client is a file browser rather than a web browser. Some programs (particularly older ones) are designed to speak http, others are designed to speak to the "local" file system. Re-writing all those programs to fetch their data over http would merely expose them to a different set of holes.

Re: And we'd sure appreciate it if you could stop clicking on attachments

"stage one of Really Good Security: you have left your ego at the door."

Stage two is to persuade all of your user base to leave their egos at the door, too. In an organisation as large as the NHS, stuffed (er, staffed) with doctors and surgeons for whom self-confidence may actually be a job requirement (who here feels brave enough to knock a person out to within a gnat's breath of death, then stick a knife into them and cut out some of what you find?), I fear that stage two may actually be impossible.

Re: You are missing the point

"They now are not going to get any money."

Too right. It would be fair to assume that most of the world's major intelligence agencies (particularly the Russian one, which isn't noted for its light touch against Enemies of the State) are now waiting for someone to try to pick up the cash. If there's anyone with balls big enough to march in and claim it, we'd probably be able to feel their gravitational field.

Re: I'm in Texas

Perhaps they felt that providing a map, with state boundaries and fuzziness in affected areas, made it unnecessary to expend the proverbial thousand words on a more detailed list. (Just as you didn't explicitly say that you were an O365 user.)

Re: Numpties.

"Remind me again why I should trust a company with centralized control of my data"

You should trust them because the penalty clauses in the contract make it really bad for them if you suffer any kind of outage and so they'll make every conceivable effort to deliver. Just like any other kind of service or product that you buy in from outside, in other words. Businesses have been doing this for years and I really don't see what the fuss is about.

Obviously it would be bonkers if you didn't have any such clauses in the contract ...

"Instead of the 7-Zip installer, how about a full PC benchmark suite?"

Prediction: Not only will MS not do that, they will write words in the EULA which try to stop anyone else doing that and publishing the results, like they did with .NET. (I don't know if that language is still there, but the first few versions were certainly "If you benchmark the software then you will get MS's permission before publishing the results." type of thing.)

I assume that such clauses are unenforceable, but IANAL, as they say.

Modern software philosophy

I'd dispute "modern" and "philosophy". I have been watching people complain on the internet about the low quality of "modern" software for the last 25 years. It both puzzles and amuses me.

It has always been the case that software written for cash has taken the business-like approach of asking "how much will this bug cost to find (let alone fix) and how much will it cost to leave it in". You test until finding new bugs becomes unacceptably costly and you hope that the bugs left in will be relatively low impact as a result.

All commercial anything has used this approach since forever. It's basic economics. Happily, we can use equally basic economics to conclude that if you negotiate penalty clauses for bugs, you can increase the incentive to find and fix them before release. Since most shrink-wrap EULAs go out of their way to say "this software is not fit for anything" I think you can probably guess where the bar lies by default!

Re: Long flight

Except that this shuttle is the payload rather than the vehicle and being able to launch the same payload twice is hardly rocket science.

The launch vehicle is a distinctly non-reusable rocket. There are no re-usable spacecraft and existing propulsion technology provides no means to build any such.

Re: it is unlikely that it carries any weapons... cough... cough...

"The energy released by whacking something with 15kg at 18km/s collision velocity is roughly equivalent to a kiloton of TNT."

Actually, Google says 1 kiloton is 4TJ, and I think the KE of 15kg at 18000m/s is about a thousandth of that. This makes sense, because it was several hundred tons of chemical energy that put the payload up there in the first place, so it is reasonable that it would have a ton or so equivalent of KE once it is up there.

But you don't need the ion gun. Just let a small lump of payload hang out of the side of your satellite and "encounter" the target on a non-glancing trajectory. The relative velocity will provide plenty of destructive power and you can blame it on space-junk.

Re: Transparency...

"All I'm asking is why people think that that cannot be logged and output - ie why the AI cannot explain how it arrived at an outcome."

That log would be perfectly easy to generate. However, it would take you weeks (or more) to read it and you would be none the wiser at the end of the experience as to why the computer had said "no".

Put another way, the computer does not have a reason, it merely has a very long calculation. Many moons ago, its designer discovered that the result of the calculation was fairly well-correlated with his or her own prejudices, at least on a test data set, and that designer therefore decided to use it as a substitute for making the decision themselves.

As long as everyone understands that it is a mere corrrelation on a mere test dataset and is being used as a substitute for an equally (but differently) flawed process of human judgement, there isn't a problem.

Re: strcmp

Possibly because some well-meaning-twat in the compiler division wrote a non-standard "deprecated" attribute into the string.h header file and so any attempt to use strcmp() is now rewarded with a compiler warning whereas using a less-safe-but-more-obscure function compiles cleanly.

Actually, strike that. Almost certainly because of the above.

Re: Probably best to not have IP6 enabled on an server Intel box or have it in DMZ!

"Yet another reason why NAT a firewall is still important and exposing stuff via IP6 any non-firewalled network protocol you care to mention is maybe not so smart!"

FTFY, as they say.

Re: So, just another day in the office...?

"We now reap what we sow and we are utterly unprepared for it"

Speak for yourself. We have sown "openness" and most of the population is so prepared for it that they'd almost given up hope that it might eventually happen.

These leaks all have the effect that politicians can't do one thing in private and another in public. Worse, for the politicians, the fact that some of the leaked material later turns out to be false doesn't nullify the damage because people just get into the habit of using the leaks as a list of leads that have to be followed until they are independently confirmed or denied.

That, incidentally, is why you should ignore anything that is "leaked" just before an election (like this). A leaker who is trying to push a lie will leak some lies in amongst a lot of truth and do it at the last minute so that no-one has time to check.

Re: Removing the driver doesn't affect the vulnerability

@DougS: Properly configured, Intel don't leave back-doors in their CPUs. Clearly we don't live in a properly configured world.

Re: Organisation - Barclay's

The bank is named after James Barclay, so your snark is mis-placed.

Re: Facebook doesn't have to provide free speech

The whole question of responsibility probably needs to be addressed.

If I make an abusive telephone call, the phone company is not liable but (I think) they are obliged to help the police figure out who I am if the recipient makes a complaint. (Even if they aren't obliged, they'd probably reckon it was lousy PR not to, since the connection records are there.) However, a phone line is one-to-one and the scope for abuse of such "user generated content" is limited.

Likewise, I could post abuse through snail mail (and people *have* posted anthrax and explosives). Again, however, it is hard to make a habit of this without the police eventually catching up with you.

As a social pariah, I would be better off abusing the internet, where one good troll can reach millions with almost complete anonymity. Here also, the intermediary is (apparently) not liable, but also (apparently) needn't have any measures in place to help track down the culprit. (Yeah, you can close the account, but I can open another one the next day and carry on.)

I'd argue that this has seriously upset the historic balance between the rights of individuals to say stuff and the rights of other individuals to ignore it. The current situation appears to allow internet companies to make money out of anti-social behaviour. That can't last.

If the last 20 years of political threats are anything to go by, internet companies should not presume that their business models are protected by natural law. We will continue to have politicians suggesting solutions that they have dreamt up until we (in the technically literate community) come up EITHER with technical solutions of our own OR with sufficiently detailed audit trails that the existing legal deterrents are once again effective.