Posts by Adam 1

Re: It only makes it easier to crack...

> Why not just have an increasing delay between logon attempts?

That defence only works against online attacks. And it is probably easier to detect enumeration attempts from the same IP and blacklist it. More likely though, someone forgot to password protect their Mongodb which gets lifted and then they throw hashcat at it.

Why? Averages can be skewed by outliers. Trimmed mean might be better than either, but the main question is whether that number meaningfully illustrates what is happening with the data.

Agreed. You could almost get half a fighter jet for that.

Re: I've been saying this since the Snowden revelations came out...

Exactly. The Windows zero day (for example) will get reported to Microsoft when both

* A better/faster/less detectable exploit is discovered/purchased; AND

* They catch an adversary doing it.

If the first point hasn't happened, the second point won't be a consideration.

Re: @ Adam1

Sorry. I misread your comment as don't bother with VPN or tor because that makes you interesting

Re: Get what you wish for

> the clear implication of the government (a) lobbying itself and (b) pretending to be a private individual.

I have no problems with (a). It is a good thing™ for governments to extoll their positions on any matter and to force them to justify the positions they are advocating. My problem is with (b). And I have a big problem with it. It has the optics of an attempt to present a case for change or not without the usual skepticism applied to a normal government mouth piece.

Re: Big Companies and Policies

Curious about the down vote. Happy for anyone to disagree with me, but at least state your argument so I can see where you're coming from.

Despite what the story states, it is not going to be everyone's job to check the backup. Most of that 75 won't even have the rights to do so, nor should they. And it's not unheard of for places to be temporarily overstaffed. Think about what happens with planned mergers or spin offs, where IT functions can get duplicated for a while or sit there idle until some other department gets up to capacity. Sometimes it is cheaper to pay people to do nothing for a few months than to scale up or down, especially where the skillsets are not so fungible.

That said, it appears some mock DR exercises would have been a better use of time with hindsight.

Re: Makes me wonder how many others in the "playbook" have this capacity.

> Ultimately somebody has to have the power to do this because shutting down servers is a valid admin activity. However it should be made a multistep process with plenty of Are You Sure? types prompts

How about "Please enter the shutdown validation GUID. This can be found on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard."

Pfft. Like my car. It has two back doors that I'm aware of.

/Grabs coat

Re: openpgp

Firstly, not the down voter. I agree with the general gist of what you are saying. My only disagreement would be about the easiness of detection. Remember that a lot of things need to hold true for encryption to be secure. A few years back, Debian's RNG was accidentally screwed up by removing some code that looked buggy but was necessary for seed initialisation. That fundamentally compromised all encryption operations for a 2 year period.

See https://www.schneier.com/blog/archives/2008/05/random_number_b.html

Re: Pigeonhole Principle

> or partitioning the document and using the same hash method to "cover" overlapping portions of it

Just be aware that whilst the pigeon hole principle shows that it is mathematically certain that two documents that collide must exist where the input size exceeds the hash output size, it does not follow that two inputs that are smaller than the hash output cannot collide. In a well designed algorithm, it should be both very rare and computationally infeasible to find the other. IE. Nothing short of brute force

Re: Google stating problems occurred as a result of "routine maintenance"

It really did look like some sort of phishing attack. And certainly Google have now through lack of foresight opened up their user base to fall for the next one. They should have had a website explaining exactly why you needed to reauthenticate. Not a mystery popup!

Re: Root access

> your fictitious drone videos them from a handy window would more likely to go unnoticed than a HDD thrashing for no apparent reason

Nonsense. It's simple to mask. Simply call the executable svchost.exe and no-one will bat an eyelid when it randomly consumes all the system resources.

You are treating this attack vector as if it is a fairy tale, but remember stuxnet was a weapon that accidentally got out but it was designed to take out Iran's nuclear enrichment capabilities on air gapped systems. It is not beyond comprehension to imagine a machine that is not air gapped but is fire walled off. Sometimes the observer just needs a private key so they can MitM on the legitimate channel without detection. This sort of bandwidth could send out a private key sub second with no packets apparently leaving the network.

Re: "I wish for world peace"

Why? It will just say something like "in the discharge of their authorised duties, the employee agrees to at all times refrain from actions likely to cause damage to the company, its suppliers, customers, associates, ...."

If your company gives you a car, you have the right to depress the accelerator or brake hard to avoid an emergency. It does not follow that you are permitted to do it for kicks until you've damaged it.

Hope he loses. What an arse hat.

Re: At reader level yes

Wrt to the collision rate of fingerprints, that is a side issue. It actually becomes worse in some cases. Some occupations are notorious for using chemical compounds that effectively eat away the prints so for those people the templates have a lot less points of interest and so collisions become possible. Most APIs won't let such people record a template. But the templates are basically a set of angles and distance measurements. No two scans of the same finger would ever result in the same measurements any more than taking two photos from a tripod could create a byte wise identical bitmap. The question is never "are they a match" (hint: infinite FRR). It is always "are they acceptably close". That's where the complex math starts because you are expecting features in a similar location to distort in a similar way, and some features are missing altogether because of sloppy scans.

Re: Not the best choice

Um. Pretty much the other way around. The shorter the half life, the more aggressively the thing is throwing particles out. And iodine will happily be absorbed by your thyroids and do plenty of damage throwing its beta particles about in those 8 days.

Re: Of course for Netflix..

Or whether a VPN client is running.

Humans pay no taxes. They merely pass them on as a reduction of their consumption from businesses. Just as silly an argument.

According to economics, businesses will charge as much as the market will bear and no more and seldom less. Humans will seek out the best deal for them (including a cost minimisation objective). Taxation is an input cost to businesses. So are employee salaries. So are executive salaries. Any business who wants to raise prices in response has to either have a monopoly/duopoly or hope that their competitors follow suit.

It's a genuinely interesting problem. If more folk are going to be displaced (I hate that word because it doesn't capture the impact on the individuals) then unemployment costs and pensions will rise, tax take will drop and spending capacity of society as a whole will drop. That is a negative feedback loop, so we are royally stuffed if we don't find some way of dealing with it. I think there are several issues with Bill G's suggestion (when does a piece of equipment become a robot as well as handling the import tariffs you would need to stop offshoring of the robot labour to give two examples) but it is worth considering in the mix of ideas.

You also need to take into account the new gas export infrastructure that has come online in recent years. Prior to this the supply and demand equation was primarily domestic consumers. Now gas prices follow the international market as many producers can make more by selling it overseas. As a result, wholesale prices have at least doubled and this ruins the economic assumptions behind such plants. But hey, at least Chevron, Santos ExxonMobil et al contribute to our collective wealth by paying a fair share of tax.....

Re: The F*ck

Maybe they need the reverse

> rm -rf /

> I'm sorry, Dave. I'm afraid I can't do that.

Re: no car apps here

> I've seen more fobs fail than work.

That I strongly doubt. Yes, fobs can run out of battery but in my experience you tend to get at least a small warning where for a few days or weeks you have to press it a few times before it goes entirely. And yes, operating then with gloves can be a challenge.

But

We have seen jeeps get remotely driven into ditches. We have seen Nissans have their climate control activated from another hemisphere (literally). And by now some of these cars are being sold to second and third owners who are blissfully unaware that the original owner's iPhone can still unlock it. And that's before the more novel attacks from fake charging points that sideload apps as demonstrated just this week that could quite easily grab those credentials and the GPS location where that phone is often kept.

Now I grant that water can block some frequencies used by key fobs, but frankly if the ice is that thick, you ain't even getting to the handle, forget about driving it today.

Re: GDI32?

No I don't mean legacy stuff using MFC. Of course that uses it, but not all things that use it are MFC. If I look at the processes on this system that have a handle open to gds32, I can see 148 of them, including things like Firefox, Chrome, cmd, devenv (VS 2015), Notepad++, powershell, Process Explorer (ironically), sqlservr, w3wp (IIS worker), and of course the various office applications, updaters, svchosts etc. I literally just created a new otherwise empty WPF application, and even it loads gdi32 when you double click it.