Posts by Lee D

Re: Logic bombs are unprofessional

Sorry, but that you were using your own personal licence to run business functions reflects worse on you, but reflects badly on them whether or not they throw you out.

My first question would be: Who audited licences, was it included in the licence list, and why did nobody notice that the company hadn't paid for it?

And, no, I wouldn't have let you "uninstall" it, either. I'd have just disconnected and/or wiped the machine. If you don't understand why, you've probably never had to sack someone.

Re: "SSDs fail at an alarming rate in space"

Nonsense.

Hard drives, even with the best SMART monitoring in the world, fail unpredictably a large portion of the time. Any large hard drive survey will show you that.

And sometimes they fail so quickly even WITH SMART monitoring that you don't stand a chance of being able to do anything about it.

Reporting bad-sectors may be a symptom of imminent failure, but only so far as coughing up your lungs is a symptom of death. There are many other ways to die without doing that.

Re: SMB

How would you get there without a) a RADIUS-authorised network port / computer, b) running network health reporting where Windows has to certify that it's online and clean and policy-compliant, c) your users would then have to log in via 2FA, d) only such users would be on that VLAN, able to talk to that server, etc.?

SMB is largely an exposed protocol. You don't 2FA that, you can't, not securely at all. You secure access TO the network that would allow you to see it. It's like asking whether WSUS requires 2FA... it shouldn't be exposed to people who aren't already authenticated properly.

P.S. multiOTP is a RADIUS server. Configured right your machines could use it for network access and you'd be stuck on an unprivileged VLAN without it.

But in reality for most setups, the 2FA here is "you're physically connected to the internal network and/or you've logged in over the VPN". Not "does SMB support OTP?".

Re: stuck on HTTP

Any website without TLS can have its content modified on the fly by any entity in the path of the request/response.

Thus any website could have malicious javascript (coin miners, etc.) inserted into it, which the website or visitor wouldn't be able to detect, and the ISP could change adverts to their own, add tracking code (actual real-life cases, impacting your security and privacy, as well as the funding stream of the websites you visit, etc. etc. etc.), and all kinds of other issues - even something in your router (as per recent firmware problems with some routers allowing compromise by "redirecting" your web traffic.

HTTPS is a good thing. Just not sure about "by default". Technically, it's insecure. Yep. Absolutely 100% correct, so there's no problem highlighting that. The problem will come when it becomes difficult to say "Yes, I bloody know that's an insecure website for the billionth time, shut up already".

Re: You are already getting what you want

An aftermarket case on a fragile object is in no way comparable to an object designed not to be fragile.

That's like saying "Hey, just wrap your car in bubble wrap because we forgot to bother with the bumpers".

Re: 1 second

Think also of OTP tokens and things like that.

Don't account for leap seconds and in a couple of years time you are 30+ seconds out which means that no TOTP system (like Google Authenticator, banking apps, etc.) will generate the right codes if they are using different clocks that do (e.g. in a smartphone).

Leap seconds aren't that hard, and assuming everything from "I'll just count the seconds and divide by 365" is as blinkered as these kinds of omissions. If you're designing a major operating system designed to do everything from trade stocks to secure servers to integrate on a mass scale, date and time is very important to get right and there are enough gotchas that you already have to design around it, rather than bodge it in later.

UNIX started off on the right idea ("Store the number of microseconds that have elapsed since midnight 1/1/1970" and then account for all changes in the way that you DISPLAY them taking into account things like leap-seconds, time-zones, historical changes, etc. (i.e. convert to day, month, year, hour, etc.), not the way that you handle the number itself (which has little relation to real-time, but you can just increment it once a microsecond and have something else handle the logic of what that second was actually called - e.g. 01:59:59 or 01:59:60 or 02:00:00 etc.. when necessary.

Trouble is that it means keeping an accurate historical and future list of every change (and mistake?) made in those interpretations, for every timezone on the planet, etc. That's why you always just pull in date and time conversion functions and the "tz" packages, and NEVER try to fudge your own even if you think you know everything.

Re: Why???

You'd also think that a place as big as Heathrow would be able to have a secondary air traffic unit on the other side of the airfield that could be used if, say, a fire alarm went off in one of them.

Re: You can't fork Android

And probably always will be.

I don't think this case will change that, no different to expecting Steam to open up their source code.

What they are arguing is that you can't FORCE people to use Google Play in order to use Android.

Re: ...however!

Mini projectors are cheap.

Which is like not sending a response packet to a DoS.

They've still used up the airwaves, fought with existing clients, and spoke over them to request anything. Sure, you're not propagating that situation but without protocol changes there's no way to say "shut up and don't ask again" or isolate such requests from the parts that actual data-transferring clients are using.

Additionally, what you're doing then is ignoring random "who's there" probes, which is going to affect auto-join of all kinds (remember - the clients are dumb and may just be trying to connect to favoured network while connected to an unfavoured one, which they can't because you ignore their probes).

At best this is a minor tweak, that will impact legacy clients (maybe in protocol-breaking ways?) and not actually help all that much (e.g. if you have even 11Mbps clients, the probes are an incredibly TINY fraction of the data that they would transmit just to stay online once connected, and mostly passive - SSIDs are broadcast quite openly and clients pick up, they don't really transmit until you join - this is how the old WEP-cracking tools of old worked, they could determine the SSID and WEP key without broadcasting a single byte of data over the airwaves. It's the "thousands of clients" bit that's the problem, and ignoring a portion of them still doesn't make it any better - they're old so they're likely to re-transmit more often to get an answer!).

This is hype at best. If you are so congested that can't fit in a client scanning for SSIDs it might want to join, then you don't stand a chance of transmitting any kind of useful data to any connected client anyway.

10,000 clients sensing networks at even 11Mbps (i.e. taking up the most chunk of spectrum, while also taking the greatest portion of their allocated data to do so) is literally lost in the noise.

The problem comes not from the responses given, but the sheer "waiting time" for the airwaves to be clear before it's safe to broadcast any kind of request at all, and that's determined by the protocol of the client, not the AP.

Re: Gonna be one less school soon

Most MIS providers are no different.

What are you moving to? I betcha I can point you in the direction of someone with similar/worse horror stories on whatever it is.

If it ever learns to quit vi then we know we're in trouble.

"I'm gonna give you run of the complete IP network" rather than "I'm going to show you a picture of a machine that you'll have to log into"?

VPN is sensible, sure, but as an encryption layer only. VPN into a network as if you were plugged in locally is just a perfect way to spread stuff from their machines to your network.

VPN, and filter, and VLAN, and etc. etc. etc. and then to a limited network that only allows RDP traffic, through an authenticated gateway, only to select apps/VM's... yep. That sounds ideal.

But to most people, well-configured RDP - with up-to-date clients - to an unprivileged TS acting as a network client is perfectly sufficient in terms of encryption, stopping brute-force attacks, letting people work from hotels, etc., convenience, and compatibility (you can do it from an iPad, or a smartphone).

The question is not "what protocol do you use" but "what measures do you have protecting that protocol".

But, personally, blanket VPN access is incredibly dangerous. And most people want it "to access network shares", so you can't block the protocols associated with that. Now you have SMB/CIFS traffic flowing around uncontrolled home networks.

RDP, via a gateway, with certs, decent policy, IDS/IPS, and file-transfers disabled... it's then impossible to do anything that "that user logged in on a real machine inside" couldn't do, while also preventing all exposure of unsanitised data to/from their home / cybercafe / etc. IP networks.

Re: Good ol'terminal services stuff

Things like GDPR etc. kept us in-house.

Sure, put stuff in the cloud, but that just means "rent a computer somewhere with a good policy, encrypt it heavily, and control it yourself" in our case.

Citrix always seemed a con, for something you could do yourself better. Cloud Citrix just seems silly.

That's saffron-t to my sensibilities...

International calls? I get CLI all the time. I know because a lot of them like to use tricksy ones that LOOK like local calls but aren't (0027, etc.). I have one on my phone history today, if you'd like to see.

Unless, and this is important, it's spam. Then no CLI, international or not. But it's never answered.

I don't care that the local council use withheld numbers etc. That's their problem. They are one very, very specific example of exactly a place that SHOULD be pushing CLI properly with an official council number to call them back on clearly visible.

If you have to HIDE WHO'S CALLING then I don't want to take that call. Legit or not. Actual client/supplier/service or not. Known to me or not. Simple as that.

Yes, you can fake CLI (but it should be impossible, BT just need to pull their finger out). But every workplace I ever worked for has never felt the need to hide their number. All they do do is not advertise their internal DDI's and make the CLI of all calls go out with the main public switchboard DDI. There's no reason to be doing anything else, unless you're intending to deceive people about the origin of the call.

Those kinds of people won't want to answer the phone anyway, so no loss to just advertise the number at least for the first few calls anyway.

Plus, sorry, but nothing binding is done by me over a telephone call. You will email or write if you need it. And absolute best case: I'll call you back on your advertised number to ensure I'm actually speaking to who I think I am, and deal direct and still ask you for whatever-it-is in writing. You could request that via an SMS, if you wanted.

There is zero NEED for CLI. It's not even convenient as it can be easily faked or blocked. Hence it's about as reliable as a From: header in an email, and I trust it just as little. Because of that, I disregard them entirely and work on the much simpler principle of "I didn't give you my number, therefore I never wanted to hear from you."

Re: Email forwarding services are passé

Nonsense.

Any email forwarding is easily coped with, and SPF can be simply added (it's IET's job to say what mailserver can claim to be from their domains, that's it - they could just leave an open record on it or offera basic SMTP sender with auth).

And envelope-rewriting and forwarding is supported by just about every domain-name host out there with email-forwarding. I forward ALL my public emails (which I use heavily for everything, personal and business, for 20+ years) to a GMail (ultimately, but that's unpublicised and can be changed in seconds) which I use as my actual method to collect and read and reply to those emails.

I also run my OWN forwarding server to do just that as secondary, to handle more critical domains, etc.. It's Postfix and maybe an hour of config for anyone familiar with Linux at all. That forwards to and isn't blocked by Google etc. unless it's quite obvious spam. My own grey-listing, SPF-checking, DKIM-checking, etc. spam filter blocks WAY MORE than GMail does, and it never touches even fresh incoming addresses at my domains (e.g. newsocialmediacompanyspamhole@mydomain.com) that haven't ever seen an email prior.

Their reasoning isn't based on that because it's hard. It's just an expense and liability that they don't need. Personally, I'd ask people for £100 per address per year and then bolt it into Google Apps for those customers who want to pay to retain it. Would take long at all, and no GDPR liability as you literally never touch their email. But I can perfectly understand why they wouldn't want to, it's just not their job.

"Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice – e.g. no working antivirus software"

Poor security practice like running obsolete and unsupported operating systems, for example?

I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed. Give it up, stop developing, testing and shipping software for it, let it on the kerb.

Until you do that, people will just keep running it forever and think that just because there's some ancient version of Sophos on it that it's somehow magically "secure" now.

Re: Outrageous!

A weak pound worth $1.32?

SWITCHES=/N

in your CONFIG.SYS.

It's simple. You trade with another country, you have to abide by their rules too for that trade.

It's a long-established situation everywhere, not just California. Otherwise Apple would just put two fingers up to every other state/country in the world and sell their products there. Instead they sold-out to China and all kinds of places to be able to sell their devices there.

You are "International" but can't trade with Europe? That's a 50% hit on your revenue immediately, not counting fines and compliance work that you'll still need to do anyway.

ICANN are being really idiotic here and will lose the EU domains if they're not careful. It wouldn't take a year to set up a "ECANN" and make all EU ISPs use it (you just say ICANN isn't GDPR compatible and, bam, they'll move over), which means that if the rest of the world want to trade with Europe, they'll have to send queries to ECANN not ICANN and the DNS roots will change to give preference to ECANN overnight (A third of them are in Europe anyway).

This is arguing with the legal system that binds 50% of your worldwide customers saying "We don't care, and we're incompetent enough that we can't even fix it", which will just end in loss of control, whether through incompetence or legal decree. And once EU goes, other nations will follow suit.

Re: Will they fund the specialist lawyers and digital forensics experts?

Legal aid has always been a pittance.

Lawyers literally only work via legal aid out of the goodness of their hearts, or because their firm instructs them to, not for the pay.

The bigger difference has always been prosecution versus defence. Work on defending people who don't want to go to jail and you'll earn 10 times more than the people hired to gather the evidence to send you there.

Plus, courts are entirely separate to lawyers, forensics and everything else. The court is merely the venue when you show those items to people trained in law. They specifically AREN'T trained in every minor detail, that's for the lawyers to get across to the 12 lay-men in the jury and the judge who might not have a clue anywhere. Only incredibly specialist cases will dare mess with that.

If anything, you DO NOT WANT all that stuff in a court. You want an expert coming in, testifying, and being rebutted by other experts. You don't want judge and jury thinking they know more than the guy on trial, or the experts he's hired, or the counsel hired to represent him. Because, more often than not, they don't.

Take it from me, someone who works in IT, graduated in mathematics, was married to a barrister, and lived with a geneticist. In all those areas of specialism, I assure you I can point out huge gaping flaws in other people's expectations of what "hacking", "probability", "legal precedent", or "DNA match" actually means in real life. You want normal people listening to an expert who says "No, that's not how it works, your honour. There's only 96% certainty that this is the same DNA, which means that almost everyone in this room could be convicted of the crime being described today".

Re: Actually...

Welcome to the 90's. It's where you appear to be stuck, anyway.

"Actually......it is easier to get an Mac to boot Linux than it is to get a PC to do the same."

Absolute nonsense. Stick disk in, F12, boot, install, done.

"They may have some ideas how they want to people to use their product but that is not different from how your dishwasher manufacturer want you to use their dishwasher."

My dishwasher has never told me that it only works with John Lewis Plates, that I'll need to use Apple Soap, nor that it "just can't do that" when I ask it for a 10 minute rinse instead of a 20.

"Most of the anti-apple mob are angry Windblows users who are afraid of losing their "supremacy" of having to reinstall their PC at least once a year."

1) If you're reinstalling a PC once a year, you're an idiot.

2) Would you like stats on how often I have to reinstall a Windows machine versus a Mac machine in a school with hundreds of the former and only a dozen of the later? I'll give you a clue: You lose.

"I am btw. running OpenSuSE on a MacBook Pro... installing Linux on a Lenovo was too time consuming."

Good for you. And why? As someone with an entirely-Lenovo shop, I can't imagine what could cause that. Literally, boot install at disk / decompression speed.

"Oh one more thing: Windblows still can't manage proper display scaling something OS X and Linux has been doing for over 10 years."

Display scaling? As in zooming your display to show on higher resolution screens? You really are operating in the dark ages.

But they're not.

That's a silly use case.

They're looking for possibly 100,000 people out of possibly 70m people. At that point - in fact, WAY before that point - the numbers explode and even an accurate system has an atrocious false positive error rate.

"If I understood your problem correctly, the solution is simple:"

Yeah. Those obvious, intuitive commands, environment variables passing into other environment variables, etc. etc. etc.

I mean, I understand everything its doing and why. But I wouldn't be able to guess at that in a million years.

Re: What does it run?

People stopped dual-booting 20 years ago.

Having to shut down one OS to run another is ridiculous in the modern age, where you can run both simultaneously without issue.

Honestly, we stopped doing that the second virtualisation instructions were put into processors.

Re: What's the app?

To my knowledge, an awful lot of phones have never supported recording calls at all, but that's a hardware manufacturer integration. If they don't present the hardware to the Android drivers, then there's no way for the Android API to record it.

But also note:

https://developer.android.com/reference/android/media/MediaRecorder.AudioSource

"This permission is reserved for use by system components and is not available to third-party applications."

Even the latest Android APIs do have an option to do just what you're talking about, but it's never been properly exposed and officially supported. When you use unsupported stuff, that's what happens.

I don't think it's ANYTHING to do with Android. It's to do with people BYPASSING Android. And I think it's to do with manufacturer's not exposing functionality in a standardised way via the Android APIs that already exist and/or not producing hardware that supports such functionality (e.g. a voice-call-handling chip that doesn't provide the voice data to the processor running Android at all).

Re: How hard can it be?

Why?

If they have to mark all their products as "used" to be VAT-free, then they're not going to like doing that for big-brand items (i.e. the things that sell for the most money).