Posts by Marcel

Yes, it's hard, but...

It's a chicken and egg problem.

Setting up TCP/IP stack used to be hard...

Setting up Linux with Apache and MySql used to be hard...

Setting up SSL/TLS on your website used to be hard...

Setting up DNSSEC is hard NOW, but as it matures, knowledge and tooling will improve and it will not be hard anymore and we will reap the benefits.

Just about everything in the world depends on DNS and it should be secure.

Laws

Also, having laws that prosecute people because something is "grossly offensive or of an indecent, obscene or menacing" is asking for trouble. It is very subjective and easily abused to prosecute basically anyone at any time.

The sad thing is that these laws are often the result of citizens calling on the government to "do something" about something they don't like or don't understand (and can't be bothered to). For politicians it's a cheap way to please voters and get elected next time. Too bad such laws are often the basis for totalitarian regimes.

Metric please

That 2¼ is kilometers, right? RIGHT?!?! No? Okay, maybe it's not mathematically incorrect, but at least it's mathematically stupid. Fix it.

Doesn't matter

If you need CCleaner it means you already have malware on your pc. Isn't removing malware with virus scanners and anti-malware software not just cleaning up after the fact? And is the problem not your OS/browser/behaviour?

Most politicians, like most citizens, who are not tech savvy, don't understand how useless such laws are in catching terrorists. Meanwhile, they hurt everyone by making us all more vulnerable by putting all of us under surveillance.

The good news is that a non-profit group of lawyers, the Public Interest Litigation Project (https://pilpnjcm.nl/en/), is already planning to fight this law in court.

Shoot the messenger?

Either the police is dumb and think IP-address is proof owner did it (common mistake). Or they are not so dumb, and want to send a message to those pesky folks making anonymity possible by running a Tor node.

By the way, according to https://meduza.io/en/feature/2017/04/10/mathematics-teacher-accused-of-inciting-mass-riots-now-also-accused-of-supporting-terrorism-and-once-again-detained this guy "is a “very law-abiding person” and will not even cross the street unless there was a crosswalk.", according to his mom.

Easy to avoid

Cybercriminals could:

- use IP-addresses instead of domain names (which they already do)

- use other people's computers (which they already do)

So basically it will not work, while creating yet another secret real-time website blacklist.

Own fault

IPv6 development started 20 years ago or something. That was for a reason. If we started migrating to IPv6 10 years ago, IPv4 address scarcity would be a non-problem. Oh well, human nature...

BTW: theregister.co.uk --> IPv4-only

Clueless

First I read this: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

And now this article. Is it me or are LEAs completely clueless?

Trend Micro fail

Trend Micro probably relies on unencrypted HTTP connection to spy on your internet connection to detect malware. Until now, TLS encrypted connection were used for well-known non-bad sites and could be disregarded by virus scanners. Now that TLS is available for the masses everything gets encrypted, including bad things and Trend Micro can't easily check it anymore.

The malware problem is not a problem that has anything to do with Let's Encrypt. It has to do with webservers being easily hacked, badly secured advertising networks, DNS policies, leaky browsers, unpatched Windows machines, etc.

Let's keep on encrypting people.

More interested in certificates

I'd love to see https://letsencrypt.org/ give away free certs later this year. Certificates are a much bigger scam than domains.

There are alternatives

Create your own all-in-one: get a Gigabyte Brix with Core i5, put in 8 GB RAM, a 500 MB HD (or SSD), a nice looking 24" IPS screen. Hook the Brix on the back of the screen and you have an upgradeable all-in-one for about 700 euro (much cheaper even if you go for a Core i3 or Celeron).

Human rights are non-negotiable

So the USA starts by granting all non-Americans no rights at all. Then when we complain, by the grace of God, they grant us *some* human rights in exchange for collboration with their unethical behaviour. F**k you, Eric holder and your soon to implode land of the free.

People in Iran should download Tor while they still can.

Linux please

I love Chromebooks, except for the OS.

Anyway, isn't a Chromebook without Chrome not a Netbook, the sort of laptops that were doomed (according to the Intel et al)? Innovation By Sticker™

Better solution

First he wanted to double the number to sys admins to make it more secure. Now he wants to get rid of 90% of them. I guess someone whispered in his ear that is would be cheaper.

Well, I have a even better solution: why don't you decrease your world-wide data vacuuming by 90% (and actually do what your agency is supposed to do). This has several advantages:

- cuts costs

- you don't break the law

- 90% less chance less of leaks

- you don't piss every on Earth off so much

Install updates

It's beyond me why companies involved in top secret research and military don't update software that is used throughout all of their offices and has vulnerabilities that are rated "critical" or "severe" and contain words like "remote code execution".

So yeah, let's continue building multi-billion dollar/euro cyber armies and buy multi billion dollar/euro cyber security products, while all we need to do is:

- right click blinking icon in bottom right corner

- press Update Now

- press Next

- press Finish.

Common sense

These 20 controls are common sense and obvious and should be required for ANY company or government to implement that is in any way connection to the internet. It worries me these telcos can't or won't implement it. Most likely it was just the legal department talking, to prevent litigation by customers for not implementing it. Anyway, they suck.

More critical reading is needed

The evidence linking hackers to a government or to a certain group is very thin or non-existent. What seems to be happening is that all of the thousands of hacks that happen every day are grouped into categories, then labeled as being from a common source.

All this is being done by governments with political agendas, soon-to-be-unemployed army generals looking for the next war and security vendors with gear/services to sell.

I take all this with a grain of salt. Meanwhile, all these companies moaning about being attacked are wise to teach their employees not to get caught in phishing attempts, install the latest patches on *all* of their equipment and start using encryption a little bit more (anyone using S/MIME or PGP?).

Not hard evidence

I have read the report and I don't see much hard evidence. There are a lot of facts in the report, but how they are linked together or where the facts come from stays a mystery. Not much substance and some dubious assumptions, in my humble opinion.

For example, how do they link the attacks to PLA's Unit 61398?

- They found that all attacks come from 4 /16 IPv4 net blocks (a total of 262k addresses), all owned by China Unicom. China Unicom is the 3rd largest telco in the world, with 273 million (!) customers in 2008.

- Then they link the netblocks to a city, Shanghai (the largest city in China, population of 23 million).

- Next they conclude that because the office of the Unicom engineer listed as contact person for the netblock is in the Pudong area

- The PLA Unit 61398 is also in the Pudong area

- Hence the IP addresses must belong to the PLA and is the source of the attack

Let me translate this into English:

- Suspect IP address belongs to a netblock owned by BT and is used in greater London area

- The BT engineer's office is in the centre of London according to whois

- MI6 is in the centre of London

- Hence the attack came from MI6.

I had the same question

I have often wondered why there aren't any big sites using DNSSEC. Sure, it's a little complicated for the average Joe. But it's must be a piece of cake for big banks and e-tailer that already have large IT-departments and millions worth of infrastructure. They have the resources to have a guy or 2 or 3 devote themselves to DNSSEC and just implement it.

Why don't we just take Iran's IPv4 addresses?

An American lobby group, United Against Nuclear Iran (UANI), is seriously pressuring RIPE (and ICANN) into cutting Iran off the internet. That's also a way to get some more IPv4 addresses...

https://www.ripe.net/internet-coordination/news/ripe-ncc-receives-communication-from-united-against-nuclear-iran-uani

P.S. Cutting a whole country off internet because their government supposedly does naughty things, is a very bad idea in my humble opinion.

The End Of Owning

This UV is the mother of all DRM. It's it's meant to be the end of piracy for once and for all. You will have no more freedom. Want to watch a movie? Want to listen to music? Want to watch a tv show? Come to the content companies who thought of this and be their slave. You will never own any content again. You will rent rent rent, even though they make it sound otherwise. This is bad and must be stopped.