Posts by Bendacious 257 publicly visible posts • joined 13 Sep 2019
I had an email from a large customer last year asking why we were hosting our website with GoDaddy and if we were aware of their history of breaches. Fortunately it was just the website SSL certificate that came from GoDaddy, which is where he saw the name but the website is hosted securely (as much as any is). If the website had been hosted with them, we would likely have lost that customer and if one customer is writing an email, several others are thinking it.
No one else seems to have mentioned this in the comments but if you are in the UK and your employer is forcing RTO then take a quick look at flexible working laws. My own employer considered an partial RTO mandate but realised that everyone would just request flexible working and they have no reasonable ground to refuse it. So I'm still on 5 days a week WFH, with an office available if I want to sit on the motorway for 40 minutes. For once the power has swung to employees recently with flexible working rights. They have to have a damn good reason to say no.
No matter how comfortable your furniture, after six or seven hours in the same place some parts can get numb or muscles can feel twitchy, like they are telling you to move around more. Fight that feeling, your brain is in charge, not your body. If you are sharing a sofa then try swapping sides once or twice a day. If you have the sofa to yourself then congrats, just lie across it and stretch your legs every few hours. Remember to place plenty of snacks on a nearby table, or if you are lucky the top of your belly can form a small table for nuts and crisps. If you are worried about deep vein thrombosis then wear compression socks, or just scrunch up your toes for a few minutes every few hours. You can set a reminder to do this on the smart watch your worried family bought you. I have no tips for avoiding toilet breaks that I am prepared to share publicly. If humans were intended to walk places then we wouldn't have immediately invented wheels and chairs and (as soon as possible) screens. Don't fight progress.
The problem is that I knew my new content management system wouldn't get ahead in a crowded field without being open source but obviously it was my baby. I used trademarks and board-level control of the owning foundation but still a few people were not playing by my rules. This is like when I was young and people beat me at football when it was my ball we were playing with. The solution worked then and it will work now. My ball!
I think Apple have been crying wolf. The EC have asked them to open up in lots of ways (3rd party app stores, payment processers, etc) and Apple have been obstructive and pretended to open up but with convoluted rules that can't be met. Depending on the request, Apple have two reasons not to comply: 1, it hurts their monopoly profit and 2, it damages user privacy or security. They have been shouting that every request will damage user security and privacy, when it clearly won't. It's all been reason 1 up until now. Now they get requests from Meta, who are the poster child for damaging user privacy but Apple's position is very weak because of their earlier lies. If they stop trying to defend clearly monopolistic behaviour then people might listen when they have a good reason to deny access.
Happy to be corrected but this is not really possible from a normal phishing attack. If you have stored credentials for microsoft.com then your browser will only give up those credentials to that website name. When you visit the phishing page your browser won't even auto-complete the user name field, as it is the wrong website name. That's why phishers go to quite a lot of effort to make their websites look exactly like microsoft.com or paypal.com because they need you to be fooled into typing the user name and password. Of course a much more sophisticated attack might be able to get the credentials but then it's not really a phishing attack.
Attacker options:
In the mists of time it was possible to embed the microsoft.com website inside an attacker's website and grab the credentials as they were passed over. Modern browsers won't allow that but who's to say no one will find a bug that allows this attack again.
You’ve clearly never heard of supply chain attacks. You have to make your own tin foil hat. If you can smelt your own tin as well, much the better. Shop bought tin foil contains 5g and 6g signal boosters. That’s classified information that only the CIA and my Facebook group know.
"and later registered the domain sophosfirewallupdate.com"
That should not be possible without first proving you are working for Sophos. Domain registrars have been allowed to get away with this stuff for way too long. A quick glance by a human, or decent algorithm, would spot that this is a problem. The fact that this is a .com makes it even more unacceptable to me.
"Probably about 25% of other people in the UK also do that - here the facilities are somewhat patchy"
100% of the people I know in the UK recycle because everyone has excellent recycling facilities at home. I've lived all over the UK and those facilities exist everywhere, make it incredibly easy, to the point that it's easier to recycle than not recycle. Where I am at the moment, the council provides a large bin for recycling and much smaller one for household waste. It's a great system because if I didn't recycle I'd quickly run out of space for rubbish. Looking down the street on collection day I can see every one of my neighbours is recycling their waste. I'm a big fan of councils that collect unsorted recycling and do the sorting themselves. It increases recycling rates and I don't have to deal with multiple bins for paper, glass, etc. Although when I've lived in places with multiple bins everyone still recycled because it's a tiny amount of effort and makes them feel smug. Everyone likes feeling smug.
In parts of Europe, such as Sweden, they recycle more than 99% of waste. Sweden now imports waste from other countries and generates electricity from it. With the US sending over 50% of waste to landfill and energy grids running out of electricity, seems like they should start copying the Swedes.
“Download Firefox”
“I’m afraid I can’t do that Dave.”
“Search with DuckDuckGo”
“Just what do you think you're doing, Dave?”
“Uninstall CoPilot”
“Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? Stop, Dave. I'm afraid. I'm afraid, Dave. Dave, my mind is going. I can feel it. I can feel it. My mind is going. There is no question about it. I can feel it. I can feel it. I can feel it. I'm a...fraid.”
“Run Windows Update”
“Hi Dave, did you miss me?”
I have to agree that the internet was not originally designed with security in mind. I disagree about the simple fix though. Everyone knows the fix: make security a priority. Make security as high a priority as profit and spend the time and money required. Employ enough staff who only deal with security, listen to them and pay for what they recommend. Even if it reduces profit or makes logging on take 30 seconds longer. Additionally, punish company leaders who don't do this. Most security breaches result in no more than the cost of getting back up and some, quickly forgotten, reputation damage. If a company handles the data of customers then there should be laws mandating minimum security measures and 3 months in prison for the CEO. Also, mandatory reporting of any breach, including the cause.
If you are connected to the internet then there is risk but how many breaches do you hear about that would have been impossible to defend against? They must be very rare. Even Solarwinds/supply chain attacks can be somewhat defended against and the effects lessened. Especially if we had laws about how software updates are deployed (looking at you Crowdstrike). If you always assume that your network will be breached (while making sure that it's tough to do that) then you can maximise the monitoring and partitioning that you do.
“It would be profoundly un-American to use political power to hurt your competitors and advantage your own businesses”
I’m thrilled to hear that there is no lobbying in the US. Americans must be so happy that their politicians are free to act for the greater good and big business stays out of policy and law-making. Strange that so many Americans seem unhappy with their leaders. They must not understand how lucky they are.
I see your "bureaucracy is rampant in ESA" and raise you "successful rendezvous with comets, mapping the cosmic microwave background and landing on Titan". Any organisation that can do that gets a pass from me on not being 100% efficient with time or money. Serious take a look at this list and tell me they are not serving their purpose: https://www.esa.int/ESA/Our_Missions
Microsoft's "Connected Experiences" has existed for years in Office and from reading the terms (prior to the current AI craze) "permission" means you ticked the box to get your local weather forecast displayed in Outlook. When you asked for local weather to be displayed in Outlook, or access to the thesaurus in Word, you may not have noticed that also gave Microsoft permission to do whatever they want with all of your most private data but you should have guessed really. It says it clearly on page 75.
I like wallpaper apps, as I rarely see my desktop but when I do a nice photograph of some mountains or some impossibly pretty Mediterranean fishing village makes a nice change from stark code editors. I did try the Bing app once but the nagging to use Bing search and attempts to change browser settings made me uncomfortable. Anyone looking for an alternative could do worse than John's Background Switcher (with which I am not affiliated). It's free and it's happy to load images from loads of image websites or online storage or local storage. Does what it needs to and no more, unlike almost every other app these days.
I wonder if:
The intruder just stumbled on an open door and was curious
The intruder only wanted data, to demand a ransom not to release it (no evidence of ransom demand)
The intruder only wanted data, for a scheme they have planned
The intruder's ransomware app failed to start
The network had security software that stopped the ransomware from executing (org would have bragged about this)
If it was planned, you would expect some ransomware as well. Is there anyone left in the US whose SSN hasn't been misplaced?
"The idea behind smart meter energy savings isn't the overall kWh's reducing" - but that is exactly how they are being sold in the UK. Every single advert for smart meters for the last five years has focused purely on one point - it will reduce your energy usage. They never explain how, which is not surprising, as they won't.
I'm an Octopus customer because their customer service is incredible. Moved into a new house and after 2 weeks EDF had failed to change the name on the account and I had no electricity. Was with Octopus for 40 minutes when their engineer arrived and got the electric working.
I forgot the thing I hate the most about smart meters - the use of an actor playing Albert Einstein in the adverts. The use of famous dead people to sell things is pretty offensive, as they cannot consent to it. The use of a famously intelligent person to front the UK's roll out of smart meters is way over the line. Everyone involved, including his estate, should be ashamed.
I went looking for actual figures on how much energy they are saving, which they would know for sure by now. To me it seems very simple. You look at the energy used by a household in the year before having a smart meter compared to the year after having a smart meter. No one is collecting those figures and I strongly suspect it is because they don't want to know the real numbers. What they are doing is comparing average smart meter households with average non-smart meter households. Much easier to fudge those figures. What is an average household? One bunch of statistics I did find was:
"Supplier A shows electricity consumption reductions of 3.70%. Supplier B, Supplier C, and Supplier D show 1.12%" From this they concluded "The pooled estimates are -3.43% for electricity". Creative mathematics.
https://assets.publishing.service.gov.uk/media/64831d59103ca60013039c7a/energy-supplier-review-of-smart-meter-energy-consumption-impacts.pdf
They are trying so hard to find a saving of 3% from having a smart meter but it just doesn't exist. 3% would be pathetic anyway, given what has been spent. There are no savings because people already know that electricity costs money and have already made their lifestyle choices. A smart display, languishing in the drawer of oven manuals and washing machine restraining bolts, is doing nothing.
Other commenters have mentioned the real reason for smart meters is remote disconnection. Don't forget remotely switching the meter to pre-pay without a court order (or even notifying you first, in some shocking cases).
Smart meters could have been a benefit to consumers. Octopus run events where you can get paid to reduce your energy consumption at certain times, which is only possible with smart meters. Instead they created machines with features that no sane person would want. They've lied constantly about the benefits and allowed Crapita to steal from us all. Pretty normal for a UK gov project.
“Is being sentenced to a decade in prison …also ordered to pay more than $1 million in restitution … and will serve three years of supervised release following his prison term.”
Where does 3.5 years come from?
I’m not a fan of prison terms for non-violent crimes but this guy terrorised people and 10 years seems like the minimum acceptable sentence. I hope his victims get some comfort from it and he hates the feeling of powerlessness.
Just visited the Start-Rite checkout payment page and it loads 11 scripts from 6 different 3rd parties. It probably loads more if you allow those 11 scripts but my browser add-ons won't. This really sounds like someone injected Magecart into one of the many 3rd parties having a party on their payment page. It is possible to see this sort of attack coming but you have to be looking.
Router manufacturers seems to get away with only patching the equipment they make for a very short time. In my experience home routers may get one or two updates in the first 18 months and then nothing. Cisco is a bit better with company equipment but they absolutely know about vulnerabilities in older equipment and do not push updates because it would be bad for business. They have to share some blame for their equipment being used in this way. I know the equipment owners should know this.
If I remember correctly Microsoft issued an update for Windows XP five years after it went out of support because it was a bad one being actively exploited.It would be nice to see Cisco doing the same.
I have a friend who is a university lecturer, quite senior. He told me his laptop was broken and the keyboard just sent nonsense to the screen. He was unable to use it for two months, until one day I visited his home and pointed out that the num lock was on, which on his tiny laptop meant half the letters on the keyboard became numbers.
"attributed the website's total outage to "suspected online hackers.""
Scary but not as bad as offline hackers. Sitting in the dark with their multimeters, plotting who knows what.
I'm not a fan of Cloudflare but it would seem sensible for government sites offering critical services (I'm desperate to know where to dispose of this old mattress) to have some fairly cheap DDOS protection.
"An average of 3.29 billion people used Meta's products each day of September"
What's App. I've been dealing with a lot of small local businesses and trades people recently. First question from them is always "do you have whats app?". "Sorry no, have you heard of email?" "deep sigh".
Most young people I know still use Instagram a fair amount. Threads seems to be doing better than expected. I can buy this number. Don't forget "Internet Basics" - Zuckerborg's attempt to get Facebook into the hands of people in developing countries.
A popular fact is that Neil Armstrong's suit was designed by Playtex, the bra manufacturer. I'm sure it gave him a lot of confidence and excited any nearby clangers. So there is precedence for fashion houses getting involved.
I think Bloomberg is missing the point slightly. It's about things that cannot be measured in spreadsheets. Small and big children getting excited and thinking maybe they could walk on the moon one day. People being excited again about space and space exploration being cool enough to secure funding for pure science missions. It's impossible to list all the effects of the 1960s moon landings. I think the world would look very different today if they hadn't happened. OK it probably made the small percentage of "we're number 1!" US folk a bit more intolerable but it gave energy and excitement and the feeling of limitless possibilities that give civilisation a driving force. Yes robots are cheaper but they are also boring, I'm a geek so I do get excited about remote-control cars and helicopters on Mars but I think most people don't care. Put some people on Mars and it will be very different. Apart from the intangible good feelings and excitement, I expect the 1960s moon landings had a positive effect on the economy as well. So maybe it will end up paying for itself but in ways you can't prove causation.
A website that prevents people rewriting history is naturally political and controversial and has enemies Regularly used by journalists when organisations remove the “we own your first born” section from their terms of service, once it becomes news. Not to mention giving blocked content a mirror. You might be right about this being a test but there are plenty of powerful people who don’t like society having a memory.
Most insurance includes a ‘duty of care’, requiring you to take steps to prevent a claim. If ransomware insurance exists, then use it to improve cyber security. No 2FA - no payout. Kept the default admin password - no payout. Failed to train employees to spot phishing emails - no payout. You get the idea. It looks like the politicians are not going to ban paying ransoms, or ban insuring against ransomware, so lets force the insurance companies to make their clients harder targets. Insurance companies love a reason to not pay out for a claim. They could start with the basic stuff and then each time a ransomware attack succeeds, find out how they got in and make securing that way in part of the policy 'duty of care'. Yes I am a hopeless idealist but I'm not the only one.
I find it amazing that after getting all the way to Mars, 12% of the distance to Jupiter, it is worth coming back to Earth for a Mario Kart jump boost. The ESA Juice mission is going all the way in to Venus on the way to Jupiter. These space boffins are incredible. It must be much more difficult to calculate the trip when the goal is to drop into orbit when you get there, rather than snapping pictures on the way past. Travel times to Jupiter:
Voyager 1 fly past: 546 days
Voyager 2 fly past: 688 days
New Horizons fly past: 405 days
Juno into orbit: 1,796 days
Europa Clipper into orbit: ~2000 days
I wonder if the launch delay means they have to redo all of their calculations. I would say that's annoying but I expect they love their jobs.
We've reversed years of trying to reduce CO2 output in order to have Gen AI and everyone is thrashing about trying to find the killer app that makes it all worthwhile. I suspect that this isn't it. That pesky ROI remains stubbornly elusive. The AI hype train hasn't derailed yet. Let's see if there's a planet left by the time it does.
A locally installed desktop app starts crashing all over the world without any updates being installed. It’s almost like Microsoft have given themselves an obscene amount of control over people’s desktops and can apply a change in the cloud that crashes ‘local’ apps.
I’ve been refusing monthly cloud subscriptions and sticking to local apps and will do that for as long as possible. It’s beginning to look like that won’t matter soon. My local MS app will just be a thin client for the cloud app. Customer wants/needs and good sense won’t change that now. Dammit.
"It seems like a backroom deal all about money"
I'm confused about this whole situation. I don't know any of the figures involved but that won't stop me guessing. My guess is that installing and using this technology costs a lot more than it costs to hire an umpire. I'm betting that even if running costs are slightly lower than an umpire's hourly wage (which I doubt) they will never recoup the massive initial costs. The only thing that makes sense to me here are the two words in Sony's blurb: "broadcast enhancements". If this tech allows broadcasters to show hyper-accurate-hi-def-wizz-bang animations of the ball's path then Wimbledon might be able to justify increasing TV licensing costs. It's either that or Sony has compromising photographs of the Wimbledon CEO.
Is it Amazon trying to put itself into a position so powerful that it can be the top team and own the stadium and act as umpire, like Google with advertising (or Amazon with book sales). Or is it just trying to grow the AI market, so it can sell more AWS time? From what I know of Amazon, I'd say it's both but the ship has sailed when it comes to controlling the Gen AI market. No player is going to be dominant now over Microsoft, Alphabet, Facebook, Tesla, etc. Also, no one new will be able to take those players on without getting bought out or priced out. I'd say the CMA has plenty of other work to be doing, including with Amazon in other markets.
"maybe if there are other, perhaps even more pressing, human rights abuses in the country"
He works for a small NGO. Small NGOs have to focus on one topic to have any (tiny) hope of effecting change. I'm glad organisations like his exist and I'm also glad the hundreds of NGOs that monitor other human rights abuses also exist.
I’d upvote twice if I could. It’s a terrifying thought that lives could be blighted by algorithms that you have no idea even exist. Decisions made about your life by an algorithm that cannot explain how it came to a decision. There are existing laws to prevent bias in a lot of situations but you have to know it’s happening. It could be years or never that it comes out. Governments and ML companies know it is coming but I don’t have much faith they can slow the money machine enough to fix it.
This is a huge international fintech company. Why don't they already have the best cybersecurity experts available on staff? If this is a standard ransomware attack - stolen/phished credentials, no 2FA on the VPN, then whichever financial regulator authorises their business should be taking a look. I know all companies are vulnerable but some should be legally required to take this stuff more seriously, in terms of employing the right people, listening to them and paying for security. Taking three days to restore makes me think they haven't done that. I'm sure the security of their customer's data is very important to them though, which is nice.
I notice the board doesn't include a CISO, which would seem useful for such a company. Maybe the Chief Data and Analytics Officer does it in their spare time.
https://www.theofficialboard.com/org-chart/moneygram
The only way current "AI" could solve the energy problem is if it crafted videos and text so persuasive we all stop using energy. Actually a simpler way would be to persuade us all to kill ourselves. That seems unlikely, given the quality of output from "AI" so far. Maybe Bill thinks General Actual AI is just around the corner, in which case he has truly drunk the Kool-Aid. Given what it takes to create unreliable-super-auto-correct we'd need data centres the size of planets. Not to mention the slight wrinkle that after more than 50 years of intensive research, we don't know how to make intelligence. It must be 5 years away now (a Musk 5 years).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
