1962 posts • joined 7 Dec 2012
Re: "The former policy wonk -
Well, it's understandable that one lauded as an expert is just so clueless.
After all, it's not like FVEY have bothered to install middleware to fork microphone and camera data, to transmit it via a covertly network-installed applet to their central monitoring software, which then transcribes everything said for automatic analysis.
That's a 21st century technology! We're nowhere near - oh, wait. We are in the 21st, we can and have that capability and use it constantly.
Been there, done that, got the blasted tee shirt
Once, at a secure US military installation, which was key in all current wartime communications, the technical control facility manager decided to take the building's UPS offline and go direct to mains power. The unit was active:active at all times. The reason was simple and necessary: replacing a room full of dead UPS batteries.
Regrettably, he only skimmed the instruction manual, didn't want to wait for the installation electrician and flipped the twisty switch.
The servers all went down hard. When he put the switch right (he was one position off from the correct setting), one key rack didn't come online and remained dark.
At the time, this BOFH had been wearing the information assurance hat, but I am an experienced BOFH and also a certified electronics technician in industrial automation and robotics. So, reading industrial electrical blueprints is ancient news to me.
"Where is the electrical blueprint?"
Spreading several blueprints out on the floor, kneeling, tossing the incorrect diagrams aside, I rapidly located it (paraphrased, to protect NDA information): "Ah! Circuit breaker 57A, in bank 12F. Where is it?"
Predictable look of confusion and consternation and disclaimers of such arcane knowledge.
A swift heel and toe express around the battery/UPS room located the breaker - conveniently located behind a one-off bank of several hundred batteries, seriously out of view and traffic. Sure as can be, the breaker was tripped.
There was one chance in three that I'd flip that breaker on my own authority, on a US military base, and worse, in wartime. Slim, fat and none.
"OK, here's the culprit. *I* am not going to touch the damned thing, it's way outside of my job responsibilities and I won't accept responsibility. So, it's your ball. Wait for the installation electrician or push it yourself and *you* take any resultant heat for hardware failure."
The manager considered, "It'll be two hours before the electrician gets here!" He switched the breaker off, then to on position. The rack lit up.
It took nearly 12 hours and a very upset COMSEC custodian to restore all services. Each crypto device required rekeying, requiring the presence of said custodian to provide the appropriate USB (and other device) keys.
Six months before, we had a similar outage, due to a blown transformer and the aforementioned room full of dead batteries. A room that was ignored, right until a US General couldn't use his telephone, due to the outage.
Suddenly, we had the budget to replace that which we had complained of twice weekly.
Now, here's something more interesting
In the US, automobile insurance policies come in commercial and consumer packages.
Delivering packages for Walmart would be commercial activity and not covered under the automobile insurance package that Walmart employees can barely afford to pay for.
That effectively renders those employees involved in an accident at the time of such commercial activity, legally not covered by insurance.
Which is mandatory in every state.
Well, I can't speak to BA, but I know of a case
Where a US military installation, quite important for wartime communications, entirely lost power to the critical communications center for the entire bloody war, due to a single transformer and a dodgy building UPS, which was to keep everything operational for all of five minutes, in order to let standby generators come fully up to stable speed.
It turned out, due to the installation being in a friendly nation in the region, it had lower priority (odd, as US CENTCOM was HQ'd there). So, the battery room full of batteries outlasted their lifetimes and failed and, due to budgeting, was not funded for lifecycle replacement.
Until all war communications to the US failed. A month later, the batteries arrived by boat and then had to endure customs.
That was all after correction of a lack of generator testing on a monthly basis, which management claimed was unheard of, but which the technical control facility supervisors admitted to being a regular test that they had forgotten about and hence had managed to avoid being part of our monthly SOP.
That, being brought up by myself, the installation IASO, in a shocked outburst when told that the generator failed and was untested.
The gaffe in SOP was corrected.
To then fail again, due to a different transformer explosion from failure, due to a leak of coolant oil in the desert heat and a week previous flood, caused by a ruptured pipe.
Not a single one of us dreamed of water from the one-inch pipe leaking onto the calcium carbonate layer directly beneath the sand, flooding into the below-ground diesel tank, displacing the fuel, and, when needed, the generator getting fuel from the lines and then a fine drink of fresh water.
Yes, another change in SOP. Whenever there is a flood within X meters of a below ground generator fuel supply, test the generator again. The generator was tested the week before the leak, so was two weeks from the next test.
Boy, was my face red!
Re: With the Samsung Galaxy 8 implementation - yes.
"What if I use my balls as the biometric?"
I had actually considered that. It'd have an added benefit that few blokes are about to stick that phone to their face after I identify in.
And maybe the cat won't lay on the bloody phone, like he does now.
Re: Never again
"As it states quite clearly on the promo visible on the screenshot of multi-panel (p2), 'Samsung Electronics has taken care to create a memorable experience'."
Well, being electrocuted is a memorable experience, however, I don't recommend it.
Re: Pugh Pugh Barney Mcgrew ...
I dunno. Hanging up a snake in a forceful manner can tend to induce, erm, irritation on the part of the snake.
Re: try 1234
Aw, now you've spoiled it!
Quick, change the changed code to 6789...
I don't think that'd be all that effective.
You're dead if you don't give in, you're dead if you do give in and all of the passengers are dead as well.
We have precisely one Windows system in the house.
The POS from work. An HP EliteBook, with its cracked NIC port, which isn't considered part of warranty and *why* HP won't be next year's vendor.
As for Microsoft, the only MS system in the house is the one from work. Although, I do keep one bootable under an obsolete version of Windows to patch assorted other systems that I'd rather throw into the trashcan.
First, there's that entire WSUS thingie that's free.
Creating a test group, trivial.
Been there, done that, created the damned program.
Add in SCCM and assorted other package management software, well, seriously. This is a management complacency issue.
Now, long fangs are hooked upon many, many, many management asses, not only UK, but throughout the EU.
Re: Missing the Obvious
I invite you to lead by example, so that others will follow.
Let us all know how that works out for you.
Re: Govt depts and system patching
Not only government. I work for a major corporation, derived from a Fortune 200 corporation.
This weekend, Saturday being my "Monday", I found major patching for this frigging vulnerability going on.
Back when I was IASO for a major US military installation, patches of the OS were delayed, at most, by 30 days.
Net result, due to equally anal retentive antivirus states, the 2008 cyberattack on the US DoD, which was centered on our area, failed.
Following best business practices also helped. A lot.
A tad of commonsense also helped.
Re: Oh dear. XP
Oddly, Microsoft sent out a patch for XP.
Good idea, as this rubbish code belongs in a rubbish tip, not a fucking operating system. And to be honest, this shit code likely has existed since the US DoD bought the NT4 source code.
Blaming the NSA for doing what defense organizations do is idiotic, as they didn't write the shit code, Microsoft did and gave all six major vulnerabilities a free pass, for decades!
Do research how long the SMB1 stack has existed.
Hint: SMB1 is nearly as old as our children, who are in their mid-30s. It's nearly 30 years old.
We have one thing that's over 30, other than our children, our wedding bands. Everything else was either lost, destroyed in a move or damaged beyond repair in moving or normal life.
Or do we also need to get NetBEUI fixed as well?
Yeah, I'm *that* old and a bit older.
Hint, the Queen of England sat 9 years on her throne before I was born, but my earliest memory, beyond a diaper pin jab, when I wriggled and understood what mom was warning me of, was JFK being shot to death.
This is a case of one complaining of a Model T Ford not running worth a damn on modern gasoline and worse, the valves hammering themselves to death.
For one, the NSA didn't write the garbage code that was SMB1. Microsoft did.
Said code repeatedly passed the excuse for code validation that Microsoft has.
That the NSA found six vulnerabilities and likely utilized them, well, they're military defense. Do you honestly expect any military organization to give away an advantage?
This is odd for me, as I have rarely defended the NSA!
I'll close with, *anyone* who permitted the SMB1 protocol to exist on their network needs to be given the sack. Inefficient, network hogging worse than YouTube cat videos and pure rubbish coding have long put that code at the top of the list of things to disable first on a baseline configuration. Right next to autorun, which even Microsoft figured out to disable by default. The only damned thing it's not vulnerable to is ping of death!
Re: 5 eyes?
Having personally known quite a few such personnel (but not being involved with their activities), I'll suggest no.
Too clumsy. FVEY is a *bit* more clever, adding authentication of certain sorts, which I shan't discuss.
Not leave shit wide open and hope for the best, their own equipment included.
China and Russia, the same.
This looks like a classic human foul-up, likely due to a poor selection of copypasta code and a distracted, likely pressured code review, if that was even present and it wasn't an inherited abomination which never did get code review.
To be perfect, divine. To foul up, quite human.
But, that's this analyst's opinion.
I'll now go to bed. To get 8 hours of sleep.
For the record, for fun also, it's 4 AM where I am.
Erm, this is enterprise specific hardware, not consumer geared hardware.
So, 99.9% of the userbase on the planet are not vulnerable to this bug.
So, my wife's hardware isn't vulnerable. Some of my hardware might be. :/
A bit of network reconfiguration would take care of that issue. :)
Re: My HP laptop was patched a month ago
Due to a relocation, change of lab and production networks, loss of critical equipment, due to that relocation, I'm now down to two potentially vulnerable systems.
A previously desired reconfiguration will be advanced to next weekend.
There's a big plus in having enterprise networking equipment at home. :)
Re: Damage limitation
Such interfaces, DRAC, this, and various other management interfaces, should always be on an internet-blind VLAN, accessible only from the management VLAN, which also does not have access to the internet.
*That* is the damage limitation.
WTF would you put a management *anything* openly accessible to the entire frigging internet?! If anything, it should be via authorized VPN connections that are allowed to access the management server's VLAN, which can access that VLAN only.
Christ on a crutch! This isn't complicated!
"Real Men" don't ask for directions, so the man page is totally out of the question.
Although, I'll admit, I've coded such an abomination more than once and while going over the code, thinking, "WTF was I frigging thinking?!".
Although, my best coding was in coding security, authentication and verification systems.
I've also an infamous habituation for "fucking off", aka taking an additional break. I was productive enough to be able to do so, in each career I've had, which has now reached a half dozen, all high level successes, until the field faded. Before I could fatigue enough to not pay attention and miss things, it was time for a fuck-off time. Where I circulated among peers, resolved their problems, went out for a smoke, conversed for a bit, then went back to work.
In one corporate environment, efficiency analysts were annoyed at my waste of time, and I insisted on re-examination and permitted an examination period without the additional breaks. Shop productivity dropped by 30%, morale dropped even more and my own production dropped.
They re-examined their data and via interviews with those observing, noted my interactions and troubleshooting, while still managing to work my way to the remote smoking area.
Yeah, after, they recommended things my way. Alas, only for me.
Frigging idiots. Drove off other people, who would otherwise have advanced to such an SME level.
Who then worked for competitors.
Re: Not the only remote "god mode" AMT bug
"Are you referring to the NSA back-door?"
No, those have specific prefixes.
Oh! That was my internal voice, not my real voice, right?
Re: This is almost as beautiful as GOTO FAIL
ON ERROR GOTO HUMAN
Yeah, I'm a *bit* older than that. My first memory was being stuck, while wriggling, by a diaper pin. My next memory, JFK being shot to death, while mom was taking down curtains for laundering.
Re: Pardon me while I throw-up
"This is a bit of a blinder though, on what must surely be a code path that can be reasonably easily audited."
Never attribute malice to that which could be better attributed to being close to lunchtime or quitting time.
I've hastily reviewed documents at both times, to re-review, to reacquire my train of thought later, and was horrified at what I missed and then had to fix and review a bit farther back. And those were simple things, like mission plans (military) and policies.
Eventually, I narrowed my window of distraction time down and ceased such reviews until the later time period and pursued other items that required my attention. The change, distracting enough to avoid such errors.
Re: noob or arrogant...
"Human error happens, but the review process should be designed to cope with that."
Something that I continually strive to achieve in our information security shop, as a hedge for when I make one of my legendary fuck-ups.
You know the type, such as that hibachi accident at Hiroshima in 1945, to which the US quite nicely accepted the blame for my accident.
Re: noob or arrogant...
Oddly, during my code monkey era, if I nobbed a bit of code, I examined the hell out of it and figured out what it did, how and why.
Of course, I date back to before the era of compilers being common. We used to do dev parties, where a few maniacs actually wrote raw object code.
While things have moved on, I can still disassemble code and figure out what that compiled code, disassembled and shown inefficient, actually does. While rubbish for complex code, such as office software or an entire OS, it's eminently useful in malware samples.
Re: I used to be excited about AMT
Well, Dell's DRAC once was an option. Can't say anything about iLO.
Re: Way to go Intel!
Yeah, totally new.
It's not like Intel endeared themselves to us with the FDIV (aka approximation bug) or F00F bug, for starters.
I could also rattle off many, many other hardware bugs, from various vendors, from old '286 BIOS bugs onward, but it'd be encyclopedic. Going back to things like Award BIOS in 32 and 64 GB hard drive handling, where WD software and the BIOS poorly handled things, resulting in trashed WD hard drives.
Not a hint of *BSD.
Interestingly enough, I have precisely zero Windows based systems at home, my Mac was stolen and not replaced after a burglary, the rest are Linux or *BSD (you'll excuse me for not discussing the variant) and I still hold a US security clearance.
But then, my rather lengthy file does mention two things.
I'm a dick.
And I'm one hell of a good, long or short distance shot.
OK, a third entry, "Mostly harmless". ;)
Re: Yes. He was.
"On the other hand: If the scripts bork, I did not check the results, stuff breaks down and I goofed off instead of checking stuff bloody works as it "
Re: Yes. He was.
"But they clearly were fucking around instead of doing their jobs if the backups weren't being done."
I have a manager who watches assorted metrics, ranging from logon times to
I got into the doghouse for logging in a tiny bit late. I'm further into the doghouse for another metric, low number of generated tickets.
In that, I'm squarely there, low tickets. I refuse to provide false alarms, to be ignored by other projects. When I send an alarm, it's real.
Upside, while I'm an analyst now, I was previously a BOFH, having taken a five year break to care for an elderly father. He was also a BOFH type, prostituted into management.
As my experience base is far more current, I suspect he worries about what kind of laser my sharks carry.
And my security androids.
Re: Yes. He was.
I fuck off at work as much as the next guy.
But, I also ensure that I also do my frigging job.
You know, earn your pay!
Work when you have to do your damned job.
Would that I had a list of these turdballs, to submit to HR as blacklisted...
And I'm one who loathes blacklisting.
@Youngone, in some US states, refusal to present ID upon demand is a misdemeanor.
Good for you! Make sure that the venue is aware of why you canceled your trip. The more businesses are impacted and they know why, the less support the Oaf Filled Office will have for such nonsense.
Actually, the traditional checks and balances still apply for those within the US.
CBIS is an executive branch agency. Congress has the checkbook and can immediately defund the agency if it disapproves of the activities of that agency.
The courts still apply the law and can hold CBIS agents, management and leaders in contempt of court for not obeying the orders of the court. If the executive branch then fires marshals for attempting to enforce the law, a Constitutional crisis occurs, which Congress either addresses or permits the entire Constitution to be null and void.
In the latter case, it would then come down to how the military feels against a Commander in Chief destroying and undermining a Constitution it swore to protect and uphold.
And how Congress would feel when Trump were summarily dumped inside of the House of Representatives by that military.
Re: If Apple were to get the billion...
"...would they be passing the money on to their customers? I suspect it would just add to their already bloated margins."
Yeah, because the fiduciary duty to stockholders suddenly ceased to exist.
Grow a brain, child.
It just *might* grow some innovation, which I'll admit is as likely as Marvin the Martian becoming real. But, it may well be reflected in briefly lowered prices.
And hence, more drones for crApple.*
*I loved the MacBook Pro, until it was emasculated into an iBook.
Along with the rest of the product line.
Alas, for the village idiot nominee
Only the military currently, per US law, can be held to the death sentence after conviction for espionage, sedition or treason.
Usual grandstanding, zero content.
"[who I understand got the sex change done AT THE TAXPAYER'S EXPENSE]"
Yes, the US provides medical and mental health care for convicted felons. How horrible! Maybe you'd prefer we not provide those services and summarily execute them instead?
Re: The real culpability lies...
"No, the real culpability lies lies with the people who authorised and executed the (really) bad things that Manning leaked."
In other words, when summoned to provide air support for besieged ground forces, air support units should instead land their aircraft and surrender, right?
Or should the ground forces simply have surrendered?
Re: The real culpability lies...
"Err, hang on, so it's their fault that Manning decided to steal sensitive documents? "
Yes. Per US Army, US DoD regulations and US law. Personnel pending deleterious personnel actions are to have their access to classified information terminated immediately.
Had that entire lot of officers and senior NCOs performed their duty, Manning would be free.
Re: Julian's Hollow Promises
Even in the highly improbable event of a future indictment for the Manning affair, he will have grounds for defense by arguing that he is (a) not a citizen and (b) not in the US when in control of a server, which also was not in the US, when he violated US law.
Seriously, it'd be like attempting to enforce US bigamy laws against Saudi citizens who never left their country.
Re: One way only
"If you vote for a third party you will throw your vote away!"
Which is why the Tories and Whigs are still real powers to contend with in the US, right?
Re: Good on Obama!
For one thing, PFC Manning should have never been alone in prison, from the service member's S1 through S2, plus the entire senior chain of command should have been in adjacent cells for criminal dereliction of duty, resulting in the loss of control of classified information.
Manning was flagged for pending deleterious personnel action, an involuntary discharge from the service for cause. As such, regulations and the law are clear, when an individual is flagged for deleterious personnel action, said individual's access to classified information is curtailed immediately.
Which is precisely what they failed to do.
Indeed, had they performed their duty, Manning would have never been in a position to retrieve and distribute classified information.
As for those who think that the videos were horrific, yes they are. War is horrific, I rather prefer it that way, as it keeps the village idiots in power from declaring it every other damned day. Would that we could force them to lead from the front line on the occasions that they do start a war.
"As for Facebook, they proved me wrong. When they started I thought that only Google could grab so much data unchallenged, and I must give them credit for coming up with a model that allows the victims to believe they're actually doing them a favour."
Ah, admitting that one is an idiot is the first step toward moving away from idiocy.
Oh, wait. Idiocy is a permanent condition.
Seriously, from day one, their user agreement that one should read said that all data was theirs, not yours. If that doesn't give you a hint, I can get you an audience with Her Majesty, for a small fee. Just pop me off your credit card number, expiration date and CV code.
"OK, so you actually believe what people tell you, even when there is a clear conflict of interest in play? I have a bridge for sale.."
Do enjoy that bridge. No date/time stamps, heaven knows when each message box was generated.
But, it's comforting to know that you trust random strangers on the intertubes. Might you be tempted into considering an all expense paid vacation, where you could enjoy your generic Viagra, while toasting your success in that Nigerian investment?
"If you found out earlier, than perhaps you stood a chance to extricate yourself from it."
Because, backup technology was introduced yesterfuckingday, right?
"As a result, rather than a hero he should have been, he sadly died an obscure and broken man."
Which is the eventual end of anyone who works with highly, highly classified information.
From a chap who knows far too much about such things, although I'm far from broken. Merely folded, spindled and mutilated.
"and if you want to contact me then use email."
Well, at least you're falling back to a secure messaging technology.
Well, as secure as a shout on a bloody crowded street.
So, that personal data that you'd sell? I'll give you a half-pence for it.
A certain pirate bayage...
Which remains upon various and sundry watchlists...
Re: But how to know if someone has an implant?
"But I imagine that, say, titanium wire bound round a femur to hold it together could just conceivably form a multi-turn coil, in which case it might be dangerous due to circulating current in a rather high resistance metal."
Only if you have some magical overriding law of physics that surrounds you and turns titanium into a ferromagnetic metal.
I anticipate that to occur shortly after proton decay of the universe, if ever.
Re: But how to know if someone has an implant?
"The aim of this sort of tracking is to be able to identify exactly what item was used in an operation so that a few years later you can look at the record and know which implant was used and from there track the batch that the implant came from - you need to do this because if there's a recall, the doctor needs to know, not that the patient had a hip implant, but if the implant is from the recalled batch."
As one who has an implant with an easily observable serial number, seriously, grow a sense of humor.
Eventually, I'll require bone screws, which would have serial numbers and now a bar code.
We, the gimps, quite well understand what's at stake.
But, I also know, my IOL gave me X-rated vision.
If the conservatives want that recalled, there'll be a full scale war. ;)