Re: Railcard Head Orifice
At least it wasn't microdrive.
988 publicly visible posts • joined 11 Jul 2015
I noticed a couple of times that there seems to be a series of downvotes on commentards, just the odd one or two on *all* the posts. Which suggests either someone who takes a weird dislike to a particular set of articles, or a bot that attempts to alter the appearance of consensus.
El Reg - can you confirm if there is some weird activity on all comments in a short space of time?
Is it the Russians?
Or is there a greater conspiracy involving google? Or maybe Russian Google staff?
Googley Bear.
We should ask Julian for his take on this.
Useful if you are an android trying to pass for human.
In which case you would probably set a daemon called <breathing> to run in the background.
But that wouldn't be a human thing to do, you would use something to remind you externally, like a watch.
So then you probably would use a watch to do it. But then a human wouldn't need a watch to do it so therefore you would probably set a daemon called <breathing> to run in the background and another called <check_watch> which has a randomisation element for periodically checking the watch. But you would probably not want to do this when you are doing things that shouldn't require you checking your watch like sex or sleeping, so you would need to have states that are checked to ensure that <check_watch.....
I am thinking about this too much.
Interesting place we are in right now. All of a sudden the reams of data that we daily spew, the trillions of bytes of cats, porn, txtspk and selfies that are flung are all considered 'rightfully' yours; the domain of the security agencies.
We get it. You are keeping us 'safe'. And for a given value of safe, you are. Even if, using this method, you caught or interrupted *one* bad thing, this is a definition of keeping us safe. Thanks for that. But I, personally, don't trust you. You see things with lines stating this is a good citizen and this is a citizen to watch because certain patterns cross over. And you watch, 24/7 and add up all these little extras that once were maybe deemed eccentric by others, and they cause you concern because they don't equate to the idea of a good citizen.
There are far more people like me, than people like you, though.
So you need stricter fines, methods for control to keep the 'undesirables' under control. But this doesn't work. So these methods become more corporal in nature. Because this works, right?
Then what? You think 'this will never happen, we won't repeat history'.
And of course, as you know, you already are.
Because what will happen? A generally dissatisfied populace will end up voting in a government that actually looks like it is leading, is forceful and gets things done as opposed to the clowns currently operating. And then that government has the tools, thoughtfully put in place by you, to ensure that they continue to be forceful and Get Things Done™.
So thanks for that.
Total bullshit of course. Just a little eccentricity of mine, thinking like this whilst I have my breakfast.
"Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definitely applies - not for the scanning, but for *the way they're explicitly bypassing security* and attacking the target network"
Then it isn't much in the way of security it is bypassing, then.
I am not defending Halifax. There is a breach of etiquette here. But at the same time it should be water off a duck's back, not a 'How dare you!' reaction.
The internet is an unforgiving place to be.
"If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.
I do not need some dweeb dropping in on my open ports saying they are or appearing in my logs as being some sort of security scanning service."
And that is exactly the mindset that the policy and lawmakers are coming from.
If malicious hackers were nice people then they wouldn't be malicious hackers. So it is, quite literally, an anarchist state out there in Intercyberweb Land. Those that know this will have a better chance than those that don't. And now with added GDPR you better hope that your house is in order because hacked/leaked data along with insufficient GDPR consideration will result in bankruptcy.
So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure. I don't say 'How dare you!'
But hey. That is just me.
Actually, I am up for everyone being able to scan whoever they like. I, personally, think that will result in a percentage point increase in secure online destinations.
The law is an ass when it comes to security in the online world. Basically going after low hanging fruit because 'We are doing something' and all that bollockerdash.
NMAP ftw.
I am not holding out much hope for the new 'Atari'.
Which is a shame. Because that *should* rock the gaming world. Not with 3d immersiveness. Just easy to develop for.
They should have gone for a Neo Geo on steroids. In fact, they should have just made it a Neo Geo clone. :)
"It's the clueless middle-to-upper management that spec it and use it that are the security problem."
No, it is still also due to the coders who write the stuff, the analysts who examine the stuff, the testers who test the stuff, the customers who buy the stuff.
Joint effort.
Security will only work when holistically applied. Otherwise you are always just one phishing attack away from pwnage.
(Except in the case of Oracle. Oracle is Satan's work.)
'Catherine McGuinness, policy chairman of the Corporation of London, chipped in to add: "I'm particularly pleased that this court will have a focus on the legal issues of the future, such as fraud, economic crime, and cyber-crime."'
So they aren't legal issues in this current timeframe, then?
Who knew..
Where on earth do they get these stupid, idiotic, canned media quoting, crap spewing shitty little bollocky, electron wasting, bile inducing fools?
RE: Nostalgia - I remember reading a lot about L0pht in 99/2000. I may even remember the senate hearing. Was it in Computer Weekly? Certain names certainly popped out, Mudge, Space Rogue - those, and others, certainly came up time and time again.
Anyone else read, or used to read, Attrition.org? Still going.
"At least what we do is basically out on the table. The same can't be said for the French or German security services."
Sooo...what you are saying is the French and German security services are better at keeping secrets?
Saying publicly: 'We are going to do this questionable moral activity in the name of (insert catchy soundbite here)', doesn't make it any less questionable.
Human nature at work. It won't improve. The game will stay the same but the goals will shift.
It has ever been so, it will ever be so. Start with your own personal moral compass and work from there.
Wasn't talking about the good Linux distro side. I was just referring to the household name bit.
If I went to my family and said Android, they would go 'What about it?'
If I went to my family and said 'Ubuntu', they would go 'You having a stroke or is that a new cordial?'
If I went to my family and said 'Canonical', they would go 'is that a small camera?'
I love my family. I hate the fact I am the only one who works in IT, in my family.
I mean well done is deserved.
But I don't see why we have the term 'Open Justice'. Justice is justice, surely?
If there is something nefarious going on behind closed doors, if something is just it still is just, if it is affected then it isn't justice.
Actually that reads weird. You know what I'm trying to say? Meh.
Too much GDPR documentation going on.
Legally mandated requirements are that. Legal requirements. So if you run a Telco, you have to comply with the data logging requirements for running that Telco.
After that GDPR and the ePrivacy directive take hold.
So if you are legally required to keep a record of what phone calls were made through your system for 7 years, then you keep them for 7 years. But on the first day of the 8th year, you better have your data deletion policies in place.
"But a normal website owner should have no further need for the data after it has been in the logs long enough to check for unauthorized access, which should be same-day or next-day (3 days if there is a weekend between), is what I'm reading from the IETF. But that does seem rather short. A few weeks seems more reasonable."
You won't necessarily know about an intrusion until Troy Hunt mentions your domain. Bad things™ happen even to those that do take precautions. Ever hear of the rogue employee? And you need to find out what occurred so you know that particular hole is shut down and the ICO will want to know what you are doing about the data breach. You can't do that if you dispose of your logs too quickly. When you are aware of it, you don't know how or when it occurred yet so you need to check.
Those that think they are that secure that they can't be hacked in any way are, for the most part, deluding themselves. You have to assume you will be hacked at some point.
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
https://gdpr-info.eu/recitals/no-49/
So a few weeks for logs? Fine. Do it. You may never need them beyond that. But if you do need to know what happened a couple of months ago?
"Full IP addresses should only be stored for as long as needed to provide a service;
Logs should only include the first two octets of IPv4 addresses, or first three octets of IPv6 addresses;
Inbound IP address logs shouldn't last longer than three days;
Unnecessary identifiers should not be logged – these include source port number, timestamps, transport protocol numbers, and destination port numbers;"
I don't agree. The way the internet works means that ip addresses are a necessary use. Yes, IP addresses can be Personally Identifiable Information when combined with other data, or you are using a fixed IP at an individual address, but if you access my services I can't help but know your IP address. My logging is fine to record your entire IP address. It is what I then do with that information that is important.
Also, I am bound to provide suitable protection against any intrusion, or notify ICO if I suspect an intrusion. This also means potentially sifting through logs to try and locate that source. Three days? That is just silly. 6 Months, sensible. 12? Maybe they have a point, unless regulatory requirements state otherwise.
This would come under legitimate interest. If you come to use my online services, then I have to store the above information to allow me to satisfy the requirements that come from operating online services in the EU. If I then decide to do something funky with that data, then that is another thing entirely.
I am wondering if INTAREA felt that they hadn't yet made any statement regarding GDPR and rolled out the first thing that sounded press friendly. They certainly are not showing a deep understanding of the issues involved.
"Logs should be protected against unauthorised access."
And remember, Kids, don't take sweets from Strangers...
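The quoted INTAREA recommendations (keep only two octets of IPv4 and three of IPv6) and the post's counter-point (keep full addresses long enough to investigate an intrusion) can both be expressed as one log-minimisation step. This is an added Python example, not code from the post or the IETF draft; the access-log lines, the 42-day investigation window and the per-version prefix lengths are constructed assumptions, with the defaults following the quoted wording literally.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed Apache-style access log lines; hypothetical, not from any real server.
SAMPLE_LOGS = [
    '203.0.113.57 - - [12/Apr/2018:10:15:02 +0000] "GET /login HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [01/May/2018:08:00:00 +0000] "POST /api HTTP/1.1" 403 87',
]
# Fixed "current time" so the demo is reproducible (assumed value).
DEMO_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(ip_text, v4_bits=16, v6_bits=24):
    """Zero every bit after the kept prefix. Defaults read the quoted guidance
    literally: two octets (16 bits) of IPv4, three octets (24 bits) of IPv6."""
    ip = ipaddress.ip_address(ip_text)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)


def minimise_line(line, now, keep_full_days=42):
    """Keep the full client address while the entry is inside the investigation
    window (keep_full_days is an assumed policy value); truncate it once older."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    logged_at = datetime.strptime(m.group("ts"), TS_FORMAT)
    if now - logged_at <= timedelta(days=keep_full_days):
        return line
    return (f'{truncate_ip(m.group("ip"))} {m.group("ident")} {m.group("user")} '
            f'[{m.group("ts")}] {m.group("rest")}')


def minimise(lines, now=DEMO_NOW, keep_full_days=42):
    """Apply the retention-then-truncate policy to a batch of log lines."""
    return [minimise_line(line, now, keep_full_days) for line in lines]


if __name__ == "__main__":
    for out in minimise(SAMPLE_LOGS):
        print(out)
```

The 50-day-old IPv4 entry comes out with only 203.0.0.0, while the 31-day-old IPv6 entry is still inside the window and stays intact for incident review.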
Upvote because, in a few thousand years and the universe's first antimatter linked Hypermegascalon Dimensional Thread TZR + goes online*, I hope the first reported enquiry at whatever passes for a press event then, consists of:
"So...does it run Crysis?"
*I say online. What I really mean is it pops up in your consciousness.
"Leaking Apple’s work undermines everyone at Apple and the years they’ve invested in creating Apple products… The impact of a leak goes beyond the people who work on a particular project - it’s felt throughout the company."
The impact of the leak? Really?
I suppose the impact on your unsold stock of current iShiny may be hit. But really, Apple, you truly are just another self righteous, narcissistic, lifestyle wannabee, tax dodging, grubby little American corporate.
Who else would make so much out of a thin laptop, then promptly allow root access without a password?