Posts by Sixtysix

Godwin's Law

It's not often that Godwin's Law shows up so obviously and repeatedly amongst comentards... but dear goodness! Today must be "special".

Can we stop? Please?

Came for enlightenment...

..left wanting.

The "article" seem to mix up Enterpirse, SME, and SoHo terms, concerns, concepts and costs/wages at random, and the only point universal value was talking about the Cyber Essentials/Plus programme which is a reasonable starting point... but only to a point (I have issues with CE+ in an enterprise making rulings about how/what/when we should patch...).

Knowing Cyber is an issue: great start.

Making someone interal responsible: bare minimum.

Getting a competent assessment: Contract it out unless you have lots of in-house cyber sec skills

Fixing the holes you found: pick the best way you can afford

Ongoing: Make *sure* it's being maintained - internal/external/mix doesn't matter, but do re-assess regularly.

Why I'm cautious...

Looking at O365 just now... and Office 16 and 19.

Whatever we go, I plan to keep Exchange in-house for foreseeable future.

My integration partner gets it... my MS Account Manager - not so much.

Reversing decisions...

Sounds like a job for an ex-FCC chairman...

Timing should work well.

30 Days....

... would usually be plenty.

In this case, 30 weeks would not be enough, and I suspect that most of these "thinglets" will never ever be patched/upgraded, and will become a zombie army for someone/thing.

Dearly hope that "we" can identify and block traffic from them in the future, or this is how the Internet will die :(

Which want to see

Because Which? really wants to see who buys it's recommended hardware.

And what better way to see, than to, really, literally, *see* them.

...mine's got the Tails/ToR installer in the hidden pocket...

The 2% - and not interested

Obviously Elites... except, D'Oh

How any org (that deals with secure information) can think not training staff in Information Security is a good idea these days beggars belief.

The REAL eyeopener was the ICO having a complete lack of interest in the "marked" files: WTF? Guess they assume that HMG / Police / GCQH will pick up the slack... ?

I do wonder if a head rolled.

Insiders - should be better than this

"As an Insider, it pains me. Beyond belief. — Abby Jane Hicks (@AbbyJaneHicks64"

Whilst I have tremendous respect for all those willing to put their main systems in the line of fire by working exclusively on the Insiders ring, I think Abby is not representing the majority of Insider Contributors well:

We were told to expect that StrangeEffects will be a regular occurrence.

We are clearly warned that BadThings might happen.

We are absolutely encouraged to keep backups.

At the same time I have a LOT of sympathy for Steven who has obviously backed out of Insider (as have I). Not sure about ninja and cats, but the lack of follow through is one of the reasons why my main machine and backup have been switched, and my input to the programme has been zero for some considerable time.

I have trust issues...

</quote>

Arbor <...> spokesperson said. "At this time, we do not believe that this has impacted any customers or partners,

</quote>

No shit Sherlock? I think that's entirely the point - you won't know... and neither will the affected parties.

*THIS* is why I have trust issues: the AV companies have chosen not to flag it. For corporate compliance, the AV tools should flag EVERYTHING suspicious, and allow the Corporate administrator get to tick a box that says "We note and accept that install in our environment because..." NOT just ignore things that could be FAR from benign.

LOVE the response from Funkypigeon!

LOL

Also: Nice to see competitors playing nicely together!

Some interesting spin already

Expiring NDAs all around...

Comparing against their O365 offering which apparently offer the "most productive and most secure Office experience -with the lowest total cost of ownership for deployment and management," I'm torn.

O19 demands no further Infrastructure or Information Management changes to implement - O365 want oodles more bandwidth, and give a whole pile of new headaches to information management... but looks like it's (finally) going to be price competitive.

Thankfully the first complication is a simple one of "pays money and takes choice" - and the latter is SEP (someone else's problem), so I've asked the users which they want...

The answers are not fitting on a postcard...

Take them round the back...

...and euthenise them.

With extreme prejudice.

EXTREME I said...

Politicians are not sufficiently educated to know they are being stupid

Crypto needs math literacy to understand. SERIOUS math. Not high/grade school, but University Major type math.

Without that background, (assumption - probably safe) politicians have to rely on "experts" to advise them, and they get to not only pick the experts who may not have the required math (assumption - reasonably safe), but the politicians will keep asking until they find an expert who supports what they want to hear (assumption - proven).

So there's no way to tell them it's impossible that they will listen to - they think those that are telling them "Not possible" are either i) hiding something, ii) have vested interests, iii) are being paid by the opposition, iv) are terrorists and shouldn't be listened to anyway as that's who they want to spy on...

Please, please, please, PLEASE

I know I shouldn't, but I can't help myself...

I actually, sadly, REALLY hope that this ends up as an object lesson in WHY IT WAS A BAD IDEA due to all the possible hacks being used wherever and however possible. With luck that will give results that have been OBVIOUSLY tampered with (preferably by millions of "extra" votes for an unlikely candidate) and rather than the rest of the world pointing and sniggering quietly, REAL ACTION results.

Also: not gonna hold my breath - they'll probably believe and defend the result whatever happens.

He's right...

...but it galls me to admit it.

94% went to prison...

...so all the stats are rubbish then!

If you can assert that 94% went to prison, then that's of KNOWN bad actors.

Since it is impossible to quantify what you do not know, ALL these stats are snakeoil.

As seems to be usual course in the land of the free - we don't want you to realise what's really going on so we'll Blind You With Stats that will get quoted out of context and make things seem safe...

Pretty Much Every USA Election Campaign?

"Consultation"

Sadly we all know that whatever we say, realistically, nothing will change.

This change? Hate it with a passion - as been said, too many stock pictures, too much whitespace, and why put the classification and reporter on the "listing" - especially making so much of it.

WE ARE TECHIES - WE WANT INFORMATION, EFFICIENTLY.

I think it was wasted cash and cannot WAIT for text only/text rich version to come along.

Not going to make a lot of difference?

Until everything is in the Cloud...

...and I suspect by then the MicroSoft CAL/licencing regime will have caught up to ensure they'll get a large slice of the savings that using a Chromebook would accrue.

Yipee!

Probably be ready just in time for my retirement then...

Be able to ditch the desktop, and take a laptop on holiday... and then stay away without withdrawal symptoms while still enjoying the many (so, so many) games in my Steam and Origin Libraries without the heft of a tower case, 30"UHD, secondard screen, mechanical keyboard, gaming mouse, HOTAS set, custom switchbox, Streampad, surround sound.. Oh. Wait.

Yeah,maybe not complete lack of withdrawal as I huddle over a small screen clicklet kb and compact mouse. But I'll be somewhere sunny. That counts for a lot - and keeps the Mrs on-side too. Vital!

I can hope anyway.

2000 days and counting...

Email is absolutely broken...

Having just been stunned by a trivial cross domain spoofing gotcha pointed out during a penetration test, we secured *our* domain vulnerability with SPF, but once we understood the mechanism could scarcely believe how trivial email spoofing is if you control DNS/RDNS.

Currently email servers take the message being received as "the truth". I suspect it would be better if rather than the message being delivered, a notification was delivered, and servers then had to decide if they were going to retrieved the message from the email server of record for the domain... but that's a whole new ball game. I suspect the folks that conceived email and the standards around it would be/are shaking their heads at the way things have gone.

No point holding my breath for a "fix" tho

Fail proportion?

EPIC...

There is no way to win - either way we lose.

- If it (sort of, in any way) works, then we'll all lose ALL privacy on-line because you can guarantee that other categories of "sites/information" will be added and there'll be no way to be legally counter-culture (anonymously)

- If it fails, then they'll think up something worse, because they're "thinking of the children".

Here's news

- the children who "stumble" on on-line depravity will still stumble on the badly behaved site: no improvement

- the teenagers WILL find those sites that don't follow the rules, and THAT is where the predators will find them

- Mr Moderate Joe Public will discover TOR, VPN, and annonymizers, and suddenly GCHQ will have the devils own job sorting the real subversives from the heaps of end to end encoded smut...

ARGH!

Store all your passwords in your wallet...

I use https://www.passwordcard.org/en for (some) of my passwords.

I have an algorithm based on domain name (one letter and number of characters gives me a start point) that lets me work out/replicate where the password starts, which direction it goes (one of the 8 cardinal directions based on TLD) and how long it should be.

Do not need to use on my devices as I have my KeePass db, and don't use for all websites, but does let me access "throwaway" sites with a strong password, and access to my secondary email account which will allow (indirectly) access to primary email (and thence my KeePass backup) when I'm out and about/abroad/etc.

I have several copies... and don't care if other people see!

Lies, damn lies and FOI

We ran a server 2003 instance until very recently, and I constantly got criticised for the "gross security risk" that represented.

This is WRONG for *some* use cases.

On a well designed infrastructure, it is more than possible to design the network operations in such a way that an older, but still critical, application can run on unsupported Hardware/OS/Application framework and etc. safely - if it is only used internally, and cannot reach/see the internet.

It takes effort and planning to ensure that it cannot be reached except as required to provide the "service" it exists to provide, and is only accessible by the clients and methods essential to that service... but that's why internal DNS, subnetting, VLANS, Reverse Proxies and Firewalls exist: to mitigate, control and contain risk.

So MUCH of my staff's time is wasted responding to FOI requests that are just used to sell my details to marketing droids... that I don't want to hear from (and no I don't want your white paper, didn't give you permission to store my details, so GDPR them off your contacts system, please, thank you and goodbye).

Prioritise carefully

I won't allow patching without testing... except very occassionally on Internet connected devices/servers.

Everything else gets a test cycle.

That can be 1 day, more usually two weeks, sometimes longer.

We have a LOT of legacy systems and applications that really rely on a cobbled together patchwork - and that means some patches do get rejected.

About to find out what that means for Cyber Essential Plus - but whatever the outcome, business operation trumps potential risk.

I'm not for changing!