National Lottery Accounts compromised

This morning Camelot released the news that they’d detected suspicious logins on 26,000 of its on-line punter accounts, of which 50 had been altered. As far as they know. They’re keen to stress that this doesn’t affect their core system (i.e. it can’t be used to fiddle the payouts).

It’s entirely possible that they haven’t been breached at all – people could be re-using passwords taken in an earlier heist elsewhere, with the attackers simply trying those against Camelot’s login page (credential stuffing, in the jargon). What’s odd is that someone has accessed thousands of accounts but done nothing with most of them. Why? Kiddies, possibly.

If this is as Camelot is currently reporting, well done to them for spotting the suspicious logins and acting fast.
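The “re-used passwords versus a real breach” question above can be asked of the login logs themselves. What follows is an added example, not Camelot’s code or data: the log layout (timestamp, source IP, account, result), the sample lines and the thresholds are all assumptions. Credential stuffing shows up as one source trying many distinct accounts about once each with a modest hit rate; a brute-force shows as one account hammered with failures; an attacker who had lifted the operator’s own password store would barely fail at all.

```python
"""Triage of login records to tell credential stuffing from an in-house breach.

Added example, not Camelot's code or data. The log layout (timestamp,
source IP, account, result) and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one login attempt per line.
SAMPLE_LOG = """\
2016-11-30T01:00:01 203.0.113.5 alice FAIL
2016-11-30T01:00:02 203.0.113.5 bob FAIL
2016-11-30T01:00:02 203.0.113.5 carol OK
2016-11-30T01:00:03 203.0.113.5 dave FAIL
2016-11-30T01:00:03 203.0.113.5 erin OK
2016-11-30T01:00:04 203.0.113.5 frank FAIL
2016-11-30T01:00:05 203.0.113.5 grace FAIL
2016-11-30T01:00:05 203.0.113.5 heidi FAIL
2016-11-30T08:15:00 198.51.100.7 alice OK
2016-11-30T08:16:10 198.51.100.7 alice FAIL
2016-11-30T08:16:20 198.51.100.7 alice OK
2016-11-30T09:00:00 192.0.2.9 bob FAIL
2016-11-30T09:00:01 192.0.2.9 bob FAIL
2016-11-30T09:00:02 192.0.2.9 bob FAIL
2016-11-30T09:00:03 192.0.2.9 bob FAIL
2016-11-30T09:00:04 192.0.2.9 bob FAIL
2016-11-30T09:00:05 192.0.2.9 bob FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)


def parse(log_text):
    """Aggregate attempts, successes and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login record; ignore
        _ts, src, account, result = m.groups()
        s = stats[src]
        s.attempts += 1
        s.accounts.add(account)
        if result == "OK":
            s.successes += 1
    return stats


def classify(s, min_accounts=5, spread=0.8):
    """Label one source's behaviour.

    Credential stuffing: many distinct accounts, roughly one try each,
    because the attacker holds one leaked password per account and only
    some of them were reused elsewhere.  A breach of the operator's own
    password store would look different: near-100% success, no spray of
    failures.  Brute force: one account, many failures, no success.
    """
    distinct = len(s.accounts)
    if distinct >= min_accounts and distinct / s.attempts >= spread:
        return "stuffing"
    if distinct == 1 and s.attempts >= min_accounts and s.successes == 0:
        return "brute_force"
    return "normal"


def triage(log_text, **kw):
    """Map each source IP to its label."""
    return {src: classify(s, **kw) for src, s in parse(log_text).items()}


def hit_rate(log_text, src):
    """Fraction of a source's attempts that succeeded (None if unseen)."""
    s = parse(log_text).get(src)
    return None if s is None else s.successes / s.attempts
```

In the constructed sample, 203.0.113.5 hits eight different accounts in five seconds with two successes, which is the stuffing signature; 192.0.2.9 is an ordinary brute-force on one account; 198.51.100.7 is a customer mistyping a password. The hit rate against a stuffing source is the number worth reporting, because it tells you how many of your customers re-use passwords.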

Putin the Boogy Man

I’ve been listening to Today on Radio 4. Francois Fillon has won the conservative presidential candidacy for the French presidency. Apparently, shock horror, he likes Margaret Thatcher and is friendly with VLADIMIR PUTIN. That sounds a bit like Vlad the Impaler!

The presenter also had a jibe at Donald Trump; he also wants to do business with this monster.

He is a monster, right? He’s a Russki, like Stalin, and therefore wants to take over the world. And he’s done all these terrible things to prove his evil intent. Let’s just remind ourselves…

First off, Russian troops put down a “revolution” in Chechnya. Actually, this was an Islamist uprising, but before the West had experienced Islamist uprisings of its own, so at the time Mr Putin was portrayed as Mr Nasty. Now we don’t really want to talk about it.

Then he backed the Assad “regime” in Syria against the “rebels”. Assad was and remains the democratically elected president of the country. Sure, he tried to make war against Israel at every opportunity but that’s normal around there. Not a nice person, but democratically elected. The so-called rebels were self-appointed, and unsurprisingly, have long-since disappeared and Islamists have filled the vacuum. The West continues to condemn Russia for backing the democratically elected government against, you guessed it, the Islamist insurgents (Islamic state and the like).

“Ah”, the liberal media wail, “Russia is bombing Aleppo and civilians in the ‘rebel’ held areas are being killed.” Well there’s a war on. The “rebels” are bombing the government-held areas and killing civilians, and this is okay? And non-Russian forces are bombing rebels in Mosul, yet there they’re called Islamic State, and there is little mention of civilians.

Okay, what about annexing Crimea? Russian tanks in a foreign country. What actually happened there?

Well in 2010 Viktor Yanukovych won the presidential election in Ukraine, beating Yulia Tymoshenko. It was considered a fair election. He won. Some people in Ukraine didn’t agree and started fighting about it a couple of years later. Reports vary, but Yulia Tymoshenko’s supporters have neo-Nazi overtones.

Ukraine was split into the Russian-speaking Crimea and the rest, and the Russian-speaking population in Crimea was in trouble from the violence, so Putin sent in the troops to protect them, and support the democratically elected government. The West sided with the neo-Nazi rebels.

For historic reasons, Russians do not like neo-Nazis. Strangely the Western liberal media reckons they’re okay if they’re fighting against Russia.

Now I’m no more a fan of Putin than I am of most politicians. He’s got his hands dirty, to say the least. Rising up through the KGB is hardly an ideal career path for a benevolent leader, although this is how it’s been done for a long time. But when you look at the situation in Russia, there are plenty of worse candidates for president. You could say he’s the least-worst option. The Russian people like the guy; he looks out for their interests. And with the West pushing hard against Russia, who can blame them? And to cap it all, Putin is actually the defender of democracy in his foreign policy; how does he keep snatching the moral high ground from Obama?

The reason is that Obama and the West still have the “reds under the beds” attitude. Putin, on the other hand, has a different understanding of who the real enemies to freedom (or his cushy way of life) are. As do Trump and Fillon.

Enough with this “Trump Crashes Immigration Site” rubbish!

Ha Ha Ha! On Wednesday, Canada’s web site for prospective immigrants crashed under the weight of Americans trying to escape from a USA run by Donald Trump. Really? Now other immigration sites, such as New Zealand’s, are reporting similar problems and certain media outlets are lapping it up.

It’s a funny story, but I suspect that it’s too good for some people to check the facts.

There are two possibilities here:

  1. A load of Americans panicked suddenly.
  2. Some jokers decided a DDoS attack at this point, to make it appear that Americans were panicking, would be funny.

In the absence of any evidence to the contrary, I think option two is way more likely. People have been joking about the “move to Canada” option for months.

Are you a Tesco bank customer? Please verify your details. Spam meets salami.

I’m surprised I haven’t seen any phishing emails targeting hapless Tesco Bank customers following the publicity surrounding the weekend’s account raids. Give them a few more minutes.

Details on what happened are very thin on the ground. This morning on R4 Today they were saying a few thousand, but fewer than 10K, customers had been affected. Estimates are now going up to 20K. But what’s interesting is that this appears to be close to a good old-fashioned salami raid, a term that the newbies in security may not even have heard of.

A salami raid got its name from thinly cut salami (a kind of foul-smelling sausage). If you cut off a thin slice, no one will notice, and if you do this to a large number of unfortunate sausages, none of their owners are likely to spot it but you’ll end up with a lot of processed meat.

Traditionally this approach was employed by computer programmers diverting fractions of a penny from a large number of accounts into their own, but it’s unlikely to be the case with Tesco. The spotlight is likely to fall on people making use of the on-line banking facility to enrich themselves using other people’s logins, although I find it curious that accounts weren’t emptied while they had the chance.
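For the newbies: here is the classic programmer’s salami raid in miniature, together with the control check that catches it. This is an added example, not Tesco Bank’s code or anything from the incident; the account balances, interest rate, posting routines and the “mule” account are all constructed. The crooked posting run always rounds interest downward and banks the shavings, so the book still balances, which is why a totals-only reconciliation misses it.

```python
"""A salami raid in miniature, with the control check that catches it.

Added example, not Tesco Bank's code or data.  The accounts, the
interest rate, the 'honest' and 'crooked' postings and the mule account
are all constructed for illustration.
"""
import random
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

RATE = Decimal("0.0125")   # constructed annual rate
MONTHS = 12
PENNY = Decimal("0.01")


def constructed_accounts(n=10_000, seed=1):
    """n customer balances between 10 and 5000 pounds, to the penny."""
    rng = random.Random(seed)
    return {f"acct{i:05d}": Decimal(rng.randint(10_00, 5000_00)) / 100
            for i in range(n)}


def monthly_interest(balance):
    """Exact (unrounded) interest owed for one month."""
    return balance * RATE / MONTHS


def post_interest_honest(accounts):
    """Credit each account its interest rounded to the nearest penny."""
    return {a: monthly_interest(b).quantize(PENNY, rounding=ROUND_HALF_EVEN)
            for a, b in accounts.items()}


def post_interest_salami(accounts, mule="mule00001"):
    """The slice: always round *down*, and bank the shaved fractions.

    Each customer loses under a penny, which nobody checks; the mule
    collects a fraction of a penny per account, which across the whole
    book is real money.  The grand total still reconciles.
    """
    postings, skim = {}, Decimal(0)
    for a, b in accounts.items():
        exact = monthly_interest(b)
        credited = exact.quantize(PENNY, rounding=ROUND_DOWN)
        postings[a] = credited
        skim += exact - credited
    postings[mule] = skim.quantize(PENNY, rounding=ROUND_DOWN)
    return postings


def reconcile(accounts, postings):
    """Two independent controls over a posting run.

    1. Every credited account must exist in the customer ledger.
    2. Rounding error (exact minus credited) should average out to about
       zero; a run that always rounds the same way leaves a one-sided
       bias of roughly half a penny per account.
    """
    errors = [monthly_interest(accounts[a]) - p
              for a, p in postings.items() if a in accounts]
    unknown = sorted(a for a in postings if a not in accounts)
    mean_error = sum(errors) / len(errors)
    return {"mean_rounding_error": mean_error,
            "unknown_accounts": unknown,
            "total_credited": sum(postings.values())}


def looks_like_salami(report, bias=Decimal("0.002")):
    """True if either control trips."""
    return bool(report["unknown_accounts"]) or \
        abs(report["mean_rounding_error"]) > bias
```

Run both postings over the same constructed book and the totals come out within a penny of each other, so the fraud is invisible to a sum check; the mean rounding error and the posting to an account outside the ledger are what give it away. In a real shop the second control is the boring one: credits may only go to accounts that exist in the master file, and the master file is not writable by the person who writes the interest job.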

Baofeng UV-5X vs UV-5R Review

Someone asked me today whether they should get a UV-5X instead of a UV-5R. The 5R is a bit of a legend in the handheld transceiver world – a very cheap and capable VHF/UHF unit covering Business Light and Ham bands on FM. It has a few flaws – for example you can’t disable the keypad and stop users doing stuff they mustn’t (a matter for Business Radio, but not a problem for ham use).

That said, if you can trust your users not to meddle, it’s a good piece of kit. And the UV-5X has an upgraded motherboard and chipset for about 25% more on a very low price – so what’s not to like? (Incidentally, it’s the same as the Baofeng FF-12P, but without the reversed display)

I’m assuming, dear reader, that you will know the Baofeng UV-5R and its variants so I won’t go into any detail on these. If you don’t, they’re extremely good kit for the money.

But if you’re considering a 5X over a 5R, which should you choose? In terms of features, the 5X appears to have similar firmware to the 5R 297 release – presumably not identical due to the new chipset, but you won’t notice a difference. When I get around to it, I intend to pull one apart to see if the chip-set really has changed, but for now I’ll take Baofeng’s word on it. CHIRP treats the 5X as a 5R, although current builds do list it as a separate model. Its measured power output is around 3.5W on UHF and 4W on VHF, although I’ve no reason to believe this is going to be particularly consistent across examples. (Low power mode was 1.5-2W on both.) Accuracy of frequency (objective) and sound quality (subjective) are very good on both units.

For what it’s worth, the 5X is (currently) shipping with a new antenna, not found on the newer 5Rs, and quite different to the longer ones found on slightly older examples. I’d hate to say one performed better than the other – I might run some tests if someone twisted my arm, but in real use I didn’t notice anything.

So what are the differences you will notice? Well, mostly cosmetic! The torch, which Baofeng seem to be so proud of on all their radios, has been upgraded from the simple LED and now has a parabolic reflector. It is thus a better torch. Quite why this is important is beyond me, but if you are a fan of radios with decent torches in, buy one and knock yourself out.

The volume knob is smaller (to make room for the torch beam, I assume). The PTT button is different. And the cover for the microphone is a fold-back job rather than hinged, but has a screw which means you can remove it completely and put it back later. This isn’t a bad thing if you’re using a microphone; the hinged cover on the 5R and similar was a bit vulnerable when open.

One improvement I did notice is that they’ve fixed the carrier squelch nonsense (on the UV-5R the setting made very little difference). However, the current build of CHIRP allows you to tweak this on other models anyway (it’s under Service Settings).

But, there is a killer reason why you may want to stick to the 5R – support. In some crazy move, the 5X uses a different (incompatible) battery and a different charger. If you’re already running 5Rs this is going to be a total pain; if you don’t have a Baofeng radio yet it’s going to limit your choice and availability of accessories. The DM-5R (the digital version) very sensibly kept compatibility with the 5R accessories, so why couldn’t this?

The 5X is, however, reputed to be splash-proof, if not waterproof. This is a good thing. The keypad also has bigger keys – that’s to say thicker with more travel, NOT, as you might think, with a larger face. There’d be no room anyway, although the 5X is actually a bit taller. This means it won’t fit the rubber armour sleeves or any tight-fitting holster. Another problem is that I don’t think anyone can supply it with a UK charger as standard, although the US one will work with an adapter.

The UV-5X is not a bad radio, but to my mind it’s not good enough to beat the UV-5R, where the ace is the range and availability of spare batteries. For my money, if I wanted to get more than the bog-standard UV-5R I’d go for the UV-5RHX or UV-5RTP – with upgraded (three-setting) transmitter power. They’re accessory-compatible with the UV-5R, although internally (and to CHIRP) they appear as a BF-F8HP and a BFP3-25, and both have NSR3409 firmware. The only difference is that the TP comes with the new rounded shorter antenna and the HX doesn’t appear to be available with a UK power adapter, although it does ship with the large battery. I don’t think anyone in the UK is selling it.

A-Level scrappage scheme – Tony Robinson dug up to condemn it

Earlier this week AQA scrapped the A-Level in Art History, and today Archaeology got the chop too. The luvvies at the BBC decided to get some expert comment about this act of cultural vandalism, and naturally turned to one of their own – Left-wing comedian and actor, (Sir) Tony Robinson. He’s keen on archaeology, having made some reality TV show about it. However, he was knighted for his services to politics, having been a member of Labour’s National Executive Committee. So who better to discuss it?

Sir Tony was, unsurprisingly, keen to blather on without any balance, roundly condemning AQA for their decision. He knows a lot about education; after pre-school he went to a grammar school where he scraped four ‘O’ Levels, and dropped out of ‘A’s.

Unfortunately Sir Tony couldn’t directly criticise the government as it was the exam board that decided to drop it, but it didn’t stop him trying. And for balance, they dug up a professor of archaeology too – not a luvvie, but definitely an academic.

The argument made by this brace of lefties is that scrapping subjects like this means poor people going to state schools won’t have the chance to study these subjects. A view that wasn’t questioned. Well, I’ll question it – if AQA has scrapped it, no one can do it, rich or poor.

Apparently it was also “limiting choice” to concentrate on core subjects. This stands no scrutiny. Hardly any schools offer A-Levels in these subjects anyway, as no one wants to do them, and even if they did, there is no one to teach them. If you have a love of a subject, go and study it yourself. Apparently, last year only 400 students took Archaeology.

No one was keen to make the opposite case: that such A-Levels are a really bad idea. You can go on to study a degree in archaeology without having done an A-Level in it; you just need a brain and the ability to think critically. You can get that by studying anything difficult. You don’t need to be spoon-fed a subject to “try it out”; all you need to do is go to the library and read some books.

Having A-Levels in weird subjects is actually a bad thing, in my view. People may choose to do them. In itself that’s fine, but human nature leads to many choosing the easy ride. In at least one private school I know of, most of the pupils leave with an A-Level in Scripture (Religious Studies). It’s an easy one to get and boosts the A-level tally.

So what happens when you take your A-Levels in Media Studies, Archaeology and Divinity to university? Do they prepare you for a degree course? Well, they might for a degree in Archaeology, but so would self-study and a love of the subject combined with A-Levels in Maths and Physics. That’s true of practically any subject at degree level.

The result of the current ridiculous situation is this: I have people trying to study for a degree in Computer Science who are unable to write a proper sentence in English. Their basic arithmetic skills are almost non-existent; and as for mathematics: forget it! And, surprise, surprise, they got on the course using A-Levels in soft subjects, so they don’t know how to study anything hard.

Bring on the A-Level scrappage scheme.

Has LinkedIn had its data blagged again?

This could very well be related to the breach that occurred in May, but it might be a new one.

This morning a trap email account, known only to me and LinkedIn, started to receive a lot of spam of a similar nature. This hasn’t happened before. For anyone else to be aware of this address’s existence it had to be stolen from me or from LinkedIn, or possibly by monitoring an ISP if it wasn’t encrypted en route. I’m pretty confident that it wasn’t stolen from me; the system it exists on is pretty secure and under my nose. As an added measure, all addresses are stored with additional traps that aren’t known to any third party, and if none of these is used it’s reasonable to assume that the data wasn’t pinched from me.

Monitoring an ISP is possible, but I don’t think it’s likely.

This means the address was probably stolen from LinkedIn. It’s hard to know for sure whether this was in May or later, but there was no indication it had gone missing until this morning, so it’s worthy of more investigation.

Has anyone else suddenly started receiving spam on a linkedin-specific address?
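For anyone wanting to set up the same kind of trap, here is one way to do it. This is an added example, not the author’s own arrangement or code: the domain, the secret and the service names are constructed. Each service gets an address only it has ever been given, derived with an HMAC so that a spammer who harvests one address can’t guess the rest, and a couple of “control” addresses are kept in the same store but handed to nobody. If spam arrives at a control address the list left via your side; if it only arrives at one service’s address, that service lost it.

```python
"""Per-service trap addresses and leak attribution.

Added example; not the author's setup.  Domain, secret and service names
are constructed.  Each service gets an address only it knows, plus
control addresses that are stored alongside but given to nobody.
"""
import hashlib
import hmac

DOMAIN = "traps.example"            # assumption: a domain you receive mail for
SECRET = b"constructed-secret"      # assumption: kept off the mail server itself


def trap_address(label, secret=SECRET, domain=DOMAIN):
    """Deterministic but unguessable address for a label such as 'linkedin'.

    The HMAC tag means seeing one trap address tells a spammer nothing
    about the others, unlike 'linkedin@' / 'twitter@' style tags.
    """
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{label}-{tag}@{domain}"


def build_registry(services, n_controls=2):
    """Map address -> label.  'control-N' labels are never given out."""
    labels = list(services) + [f"control-{i}" for i in range(n_controls)]
    return {trap_address(label): label for label in labels}


def attribute(recipients, registry):
    """Return (services_hit, controls_hit) for the recipients of a spam run."""
    hits = [registry[r.lower()] for r in recipients if r.lower() in registry]
    controls = [h for h in hits if h.startswith("control-")]
    services = sorted({h for h in hits if not h.startswith("control-")})
    return services, controls


def verdict(recipients, registry):
    """Plain-English reading of which side lost the address list."""
    services, controls = attribute(recipients, registry)
    if controls:
        return "leak on your side (control trap hit)"
    if len(services) == 1:
        return f"leak at {services[0]}"
    if services:
        return "multiple services hit: suspect your side or a common path"
    return "no trap hit"
```

The reasoning in the post is exactly the `verdict` function: a hit on a single service address with the controls untouched points at that service. The one thing this can’t separate is a leak at the service from interception of the sign-up mail in transit, which is why the post lists ISP monitoring as the remaining, if unlikely, alternative.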

Google Drive Hacked to spew Spam

Early this morning (GMT) I intercepted emails trying to sell a Chinese business signage product that had been spammed to spambait addresses left on web pages. Nothing new there, but having analysed the source I discovered that the Google Drive “cloud” storage system was still being abused to send them out. I saw the first such incident about a month ago.

Basically the crims are creating a Google Drive account and then sharing a file with a large number of people using a custom message. The name of the file becomes the title, and the sales pitch goes in the body:

Dear Sirs,

From internet we know you are leading on AV/TV product reseller field.

Sysview is a digital signage software, capable change your existing smart TV to a digital signage . Sysview features following :

The only surprise about this is that no one has exploited it before. It’s going to be very difficult to filter out without hitting all Google cloud services, since the notifications come from Google’s own servers, and Google’s “sign up free without asking questions” policy is going to make it hard for them to tackle.

Come on Google! You’ve had at least a month to get this sorted, to my certain knowledge. Google could be forgiven for failing to secure the system against such abuse in the first place, but I’m not going to. This is a common sense failure.

The Royal Mail is Doomed

Britain without the Royal Mail? That’d be, well, un-British. But, like Woolworths, it’s coming to the end of its natural life after 500 years.

Realising this, it was sold out of public ownership in 2013 in the hope this would give it the flexibility to adapt and change with the times. For most of its life it’s existed to provide communication in the form of letters. It survived the introduction of the telephone – in fact it used to run that too, messed it up and had that part of the business split off as British Telecom in 1981 and privatised in 1984. This didn’t stop BT doing some odd things (like selling the division running these new-fangled mobile phones), but it has replaced the dwindling demand for fixed-line domestic telephone calls by selling networking infrastructure instead. BT are doing rather well at it.

Fax, and then email, have really put a dent in written communication. Who sends letters any more (apart from idiots)? However, the Internet has resulted in a massive boom in on-line commerce, and physical products still need delivery to the purchaser. Royal Mail plc needs to re-invent itself as a delivery company, and use its existing infrastructure to do it better than the start-ups who are filling the void. Unfortunately it’s doing spectacularly badly at this, whatever its accounts say.

Hereabouts, our two nearest Post Offices are closing, in spite of there still being a demand. There’s always a queue. The Post Office was their advantage – you could visit it to drop off a parcel and pay the postage on it at the same time. If you can’t do this, you may as well have an account with some other carrier, who’ll pick up from your premises without any fuss. Royal Mail will, if you’re big enough.

But the big problem they have is delivery. With another courier, it’s not a problem. They’ll always follow instructions and leave it across the road, where we have an agreement to take each other’s deliveries. Not a problem. If that doesn’t work they drive past a few hours later and there’s always someone around to handle it.

But Royal Mail has a “better idea”. They stuff a card into your post box telling you to collect your parcel the following day from your local Post Office (the one they’re just closing). And your local Post Office parcel department is only open until noon.

Whilst I like my local postman, and the people in the parcel office, the reality is that other shipping companies provide a much better service whereas they’re constrained by crazy working practices, partly fought for by their own trade union.

Unless Royal Mail can get parcel delivery right, by delivering the things to the address the sender intended, when they intended it, they’re going to be stuck with operating an almost pointless shrinking letter service, and eventually decreasing economies of scale will mean the competition can do that cheaper too.

Internet of Things Botnet Menace

Forget self-aware AI systems taking over the world. If you read the hype over DDoS attacks you’d be forgiven for thinking an army of internet connected devices was on the march, herded by a gang of amateur criminals – the IoT bites back!

This isn’t about anything new, but the fact it’s being used in recent record-breaking DDoS attacks has brought the matter to the fore.

And then yesterday the code for one of the two main botnets, Mirai, turned up, posted on Hackforums, probably by its originator. The other similar botnet is known as Bashlite, but I understand it works in the same way and attacks the same devices. Originators of such code usually dump it in the public domain when they feel that they’re about to be busted. It makes it harder to prove they’re behind an attack when other people have, and are likely using, the same code.

A look at the code itself confirms what many have suspected for a long time: some CCTV equipment can be appropriated for naughty purposes. Unfortunately the affected equipment originates in China and is sold to a wide variety of companies who put their own badge on it, and sometimes customise the software. It’s basically a generic network-enabled Digital Video Recorder (DVR), with the generic name H.264 Recorder. Getting it all patched isn’t going to happen as there is no update mechanism, but if people changed their password to something hard to guess, rather than leaving it as the default 1234, the world would be a better place. The caveat is that the code doesn’t go anywhere near the web interface; it brute-forces the telnet login with a short list of factory defaults, and on at least some of these units that telnet account isn’t one the owner can change from the menus, so keeping port 23 off the Internet matters more than the password you can see.

I’ve been looking at this type of CCTV equipment for over a decade, ordering an embarrassing number of samples from Alibaba and the like and building up a collection to rival my disparate VoIP endpoints. They have a lot in common – very little in the way of security or robustness in the face of attack. My advice to anyone using such kit is to install it behind NAT and use a VPN to access it externally.

But getting back to my theme, the media hype suggests that all sorts of IoT things have been hijacked. Unless I see any evidence to the contrary, this is simply not true. The CODE released targets one type of network DVR, and, in reality, it can’t even persist if the device is power-cycled. However, reports suggest that the time taken for the botnet to re-establish itself is very short.
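Because the infection doesn’t survive a power cycle, the way a botnet of this sort re-establishes itself is by scanning: every infected box sweeps random Internet addresses on the telnet ports looking for the next victim. That gives the owner of a network something to look for from the inside. What follows is an added example, not the released botnet code or the author’s tooling: the flow records are constructed, and the LAN range, field layout and threshold are assumptions. The tell-tale is a LAN host opening connections to many unrelated Internet addresses on ports 23 and 2323 (the two the released code scans) rather than the handful of addresses a DVR legitimately talks to.

```python
"""Spotting a Mirai-style telnet scanner from inside the network.

Added example, not the botnet code or the author's tooling.  The flow
records are constructed; the LAN range, field layout (timestamp, source,
destination, destination port) and threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}                          # the ports the released code scans
LAN = ipaddress.ip_network("192.168.1.0/24")       # assumption: the DVR's network

# Constructed flow log: a DVR at .77 sweeping the Internet on telnet ports,
# a PC at .50 doing normal DNS/HTTPS, and an admin at .60 reaching the DVR.
FLOWS = """\
2016-10-02T03:00:00 192.168.1.50 8.8.8.8 53
2016-10-02T03:00:01 192.168.1.77 203.0.113.9 23
2016-10-02T03:00:01 192.168.1.77 203.0.113.44 23
2016-10-02T03:00:01 192.168.1.77 198.51.100.3 23
2016-10-02T03:00:02 192.168.1.77 198.51.100.91 2323
2016-10-02T03:00:02 192.168.1.77 192.0.2.17 23
2016-10-02T03:00:02 192.168.1.77 192.0.2.200 23
2016-10-02T03:00:03 192.168.1.77 203.0.113.120 23
2016-10-02T03:00:03 192.168.1.77 192.0.2.5 23
2016-10-02T03:00:03 192.168.1.77 198.51.100.77 23
2016-10-02T03:00:04 192.168.1.77 203.0.113.201 23
2016-10-02T03:00:04 192.168.1.50 93.184.216.34 443
2016-10-02T03:00:05 192.168.1.60 192.168.1.77 23
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def telnet_fanout(text, lan=LAN):
    """Distinct off-LAN destinations per LAN host on the telnet ports.

    LAN-to-LAN telnet (an admin logging into the DVR) is deliberately not
    counted; it is outbound sweeps of the Internet that mark a bot.
    """
    fanout = defaultdict(set)
    for _ts, src, dst, dport in parse_flows(text):
        if dport in TELNET_PORTS and src in lan and dst not in lan:
            fanout[str(src)].add(str(dst))
    return fanout


def suspected_scanners(text, min_targets=8, lan=LAN):
    """LAN hosts that hit at least min_targets distinct Internet addresses
    on telnet ports.  A bot reaches that in seconds; nothing legitimate
    on a CCTV network does."""
    return sorted(h for h, targets in telnet_fanout(text, lan).items()
                  if len(targets) >= min_targets)
```

Run against the constructed records, the DVR at 192.168.1.77 is the only host flagged; the admin session from .60 to the DVR on port 23 is ignored because it never leaves the LAN. Fed from a router’s flow export, this is a cheap way to find out whether the box you put behind NAT has nevertheless been reached and recruited, which is also the moment to pull its power and then block outbound 23/2323 at the gateway so it can’t rejoin the herd.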

I’ll be updating this article in the next few days once I’ve checked out a few facts concerning the code.