* Posts by NonSSL-Login

385 publicly visible posts • joined 13 Nov 2015

Whistleblowers have come to us alleging spy agency wrongdoing, says UK auditor IPCO

NonSSL-Login

Spineless oversight

Probably not as serious as driving on the wrong side of the road and causing an accident that kills someone and then scurrying them back home from abroad.

'Long-standing vulns' in 5G protocols open the door for attacks on smartphone users

NonSSL-Login

Of course it is

Ignoring things like the SS7 protocol and other backwards compatibility issues, and badly configured firewalls that try and patch some of them, it's obvious the NSA and GCHQ will continue to have a hand in making sure future protocols and hardware are insecure as they have come to rely on abusing the system for so long.

Look at us all shouty on this hand about Chinese 5G equipment while on the other hand quietly subverting security in protocols, software and standards to maintain the status quo.

Backwards compatibility needs to be scrapped and a more secure gateway is needed to keep old equipment/3rd world countries still connected rather than the everything connected + trust system currently in play.

US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack

NonSSL-Login

Novel Techniques

FireEye said they were hacked with “novel techniques”. A supply chain hack isn't that novel of an idea these days but the update and communicating over the trusted app's protocol is. It's been bugging me since they announced it what it could be and this sounds like it fits.

All this attack on Huawei saying the Chinese will use their hardware to infiltrate everyone and now we have news that it's the Russians using American owned software that could potentially pwn America's top ten comms companies. Oh and all five branches of the US military, the NSA, the Pentagon, The Office of the President of the US etc.

Some kind of irony there.

Crooks posing as COVID-19 'cold chain' company phished EU for vaccine intel, says IBM

NonSSL-Login

Shake the tree and see what falls out

Not every fishing trip starts with an exact end goal in mind.

Sometimes the data and results you see along the way dictates the path you take and gives you further direction.

Not every fishing trip has to end with a success but you hope to learn something along the way which will be useful on the next trip.

No, the creator of cURL didn't morph into Elon Musk and give away Bitcoins. But his hijacked Twitter page tried to

NonSSL-Login
Holmes

Re: About the Stockholm geolocation

It's even better to have a zombie machine of a home computer/scan for proxies on home ISP networks to bounce through so you get an ISP AS for when certain services block VPN/Data centre IPs. A home ISP looks much more legit and the IP address gets a better risk rating and less likely to throw up extra checks.

No surprise they tried a local IP address. It's common sense.

One year after server hackers left NordVPN red-faced, firm's first colocated setup is online

NonSSL-Login
Facepalm

Caring about data

People worried about dodgy apps stealing all that personal data don't seem to be worried about all the legit apps doing it all day every day....

Here's US Homeland Security collaring a suspected arsonist after asking Google for the IP addresses of folks who made a specific search

NonSSL-Login
Facepalm

Stupid Gets Caught

Looking up a location on Google Maps to get a better idea of the area is something I often do after reading some news stories. Always figured someone somewhere would be able to use the search results to make me a suspect.

After watching CSI programs I'm sure I have Googled "How to dispose of a body completely" or similar just out of interest. Pretty sure my search terms would set off alarm bells despite being too lazy to commit any crime.

So thank god for VPNs, random User agent switching addons, noscript, pi-holes and all the little things you can run to not appear on a watchlist and waste the time of authorities.

From knowing years ago that they were flagging people who took certain books out of a library and to now knowing about mass surveillance post Snowden, everyone, including criminals should know what they are doing is logged and traceable.

At least everyone should know by now you don't take your mobile phone out with you to commit a crime. That situation should only happen if it's spur of the moment or you are stupid.

P.S. After hearing how IPv6 wouldn't affect privacy but knowing all along it would, here is a clear case of IPv6 pointing to someone to validate the other data (being logged in to Google while doing searches doesn't help either ;P). On IPv4 it would have been a shared by thousands carrier grade NAT IP address that would have ended at that router.

Huawei's UK code reviewers say Chinese mega-corp is still totally crap at basic software security. Bad crypto, buffer overflows, logic errors...

NonSSL-Login

Re: Not sure about this...

We are probably still doing the checking as there is hope that Trump loses the election and we can then go back to installing the better Huawei kit we want to install. Even though a Nokia deal has been talked about I'm sure we are just biding our time in the hope of the sanctions being dropped if Biden wins.

Biden is anti-Chinese too and akin to the devil in disguise so it might be a false hope.

Bottom line is we want the cheaper + better Huawei kit.

Bad news for 'cool dads' trying to bond with their teens: China-owned TikTok and WeChat face US download ban by Sunday

NonSSL-Login

It's not quite a Facebook where everyone posts everything they do daily and informs the NSA exactly who they know and how along with pictures for their facial recognition database plus telephone numbers.

It's more akin to Twitter where you follow people and make comments on their videos. So it's mostly that nasty metadata you are sharing compared to Facebook where you give everything including all your likes, dislikes and views on everything so that NSA algorithms can decide if you might say something nasty one day about America so they have an excuse to search all your luggage and computers next time you go through one of their airports.

NonSSL-Login

TikTok is bad mmmkay and should be banned

But not if the US own it. The app is fine then.

Quantum fuzzy logic or brazen attack on another country because they have an app as popular as their own and want everyone using just US owned apps and hosting for NSA spying reasons? Me cynical and asking rhetorical questions?!

By now everyone should be able to see how these attacks on TikTok/Huawei/Anything Chinese that gets popular, are protectionist control actions by the US, not based on any reality of threat. Unfortunately this is going to push China to start working more closely with Russia and its other allies more and at the same time reduce its need for anything American. Ultimately the US is shooting itself in the foot politically and economically over the long term to what is a short term gain, if it is indeed even that.

Still sore Trump fcked up my purchase of the P40 pro. Hopefully someone else will use the Leica cameras in their models. Not that some countries will be able to use the cameras to make videos on any non-US apps....

Video encoders using Huawei chips have backdoors and bad bugs – and Chinese giant says it's not to blame

NonSSL-Login

Re: Number of commentards who cannot RTFA

The article and headline were written to deceive from the start.

I wish there was a way we could block certain authors on el reg who are poisoning the site with this stupidity.

NonSSL-Login
Thumb Down

Re: "The hardcoded password is a deliberate backdoor."

It only doesn't look good because the article is written as a hatchet job by an author in America.

The title makes it look like there are backdoors in Huawei chips. There aren't.

We all know chipsets get used in multiple hardware projects from different companies and they often use the same badly written software one company wrote which often has vulnerabilities. Think IP cameras/DVRs for example.

Totally different to all the American Cisco backdoors and vulnerabilities that we find month after month. Hard coded credentials/keys and other backdoors before we even get to the vulnerabilities.

This has sod all to do with Huawei really but it's written to make them look bad. The Register's lack of impartiality when it comes to stuff like Huawei is why it is becoming less trusted among peers.

What happens when holes perfect for spyware are found in the engine room of millions of Qualcomm-based phones? Let's find out

NonSSL-Login

If only...

Would love to get a Huawei P40 pro which doesn't use the American Qualcomm chip but Trump has buggered up how useful it would be due to his attacks on Huawei over security depriving their phones of the play store.

Maybe it's a ploy to make us all buy Qualcomm backdoored...erm....vulnerable chipset phones that the NSA and co can have full control of, because this whole political thing is nothing about security.

UK Defence Committee chair muses treating TikTok like Huawei: So eyeball its code then ban it from the country?

NonSSL-Login
Facepalm

Even amateurs are finding hard coded credentials...I mean the more plausible deniability version of debug keys that engineers forgot to remove....in Cisco kit.

No need for the experts to look when there's on average 5 backdoors/pre-auth exec/RCE found every month anyway :P

Remember kids, it's OK for Google software to send everything to the mothership about you for Uncle Sam and the NSA but China is bad mmkay, their software might do something....

Raytheon techie who took home radar secrets gets 18 months in the clink in surprise time fraud probe twist

NonSSL-Login
Facepalm

Secrets elsewhere

Some places have so much security to protect their information and products but that often goes out the window when they pass that information to another company to work with.

Having worked for a translation company that for example translated Tank manuals for users and mechanics, printouts would be left all over the place including left in the printer trays for hours.

Even applying standards and being promised certain procedures, you don't know what's happening behind closed doors of outsourced work in other companies.

FYI: Someone's scanning gateways, looking for those security holes Citrix told you not to worry too much about

NonSSL-Login

Scout Motto - Be Prepared

Even if there is no current exploit for a new vulnerability just published, pre-scanning the net with Masscan for possible targets gives you a fresh clean list to run an exploit against if one appears shortly after. Allowing you to mass pwn much faster when the time arises using your lean list of pre-fingerprinted targets and a potentially more complete list than Shodan.

US govt: Julian Assange tried to recruit hacker to steal hush-hush dirt and we should know – the hacker was an informant

NonSSL-Login

Re: I keep seeing this word "hacker" ...

While some of Lulzsec may have been immature and not more than skids, there was some real talent there too.

Even a skid needs to work out the best workflow and exfiltration methods when dealing with intelligence organisations.

Apple-Google COVID-19 virus contact-tracing API to bar location-tracking access

NonSSL-Login

Re: one app per country?

It makes more sense to throw the tracking app idea out the window altogether.

Judging distances via Bluetooth is a shambles to begin with due to how all different phones with different chipsets output the BT signal and how they receive it. Working on that flawed data and advising people (advising them what exactly?) based on that is pointless.

Even if you accept someone will change their behaviour based on the app, we have to assume everyone has a mobile phone and installs the app. There would be so many holes and missing information in the big picture, I just don't see it being useful in any way at all. Except for governments to have one database to easily track who interacts with who, without waiting for the NSA and GCHQ to do the search through their collated phone mast info instead. /Cynic

NonSSL-Login

Re: Makes a change

One assumes Google will still slurp and keep the location data for themselves. Just not sharing it with others....except the obligatory NSA, FBI, CIA etc.

It has always bugged me how Google has got away with bundling Bluetooth permissions with location so they can get location on apps that don't need it. There is no need for the app for Bluetooth scales to need the location permission but impossible to use it if you deny.

Of course, having Bluetooth in hair brushes, toothbrushes, toasters etc is another debate on its own...

Hey, China. Maybe you should have held your hackers off for a bit while COVID-19 ravaged the planet. Just a suggestion

NonSSL-Login

Re: Cisco Kit

The software that runs on top, where all the exploits have been found, has been coded by Cisco themselves, I assume in their American HQ.

NonSSL-Login

We know that outsourced Russian hackers are not allowed to use any Russian words or fonts in their code, so have to be careful to scrub usual fingerprints like home directories with Russian names that compilers like to stick in and such like.

We also know that the CIA have used Russian companies' certificates in their malware and plant foreign language fingerprints like the above compiler home directories.

Not to mention all the stolen and re-used code from other countries' cyber-offence teams. So yeah attribution is hard, so we have to go with best guess. It should be sold as definitive unless we are 100% and that's hard, even if we go by previous knowledge as again, that could be wrong for the same reason as above.

NonSSL-Login
Meh

Cisco Kit

Given how many remote exploits there were for Cisco Kit in the last 30 days and how widely deployed they were, I would expect every country with sophisticated cyber capabilities to be making the most of the vulnerabilities before they got patched.

The US gov were so noisy about Chinese Huawei kit being vulnerable yet here we are with US Cisco kit having vulnerability after vulnerability and with proof they are being exploited.

Hacking is one of those jobs that can be done at home during isolation lockdown

Yeah, that Zoom app you're trusting with work chatter? It lives with 'vampires feeding on the blood of human data'

NonSSL-Login
Coat

Prime minister and cabinet

Noticed on the news that Boris is using Zoom to talk with other cabinet members.

Does the UK government have anyone who advises on software and security matters? I mean they were all using WhatsApp well after it was known that backups were sent to the cloud without encryption so...I'm guessing not.

It's not as if it's a government who could be discussing sensitive info...oh wait, I'll get my coat.

Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday

NonSSL-Login
FAIL

Saturday b0rk3d

Tried to purchase something online today and got a message on my phone telling me to verify the transaction in my banking app.

Tried opening the banking app and for the first time ever got an error about not being able to connect to my bank's servers. Tried on cell data and home wifi but no use and the bank's helpdesk was useless.

Ended up buying the item from eBay instead where it just worked without any extra prompts, phone messages or actions needed after pressing the checkout button.

I have a feeling some businesses are going to lose sales if this has been implemented badly.

Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...

NonSSL-Login

Re: ????

I think the point was some used Chrome only because Google promised not to track them with browser code and the lie was believed.

People generally trust companies not to lie straight to their face, even in this case.

NonSSL-Login
Coat

Re: Survey answers

That pretty much guarantees you a spot on most BBC shows these days, even if you are utterly useless for the role!

Those that like Chrome as a browser should change to one of the alternatives using the same base code without the tracking stuff. Chromium, Brave, maybe Pale Moon or something similar.

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

NonSSL-Login
Coat

SDDS

Another example of what I assume is a government organisation gifted backdoor which shows that backdoors cannot be kept secret forever and once exposed, everyone can be screwed by every Tom, Dick and Harry.

All the US has to do now is to make a noise about foreign hardware having backdoors so everyone scrambles to buy US backdoored kit. Oh wait...I'll get my coat.

Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?

NonSSL-Login

Yet another backdoor in Chinese products to snoop on traffic..oh wait, Broadcom & Cisco are American, must be a bug! /Sarcasm

How useful this could be depends on how well the client OS/software reconnects and re-transmits and how many errors get shown on the desktop I would guess. Repeated warnings vs silent recovery would make a huge difference in whether someone investigates the reconnects or not.

You can make a wifi de-auther using an ESP8266 board which is about the size of a flat finger but I'm not sure if it is possible to modify that project to read the known encryption key traffic after. Something to look into!

Departing MI5 chief: Break chat app crypto for us, kthxbai

NonSSL-Login

How does he keep a straight face

That 'lawful intercept' backdoor that hardware manufacturers have to put in as part of the 5G standard which is causing the current noise about a certain Chinese company should tell them all they need to know about forcing weaknesses and backdoors in systems.

Total bollocks that it's not about mass surveillance and data mining for juicy shit. Real criminals they can and do get warrants and such to investigate properly. This is just for mass surveillance and everyone knows it.

Assange lawyer: Trump offered WikiLeaker a pardon in exchange for denying Russia hacked Democrats' email

NonSSL-Login

Amazingly he wasn't the Belmarsh prisoner beaten to death by two other prisoners today, which surprised even me when I first heard about it!

NonSSL-Login
FAIL

Extradition treaty

No one should even have an extradition case, let alone be extradited to the US until Anne Sacoolas is extradited from the US for Harry Dunn's death.

Plenty of reasons not to send Assange to the barbaric third-world-like American jail system anyway.

Time to undo Blair's extradition gift to America too as it was not in the interest of the UK, much like his illegal war.

Oi, Cisco! Who left the 'high privilege' login for Smart Software Manager just sitting out in the open?

NonSSL-Login
Devil

Backdoor! Oh wait, it's not Huawei kit

"a bug caused by the presence of a high-privilege account with a static password present in the Cisco Smart Software Manager tool."

If this was a San Fran'cisco' author reporting on Huawei there would be shouts of Backdoor and evil Chinese company but it's American Cisco so it's a bug.

#JustSayin (and will keep saying until the stupidness stops but alas that might take as long as el-reg switching to secure https login pages about 3 years after my handle here started prodding)

GRU won't believe it: UK and US call out Russia for cyber-attacks on Georgia last year

NonSSL-Login
Holmes

Attribution can be hard but...

...common sense told the world that the Russians were behind those attacks at those times for obvious reasons.

Just another day in the political hypocritical propaganda sphere of spies vs spies

Tutanota cries 'censorship!' after secure email biz blocked – for real this time – in Russia

NonSSL-Login

Censoring a service so that users have to use a different service which can be spied on is often the goal.

It can be done in your face where everyone can see it or quietly under another guise. DDoSing certain VPN nodes so VPN service's software thinks Server X under gov control is the fastest node so their targets connect to it for example. Not much different from this email provider block.

Western countries shout about the control other regimes are inflicting while hypocritically doing the same via more discreet methods.

Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this

NonSSL-Login

Part of this is to stop MITM attacks.

It's easy (using available frameworks) to MITM someone on a network and modify their HTTP downloads on the fly. So as they download an EXE, your MITM machine adds malware to the file and the unsuspecting user gets the modified version.

Same can be done with archives and ISO downloads.

This makes it harder for someone on your network, ISP, NSA types (or criminals who have gained access somewhere/redirected traffic via BGP attacks) to intercept along the route and add their own code.

Trivial backdoor found in firmware for Chinese-built net-connected video recorders

NonSSL-Login

Exactly.

When various 'debugging backdoors' have been found in Cisco equipment the el reg articles say it was probably a genuine dev mistake and no mention of a backdoor.

When a company connected to Huawei have something similar, even if it's not internet connectable like Cisco's built in keys and backdoors, it's suddenly the end of the world and Huawei are evil and it was likely intentional.

I love el reg but slowly losing my respect for their articles with this bullshit. There needs to be a way for us to be able to disable American based propaganda authors' articles showing on the page....

Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home

NonSSL-Login
Holmes

Re: Hacker?

He was using credentials issued to him while he was a member of staff but the main point is that he didn't hack anything. He used credentials issued to him. Nothing was hacked.

NonSSL-Login
Megaphone

Hacker?

At what point does a member of staff with valid network credentials become known as a hacker?

Somewhere between the facts and writing the story obviously....

ICANN finally reveals who’s behind purchase of .org: It’s ███████ and ██████ – you don't need to know any more

NonSSL-Login

Re: names redacted...

With the Donuts registry being involved in the buying....they were the first (and I think only) registry that decided to throw law out the window and suspend domains based on the MPAA's say so.

https://torrentfreak.com/inside-the-mpaas-piracy-deal-with-the-donuts-domain-registry-160210/

With that tight media cartel connection I wouldn't trust anything this company does, like trying to buy rights to .org

This whole deal needs a full independent audit and public report before the sale on important internet infrastructure goes through as a bare minimum.

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption

NonSSL-Login

Re: What if..

Had a problem like that using Multiboot to have multiple roms on a phone and when one got a kernel update, caused problems galore with booting the others.

If I understand what they are doing here, they are not changing, deleting or replacing the bootloader but putting it in memory and patching the phone to boot from that bit of memory instead of the current bootloader. If this is the case then it should have no effect on the phone after a reboot.

Otherwise like you say, many things that can go wrong!

What's that? Encryption's OK now? UK politicos Brexit from Whatsapp to Signal

NonSSL-Login
Thumb Down

Re: Snowden endorsement

Despite the fact we know he worked with the NSA's hacking department, TAO, and various contractors in a technical and engineer role so obviously knows his stuff....his endorsement is probably not related to his skills/lack of skills on cryptography.

What he brings to the table is knowledge of the x-keyscore database and data retrieval system. Knowing what data they can and cannot slurp up as well as knowing what protocols/algorithms/encryptions cause the NSA problems (at least up until the end of his time there) so can make informed recommendations based on that alone.

Hate can blind you to the obvious.

NonSSL-Login
Big Brother

Not encrypted WhatsApp backups

How has the IT security guy allowed them to continue to use WhatsApp all this time knowing that while it has E2E encryption, it makes backups of your chats unencrypted on Google servers?

It only needs one person in a group to enable backups from the constant nags and E2E encryption doesn't matter as it's sitting on Google's servers for various alphabet agencies to access, even those not supposed to access it.

Consider nothing said on WhatsApp as safe since they added this front door into your messages. I only wonder what politicians could have said that other countries could have used as intelligence to their advantage.

UK's Virgin Media celebrates the end of 2019 with a good, old fashioned TITSUP*

NonSSL-Login
Coat

Re: Not in South London.. further north

Since Friday 27th March 2009 to be more precise.

Want to live long and prosper? Avoid pirated, malware-laden Star Wars free vid streams – and pay to watch instead

NonSSL-Login

Re: Here's a safe Starwars download

No encryption on Telnet so the packets can be easily MITM'ed. At least HTTPS is TLS and can be secure from that so theoretically cleaner and safer /Pedantic

NonSSL-Login

Re: Another Option

You mean the fake 4k because it is upscaled from 2k or something similar?

Or the fact they put it in a HDR container to get your TV in HDR mode but none of the Star Wars movies seem to have been authored for HDR properly and the nit difference between stuff is not much different from SDR?

Star Wars movies thrown on Disney+ as 4K HDR and it's anything but. Same as their TV series The Mandalorian.

NonSSL-Login
Holmes

Tell me something new...

Seems every so often around the launch of a new movie or TV series, an AV company or publication runs a story about how Kodi boxes catch fire (real story is some Chinese boxes don't have a CE certified power adapter) or trying to watch x, y or z on a pirate site will lead to your bank account being emptied.

Almost as if the MPA (piss artists formerly known as MPAA) chucked them loads of money to come up with some anti-piracy words. Carnegie Mellon seems to enjoy the yearly grants from them and continue to have weirdly biased reports for an 'independent' report.

No real story from Kaspersky who I usually respect for their malware breakdowns and general work, except the usual <something popular> gets more attention from malware authors or controllers. Whatever is popular gets more attention and has always been the case.

Emirati 'surveillance app' ToTok promoted by Huawei as Apple punts it from store

NonSSL-Login
Facepalm

Trying to be like the Daily Mail?

So much mention of Huawei in this negative article and even the story URL when Huawei is not the bad guy here. Seriously makes me want to start blocking stupid story authors.

UAE trying it on like other countries. Don't see any articles besmirching Apple or Google for recommending WhatsApp when they introduced the unencrypted backup on Google servers front/backdoor which I have no doubt was done to give NSA access to those messages.

I'm surprised there wasn't a dig at Kaspersky's AV for not picking it up as malicious or something too.

Pathetic. /Rant

FYI: FBI raiding NSA's global wiretap database to probe US peeps is probably illegal, unconstitutional, court says

NonSSL-Login
Big Brother

Parallel construction

Parallel construction will ensure that not much will change in reality.

https://en.wikipedia.org/wiki/Parallel_construction

As usual, no protection for non-US citizens from mass surveillance.

Five years in the clink for super-crook who scammed Google, Facebook out of $120m with fake tech invoices

NonSSL-Login

Re: Good accounting

Often greed that gets people. If he had stopped at + 60 million after a year and run away into the night, he would have come out smelling of roses.

But 5 years for whatever he still has squirrelled away is probably well worth it.

British bloke accused of extorting victims for 'Dark Overlord' hacker crew finally gets his free trip* to America

NonSSL-Login

Re: Where is Anne Sacoolas?

There goes that bargaining ticket...

Business as usual on the one way extradition street from UK to US. Bout time someone had the balls to resolve that.
