Dick's Diary

eBay-bought kit proves costly

posted by Dick Morrell in Daily Stuff

Story on BBCi this morning about a security bod who bought a Cisco VPN concentrator on eBay for 99p which, when turned on, connected straight back to the gateway it had originally been configured to talk to. Presumably no-one had withdrawn its keys, certificates or MAC-based access controls, which is typical.

I buy an awful lot of kit from auctions, both online and at physical sales of seized hardware. The latter are often the most useful, as the kit is seized while still spinning: no chance to DBAN it, no chance to revoke credentials or remove data. There is also no law in the UK governing the cleansing of hardware seized by bailiffs or county court sheriffs for public auction. Yet another loophole that no-one seems bothered about, but in the current climate it's the perfect place for wannabe criminals and low-skill ID theft hackers, who can pick up kit for peanuts that's literally worth its weight in gold.

Last month I wrote about MFPs that give up huge amounts of sensitive corporate data and are readily available for peanuts. In the last four years I've bought: servers from a corporate clearance company in Edinburgh that contained the entire replicated Netware infrastructure of a county council; a Compaq workstation from an auction house holding the management accounts and expenses of a division of a household-name corporate, plus a backup of three years of staff appraisals; a hard drive from CEX, the high street retailer/recycler, containing marketing information and internal briefings from a UK high street retailer, including their hard-coded Microsoft PPTP details; and a Checkpoint SME small office VPN router picked up from a council-run refuse recycling plant in Hampshire that still had all the working credentials for a major corporate. I could go on, but you have to wonder why this still happens when the tools to prevent it are freely available.

Common sense security costs nothing. A breach, by contrast, can cost nothing to cause yet carries an implied cost to both your reputation and your architecture.
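The check that would have caught the 99p concentrator is a dull one: cross-reference your VPN gateway's successful sessions against the register of kit you have already disposed of. Below is an added example of that audit, not code from this diary; it assumes a constructed syslog-like gateway log format, a hypothetical retired-asset register keyed on certificate serial and MAC, and sample log lines invented for the purpose. Adapt the regex to whatever your gateway actually writes.

```python
"""Decommissioning audit: flag VPN gateway sessions authenticated with
credentials belonging to devices that have already been retired.

Added example, not from the original post. The log layout, field names and
the retired-asset register are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed register of retired hardware: identities that should have been
# revoked (cert serial, device MAC) the day the kit left the building.
RETIRED_ASSETS = {
    "cert:4A1F93C2": {"asset": "vpn-concentrator-03", "retired": "2008-06-30"},
    "mac:00:1b:54:aa:bb:cc": {"asset": "branch-router-11", "retired": "2008-08-12"},
}

# Constructed gateway log lines in a hypothetical syslog-like layout.
SAMPLE_LOG = """\
2008-09-15T08:02:11 gw01 vpn: session up peer=10.20.0.5 cert_serial=7B22E0A1 mac=00:1b:54:10:20:30 user=site-hq
2008-09-15T08:07:43 gw01 vpn: session up peer=86.1.2.3 cert_serial=4A1F93C2 mac=00:1b:54:de:ad:01 user=site-leeds
2008-09-15T08:09:02 gw01 vpn: auth fail peer=86.1.2.3 cert_serial=4A1F93C2 mac=00:1b:54:de:ad:01 user=site-leeds
2008-09-15T09:11:19 gw01 vpn: session up peer=81.9.9.9 cert_serial=9C0D1E2F mac=00:1b:54:aa:bb:cc user=site-bath
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn: (?P<event>session up|auth fail) "
    r"peer=(?P<peer>\S+) cert_serial=(?P<serial>\S+) mac=(?P<mac>\S+) user=(?P<user>\S+)$"
)


@dataclass
class Finding:
    timestamp: datetime
    asset: str
    matched_on: str
    peer: str
    user: str


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text, retired=RETIRED_ASSETS):
    """Return a Finding for every *successful* session whose certificate serial
    or MAC belongs to a retired asset. Failed auths are ignored: they show the
    gateway did its job, successes show that it did not."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] != "session up":
            continue
        for key in (f"cert:{rec['serial']}", f"mac:{rec['mac'].lower()}"):
            if key in retired:
                findings.append(Finding(
                    timestamp=datetime.fromisoformat(rec["ts"]),
                    asset=retired[key]["asset"],
                    matched_on=key,
                    peer=rec["peer"],
                    user=rec["user"],
                ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} retired asset {f.asset} "
              f"still authenticating ({f.matched_on}) from {f.peer} as {f.user}")
```

Run against the constructed sample it reports two findings: the retired concentrator's certificate still bringing up a session, and a retired router's MAC doing the same. Either hit means a revocation step was skipped at disposal time, and that is the finding to act on, not the log line itself.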

UK ICO Website not patched…

posted by Dick Morrell in Daily Stuff, Security, Technology

Killing time today at the hospital, sitting on mobile broadband, I read with interest a story on BBCi about personal data safety which linked to the UK Information Commissioner's Office website, where you're prompted to fill in a questionnaire on age and location for starters. Only that's as far as I got, as whichever lowly paid Microsoft drone on the ICO technical staff wrote the ASP piece can't code for toffee. Pay peanuts, get monkeys - but then that's what ASP was invented for: people who couldn't actually remember how to write proper web pages and needed a helping hand :)

Only the ICO never followed advisories from Microsoft that have been around since 2007, obviously aren't pentested internally or audited sufficiently, and don't have a patch regime that would stand up to what I presume is internal scrutiny. So two phone calls were placed to warn them that 1) their code leaves them vulnerable and 2) their servers and the versions of the .Net libraries they run are vulnerable, and I am none the wiser whether anyone there had a clue what I was talking about... It's shocking. I am not about to breach sections 1 and 2 of the CMA, and I want to be seen as utterly professional in how the ICO was informed and then didn't bother to fix it.

You would expect the ICO staff to remember that they represent the UK population at a decent level of public visibility and not leave themselves vulnerable to exploits that are in the wild and to test their ASP pages before release to the public.

Very unimpressed - this stuff is child's play. Maybe if they'd put it on a proper web hosting environment such as Apache on Linux, not chosen such lame-ass coding tools, and done some pre-publication testing, they wouldn't now be left holding the baby.

Clownshoes.

Floyd founder dead

posted by Dick Morrell in Daily Stuff, Music

Pink Floyd keyboard player, composer and co-founder Richard Wright has died of cancer aged 65.

After the death of Syd Barrett in July 2006, the music world and especially the massive groups of Floyd supporters worldwide will be knocked for six at his untimely passing.

More news here, although neither Dave Gilmour's nor Guy Pratt's site has yet been updated. His last published work was being prepared for release on 22nd September (Dave Gilmour - Live in Gdansk CD & DVD), and the Syd Barrett City Wakes, celebrating Syd and Pink Floyd, was already scheduled for late October in Cambridge. It has even more meaning now.

Zack & Miri - clock ticking…

posted by Dick Morrell in Daily Stuff

On October 31st in the US the latest AskewUniverse film, Zack and Miri Make a Porno, is being released: written and directed by Kevin Smith, produced of course by Scott Mosier, and with Dave Klein back at the helm behind the cameras. Unfortunately there is no UK release date, but no matter, I'm hopefully in the US again around that time and also going to the Count Basie Kevin Smith Q&A, so that's me catered for :)

Starring Seth Rogen, Elizabeth Banks, Jeff Anderson, Jason Mewes and a cohort of former real-life pornstars, the film has been getting some rave reviews as possibly Kevin's best film to date; read some of them on his blog here.

You can see a low-res trailer below, just make sure you don't offend anyone nearby in an office as it contains lewd language (well, of course it would)... Please be warned. If you are behind a corporate firewall or have internet acceptable use policies, of course engage common sense.

The Bank of Mom and Pop

posted by Dick Morrell in Daily Stuff

Article on BBCi this morning about how parents nowadays seem to be financially burdened by their kids once they leave home, with contributions to cars, weddings, housing deposits, bail-outs and even re-mortgages to help their children get on the property ladder.

Made me giggle nervously. I’m one of three kids and I’ve always stood on my own two feet even when in the mid 90s that meant living on the breadline and rationing food when my ex ran off leaving me a huge pile of debt.

Never had a handout - never want one. If you're hard up, that's an incentive to either get off your bum and sort it out, or panic.

And they let them breed..

posted by Dick Morrell in Daily Stuff

I have spent a fair amount of time in NHS waiting rooms recently. I have made a decision to go and get a vasectomy, based on the fact that I have gone through periods of forgetting what Adam was like when he was small and romanticised wanting to be a dad again before I get too old.

Sod that.

I am sick to the back teeth of people who can't control kids in public. Toddlers. Best thing for toddlers is 1) Phenergan 2) Methadone 3) Being kept in a box inside a noise-filtered, acoustically deadened cell until they are old enough to do joined-up handwriting.

I sat in a waiting room today with people coming out of anaesthetic and their relatives, like me, waiting to drive people home. Screaming kids, kids with dummies, kids without dummies, kids who frankly need shooting - along with their council house white trash parents and their Creole earrings and tattoos.

1) Why bring kids to an unsuitable environment?
2) Why allow your kids to run free in an environment where there's plainly nothing for them to do?
3) Why weren't you trusted enough to understand birth control?
4) What's the betting you're on benefits?

If I've offended anyone, I apologise. The chances of my offending anyone who would take this personally are very slim, as I've used verbs, nouns and adjectives and there are no pictures in this blog entry :)

Stephen Fry 25th GNU Anniversary

posted by Dick Morrell in Daily Stuff

As part of the 25th anniversary of GNU / FSF, Stephen Fry, one of my favourite actors and directors (and a Free Software fan), has appeared in a video celebrating everything that is GNU/Linux and explaining what it is we do and stand for. It gives a complete layman's understanding of our motivations and our communities. Do watch it.

About Dick
Welcome to my diary, an almost eight-year journey (two years archived online). I try not to waffle on about too much technical stuff, and you'll also notice that I do tend to lose steam and rant here. There is a bias towards Linux and Open Source, but then I've been doing this for almost a third of my life, so bear with me. Please do register and feel free to comment or give feedback.