happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I kinda like the old 'cool techies unite' look!

somjit{} commented: Yes! +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

In fairness, there is no evidence to suggest that any elections were rigged. Mind you, the lack of proper logging would mean that nobody would know if there had been, so maybe you are right.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I'm called 'happy' geek yet I'm nearly always pissed off.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Now gone...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Ah, just took a look - all the test ones I'm guessing :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It's an ask job, as far as I am aware. Which ones do you want gone and I'll do it now?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

In what has quite possibly been one of the longest periods between security problems being revealed and action being taken, the Virginia Board of Elections voted on Tuesday to remove the certification of more than 300 AVS WINVote touchscreen voting machines. The Virginia Information Technology Agency, and consultancy Pro V&V, uncovered multiple flaws in the voting technology which had also been used in other states including Mississippi and Pennsylvania. The scandal here is that there have been concerted efforts to remove these machines from the electoral system since 2008 when experts investigating irregularities first flagged their concerns. They have consistently been used in Virginia between 2002 and 2014, and if you have voted there you may well have cause for concern.

The security audit found a whole catalogue of vulnerabilities including the machines using, wait for it, WEP wireless security which has long since been relegated to the Do Not Use pile courtesy of it being easily hacked. Just to make that hacking even easier, the password was hard coded into the machines; and it was 'abcde', can you believe it? Talking of passwords, the OS admin password was, erm, 'admin' and the database storing the votes (an old version of Microsoft Access) used an easily hacked encryption key of 'shoup' for good measure. Oh, and talking of that database, should someone have wanted to copy it, edit it and then put it back nobody would have been any the wiser as there were no controls in place to prevent …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to the latest Verizon 2015 Data Breach Investigations Report all but four per cent of the security incidents analyzed by researchers could be accounted for by just nine basic attack types. That's pretty useful information for enterprises looking to prioritize their approach to security in terms of establishing a stronger security posture. So, as far as the nearly 80,000 incidents that were analyzed to form the basis of the report, what were these nine basic patterns then? Verizon states that the nine threat patterns are:

  1. Miscellaneous errors (such as sending an email to the wrong person for example)

  2. Crimeware (various malware aimed at gaining control of systems)

  3. Insider/privilege misuse

  4. Physical theft/loss

  5. Web app attacks

  6. Denial-of-service attacks

  7. Cyberespionage

  8. Point-of-sale intrusions

  9. Payment card skimmers

Truth be told, these are exactly the same as identified in the 2014 report which is kind of worrying on the one hand as it suggests that mitigation measures are not being that effective or the bad guys would have moved on. Which also means it has, perhaps, a foot in the good news camp as well simply because they have not moved on to new attack modes in earnest. The new report reveals that 70 per cent of attacks relied upon a combination of these basic patterns, usually involving a secondary victim which adds complexity to the breach. It also reveals that many existing vulnerabilities remain open, with available patches not being applied, and those vulnerabilities can stretch back to as far as …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Welcome buddy

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Erm, what has torrenting got to do with cloud security in the context of this story? Seems a bit of a random comment that...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I tend to recommend a triple whammy of:

Malwarebytes anti-malware premium
Malwarebytes anti-exploit premium
Kaspersky IS 15

All play nicely with each other, provide a decent enough 360 threat barrier for most home users and are not too resource heavy for most modern laptops.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to a SecureList posting dated April 10th, researchers Anton Ivanov, Andrey Khudyakov, Maxim Zhuravlev and Andrey Rubin discovered a vulnerability in the Darwin kernel back in December 2014. Why is this of interest? Well, the Darwin kernel is an open source part of both Apple operating systems. The vulnerability could allow remote attackers to launch a DDoS on a device running OS X 10.10 or iOS 8. More worryingly, it could allow the attackers to send just a single, solitary incorrect network packet in order to crash the target system and impact upon any corporate network it may be connected to. Sounds pretty serious right? Apple obviously thought so, seeing as it took the company which is so profitable that it ranks in the top three companies on the planet more than three months to fix it. The updated OS X 10.10.3 and iOS 8.3 software releases patched the holes, but even so, three months plus!!!

This is actually something of a big deal if you ask me, and not untypical of Apple which has stood accused of taking far too long to fix vulnerabilities in the past. Yes, I appreciate that it's better to get things right than rush out fixes that break something else or don't do the job properly. However, and it's one mega however if you ask me, while a small to medium sized organisation might be forgiven for taking a while to patch code with limited resources to throw at the …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It all started pretty well, with the announcement by Mozilla at the end of last month that the Firefox web browser would make the Internet a safer place by encrypting everything. That's everything, even those connections where the servers don't even support the HTTPS protocol. Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world's traffic with a new feature that can cryptographically protect connections even when servers don't support HTTPS. The 'Opportunistic Encryption' (OE) feature essentially acts as a bridge between non-compliant plaintext HTTP connections and fully compliant and secure HTTPS ones. Firefox 37 made OE active by default, supposedly protecting sites that hadn't bothered with going through the digital certificate authority process, or which don't fully encrypt everything courtesy of embedded plaintext third party content requirements such as adverts for example.

At the time, Mozilla networking engineer stated "OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial. Only HTTPS protects you from active man in the middle attackers. But if you have a long tail of legacy content that you cannot yet get migrated to HTTPS, commonly due to mixed-content rules and interactions with third parties, OE provides a mechanism for an encrypted transport …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

From Canada via India according to your IP address...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Hello and welcome to DaniWeb.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Talking to a number of consultants specialising in IT security, it seems that the 'big boys' are leading the way with those remediation stats. Look to the medium sized enterprises sector and remediation falls to around 10%. Their future could be, erm, interesting to say the least.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

You would think that someone from a digital marketing agency with clients such as Ford might know this stuff already, wouldn't you? Unless Dianne is just advertising that agency by way of her signature link, in which case the poor association still stands.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Was it more of a wham than a crash?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

In which case you have nobody but yourself to blame for the situation you find yourself in and, frankly, I have little sympathy for you. In the same way that I would have little sympathy for someone complaining about the broken foot they have, yet refuses to stop dropping concrete blocks on it twice a day.

Stuugie commented: lol +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I suspect we will live...

PS, read the rules before asking another question if you actually want anyone to help you.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to new research from Venafi, apparently some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business if you prefer) have yet to properly secure their public facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke for goodness sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still vulnerable as full and proper threat remediation had not been applied. They were patched, yes, but did not bother with the equally important steps of replacing private keys and revoking the old certificates. Apparently, looking at the market in general, it would seem that more than half of organizations simply have no idea how many keys or how many certificates they have, or even where they are being used. If you are in the US you can be happiest, if that's the right word, as your big business boys sit just behind Germany at the top of the remediation tree with a 41 percent total. That's still pretty poor, of course, but way better than Australia on 16 percent.

Patrick Wheeler, director at Proofpoint, says “the fact that so many systems remain vulnerable to Heartbleed highlights the difficulty of basing security on patching production systems. Organizations have to balance the needs of business-critical applications with the duty to take all reasonable, industry-standard measures to protect employee and customer data. Incorporating security fixes can be all the more difficult in the case of an issue like Heartbleed, where …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Perhaps the signature advertising a digital marketing and branding agency puts people off responding to very basic questions that you would think someone associated with an online marketing outfit whose clients include Ford and Phillips may be well aware of has something to do with it?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Read the rules then try again.

Here's a helpful hint: "provide evidence of having done some work yourself if posting questions from school or work assignments"

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I have a feeling that WojTroll will go quiet now...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Security is, more often than not, a case of getting the basics right. This is certainly true of the cloud where the hyperbole surrounding insecurity far outweighs the actual risk in my opinion. Not that the cloud is an inherently secure place to store data, just that it poses similar risks to other data storage methodologies which need to be assessed and dealt with accordingly. So when I hear statistics being bandied about such as '68 per cent of employees use personal cloud storage services at work' as was thrown in my direction this last week, I cannot help but heave a little sigh.

This is not a cloud issue, despite it being wrapped up as one when I saw it; it's a basic security principles one. Consumer grade services are called that, and sold as that for good reason - primarily because they are not intended to be used within a business context. Sure, plenty of people DO use them for commercial purposes but that is beside the point; it doesn't make them enterprise grade in terms of security. This kind of service misuse, for want of a better word, is what you might call a rogue cloud or shadow cloud. Shadow because it is hidden from the business, and rogue because it isn't meant to be there.

Actually, in the real world, neither descriptor is actually accurate more often than not. I've been to many an enterprise where the existing information security policy does not cover the use …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

"please stop saying that you do not alter my posts where I say not positive things - of course you do - that's why I do have infractions (where is the name taken from??). It's the first step towards censorship on the forum."

Who has altered your posts? Please point me to the evidence of that. You have infractions because a moderator has determined that you are in breach of the site rules. If you think that rules and a system for enforcing those rules equates to censorship then, frankly, you are in the wrong forum and should go elsewhere where you will likely be much happier.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

No, I mean that making changes to core system functionality simply because ONE USER demands it, and with no further discussion as you have stated, is no way to run a business. It's a recipe for disaster because the system would be in a state of constant flux. Just because YOU think something needs to change does not mean you are right and everyone else is wrong.

Tell you what, seeing as you have determined that Dani doesn't listen to users and is untalented, kindly point us at the applications and systems you have created and which have been up and running for 13 years?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I just quoted your post directly. Care to provide a sensible argument as to how immediately changing core system features upon user request is anything other than a recipe for disaster? No, thought not.

Unfortunately you are not in a position to determine who speaks here or otherwise, so prepare to be disappointed when you demand I shut up.

Here's the bottom line: change your attitude or your account WILL get banned. You are already just one 'Keep it Pleasant' infraction away from that happening.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Here we go again. If you took the time to actually read before you post then you might have noticed that the OP has been a member here since 2009. My guess is that she would not still be here if she thought it lacked 'basic functionality' and, indeed, would probably not have expressed her gratitude for it being here.

As for my post, 25 years ago I was accessing things like Usenet/Archie via an Amiga amongst other things.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

"Whenever user requests feature change/addition which would alter core usability of webapp - there is no place for discussion - coder (in this case Dani) should start coding it immediately and do not stop till it gets implemented"

You've said some stupid things so far, but that moves stupid into a whole new dimension.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Ordinarily I am more the peace-broker than the ball-breaker, but your attitude has pressed my rant button. Here it comes:

So, by your extremely self-centred view of the universe, whenever a user requests a change to the system then Dani would immediately implement that without any discussion? If that's how you think respect is gained then I can only conclude you live in an asylum and posting here is part of your therapy.

Seriously, you are coming across like a petulant child who throws a wobbly when told no. Look, we do listen to feedback here and plenty of changes have been implemented as a result over the years. One user shouting, however, will not dictate change just because he rudely demands it.

In my 25+ years online I have come to conclude that if it smells like a troll, looks like a troll and acts like a troll then 99.9% of the time it is a troll. If that's not you, then you are sure doing a damn fine job of impersonating one.

If you really don't like it here may I suggest you go elsewhere, we won't be offended and we will carry on just fine without you.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Us Internet old-timers (25+ years here) need to stick together. Welcome :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Yep, that's my recollection. Webmaster Marketplace was just full of people posting web hosting adverts, and many of them were very suspiciously templated posts that all looked the same with slightly different business names - obviously some affiliate thing happening. End result was that the forum became a pointless spam trap.

Best leave it to Dani to answer your specific points though, as she is the business brains here. I just write editorial and kill spammers :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Vista should have been shot at birth, along with Windows Me.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Which 12-year-old operating system, still running on 11 million servers, is about to die? Yep, that's the one: Microsoft Windows Server 2003 reaches 'end of life' status on July 14th.

One of the longest running discussions on DaniWeb asks the question Why does Windows XP refuse to die? and I have my suspicions that we may be asking the same of Windows Server 2003 in the years to come. Which is fine as far as it goes; unfortunately, that's not very far in terms of security, as there will be no more security patches, updates or assisted technical support. One industry expert has described this as being the "biggest security threat of 2015" and published a white paper on the subject with the very apt title of 'Server 2003 is dead. What are you going to do?'

Ade Foxall, CEO of Camwood and co-author of the report, suggests that discussion of Server 2003 end of life has been woefully limited even within the IT professional community, certainly when compared to the kind of coverage that XP got when it was approaching the same terminal stop. In an analysis of more than 5000 IT publications, Foxall discovered that Server 2003 end of life only got 5% of the news coverage that the end of Windows XP stirred up. "After the recent migration away from Windows XP, IT departments should be more aware than ever of the dangers of using an out-of-date platform," Foxall …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Welcome to DaniWeb Chris.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

What?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It's that time of year again, and the latest Secunia Vulnerability Review has been published. This analysed anonymous data gathered from scans right across 2014 of millions of computers which have Secunia Personal Software Inspector (PSI) installed and revealed some interesting statistics. On average, the computers used by the people running PSI had 76 programs installed on them and these vary from country to country. Secunia focussed its attention on what it calls "a representative portfolio of the 50 most common applications" which comprised 34 Microsoft and 16 non-Microsoft ones. So what did the analysis discover? You might be surprised if you tend to think of Microsoft as being the bad guy when it comes to vulnerable products.

In total, there were 15,435 vulnerabilities across 3,870 applications published by 500 different vendors which represents an 18% increase from the previous year in terms of vulnerabilities and 22% up when it comes to the total number of products. No wonder IT security can be a hard game to play when the surface is so broad and varied. The good news is that some 83% of the vulnerabilities in all products were patched, or at least had patches available, on the day of disclosure. Kasper Lindgaard, Director of Research and Security at Secunia, warns that while the numbers suggest an impressive 83% of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged a month later. "30 days on," Lindgaard says, "just 84.3% have a …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Welcome

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

No such thing as too beardy, surely? :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Welcome Oliver

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The recently revised Facebook community standards page states that the social network is on a mission "to give people the power to share and make the world more open"; however, it appears that it may have been giving the wrong people the power to share stuff you thought was private. According to security researcher and bug bounty hunter Laxman Muthiyah, Facebook's photo sync feature came with a critical flaw which "allows any malicious Facebook application to read your mobile photos."

The vulnerability concerns Facebook's Photo Sync feature for mobile users, which was introduced back in 2012 but because it was an opt-in thing might have luckily passed many users by. If you had, however, turned it on then any photos you took with the phone would automatically be uploaded to the Facebook cloud where they would be stored for future use. That use could be for including in your Facebook postings, and the sync feature would give you quicker access to all your images in theory, or maybe it could be seen as a handy backup system in case anything happened to your phone. The photos in the Facebook cloud were marked as private so could not be seen by anyone else, again in theory. In practice, third party apps that you had authorised to access your mobile photos could see them as well.

I'm not sure if that means all your photos are stored by Facebook, including, shall we say, any saucy ones. After all, …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Yesterday was epic. I was glued to rugby on the TV for seven hours and it felt like just a couple. Exciting doesn't really do it justice. You know what, I don't care who won after rugby like that. England, France, Ireland and Wales all played so well. Best 6N finish I can remember and one of the best days of rugby ever. Stunning stuff.

diafol commented: Agreed +0
cereal commented: nice games! +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Thanks. I think it is indicative of banks looking to get a competitive advantage by way of customer perception rather than actual security improvements. A cardiac rhythm measurement is no more secure in real world terms than any other token as a form of 2FA/2FV, and may be much less practical in reality. As I say, it's all about perceptive security to gain competitive advantage while data breaches are making headlines. IMHO of course :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Halifax is the town in West Yorkshire where I live, and it also happens to be the name of a well known UK Bank which started life there. Best known on this side of the pond for TV adverts featuring a friendly chap called Howard Brown, a former customer services representative and sales ambassador for HBOS which owns the Halifax. If recent reports are correct, then before long the Halifax could also gain notoriety for replacing passwords and PIN codes with bio-metrics. Not just any old biometrics mind, none of this old-fashioned fingerprint scanning malarkey for Howard and co; the Halifax wants to verify customer identity using their heartbeat.

With wearables becoming the media luvvie dish of the day, and not just in the tech media space either now that Apple is entering the market for fashion conscious hype junkies, the Halifax would appear to be following suit and assuming that customers will be happy to wear an electronic tag. OK, not the kind that some offenders are required to sport but rather a Nymi wristband. I think that not only is that assumption wrong (my elderly mother would certainly not wear one and nor, for that matter, would my punk rocker teenage son) but the Halifax are equally erroneous when it comes to the identity verification side of things as well.

OK, so what are we actually talking about here? Well, according to Wired magazine Halifax is testing out the use of a Nymi wristband for …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

You don't actually touch your eye with contacts, you touch the contact which then just slops into place (and taking them out you are just pinching the lens itself - if you touch your eye you are doing it wrong). Seriously, the thought of it is many magnitudes worse than the reality.

I never thought I'd be able to use contacts for the same reason, then I got Wet Macular Degeneration and needed nine injections into the eyeball over the course of a year and my objections to contacts kind of fell into perspective :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I like the idea of cow-orking, as long as the cow comes to no harm. Welcome :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Yep, spot on there.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Are you sure you can't do contacts? I thought I wouldn't be able to live with them, but for me they have proven to be the ideal solution. I wear contacts for general purpose vision, and then a very light pair of non-prescription readers for close work. As others have said, the trick with being comfortable in your specs is to get the lightest pair you can afford.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I don't usually write about acquisitions and all that financial stuff, but news that PayPal has acquired CyActive caught my eye as apparently this brings the promise of 'bio-inspired predictive security' into the online payments provider threat protection mix. Which made me think, just what the heck is bio-inspired predictive security when it's at home, and why has PayPal bought into it?

My first port of call in trying to get a line on this was the official PayPal blog posting on the thing. "While we have industry-leading fraud models and verification techniques, and a world-class security team" James Barrese, Chief Technology Officer and Senior Vice President, Payment Services, PayPal says "we’re always looking for ways to make our systems even more secure." Which is where the CyActive acquisition comes in, along with the establishment of a security center in Israel that will "tap into the country’s cutting-edge technology and top cybersecurity talent." CyActive being part of that tapping into process, being an outfit which specializes in predictive technology that focuses on how malware will develop and by so doing adds an element of future-proofing (or at least that's the idea) to PayPal security measures.

OK, so what does CyActive actually do then? Good question, and according to the company itself the answer is "forecasts how hackers will evolve today’s malware into tomorrow’s advanced threats, by applying bio-inspired algorithms and a deep understanding of hackers’ behavior, considerations and constraints." Which is about as …