"Just want to get rich and give you fucktards in the West the middle finger. [...] human society deeply disgusts me."
Yes. No thanks to egoists who just want to get rich and give everybody the finger...
A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft's latest operating systems. The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain …
Sorry, but "everybody is a greedy a**hole" does not fly as a good excuse. But, yes, there are too many of those, good description of what is wrong. But essentially, by stopping using that excuse and trying to be a decent human being things might improve - maybe only on a local level, but hey, that's a start!
(still, I totally support going BOFH on those who deserve it - isn't it ironic, don't you think?)
"the main problem in the West are greedy people who just want to get rich, and don't care about anyone else"
WRONG. You are merely pandering to the "bourgeois vs proletariat" (i.e. communist manifesto) perception of "us vs them" and if you believe that, you're circulating your misconceptions amongst those who agree with you, and it proves NOTHING.
If you want to get down to it, the problem is the same one that's been there as long as there have been humans: A small group of elitists MANIPULATE PEOPLE and seek to CONTROL THEM, usually for nefarious purposes. Usually you find them in GOVERNMENT. People in BUSINESS, on the other hand, generally see everyone else as CUSTOMERS and, if they're smart, treat them accordingly.
A good customer is like gold pressed latinum. yeah even the Ferengi would agree.
People act according to THEIR OWN SELF INTEREST. period. I guarantee you there is NOBODY out there so altruistic (except maybe Jesus) to put EVERYONE ELSE ahead of himself and be self-sacrificing, etc. etc. etc.. Even those who jump on grenades have a self-interest in mind, such as "do it for the Corps/Country/friends". It may even be a matter of PRIDE. And this is _NOT_ a BAD thing... it is a GOOD thing!
So if you assume people act according to their own best interests, those in business WILL make money [because losing money loses the business, duh] and they will pay their investors, who ONLY invest to earn money, and their employees, who ONLY work to earn money, and so on. Then when the free market determines the proper return for investments and what wages the work is worth [and not gummints, special interests, unions, etc.] then we're ALL better off, because it works _WITH_ human nature and not AGAINST it.
SO if you you're looking for a SOURCE of "the problem", start with GUMMINTS, then ORGANIZED CRIME (almost the same as 'gummints' in many cases), then SOCIALIST ORGANIZATIONS and those who donate to them [i.e. Soros], as well as WHINY ACTIVIST JUDGES (and their l[aw]yer buddies) who ENABLE much of this.
Yes, Bob, but the problem with the US at the moment is you have an awful lot of large IT companies for whom the customers are advertisers and politicians, and the likes of you and I are the sheep they want to shear.
You ought actually to read Marx instead of thinking you know what he said, because he explains how capitalism works. And he isn't wrong, in fact he forecast later developments pretty accurately. Which is why the cons and neocons made a bogey of Marx; because they didn't want the sheep reading the book and understanding the function of the shearer.
Marx foresaw that capital would end up in fewer and fewer hands and that therefore they would control ever more of society, battening on people by controlling the supply of housing and food. If you have a monopoly or a combine monopoly of essentials for life, your customer retention is not a problem.
I have a vote in elections for the government, I have no vote in Facebook and no realistic prospect of buying enough shares to control it.
> forecast later developments pretty accurately
Which ones? Stalin? Pol Pot? Mao? Gulags? Katyn massacre? Great Leap Forward? The systematic rejection of individual choice in how to be governed, i.e. democracy, as implemented by his subsequent followers? The total failure of planned economies, past occasional initial success phases, time and again? Inquiring minds would like to know.
Unfettered power, by corporations, individual or governments has an extremely high risk of abuse. Dogmatism and the claim to know better than everyone else is one way to get there.
On the other hand, whatever you think of modern capitalism, it has had to tone down, or at least cover up, its greed a bit since the 1850s and Marx was very much a driving force behind things like unions or paid holidays getting adopted. Sure wasn’t the robber barons’ first choice.
I have a vote in elections for the government, I have no vote in Facebook and no realistic prospect of buying enough shares to control it.
A vote in elections is not quite enough to control the government either. But otherwise your point is valid: one is accountable to the public (more or less), the other is accountable to no-one by biggest bidders. In theory.
You are right and right and right. Its the first in years outside academia that I see someone actually talking about Marx with any knowledge of what he postulated.
I must add to your point that where history proved Marx wrong is not regarding his prediction on the trend in capitalism... Its was his prediction that the poor and powerless would somehow be organised and develop a common identity and rise up against the capitalist. In modern societies, they instead kick the dog, beat their wives, shoot their neighbors and drown their sorrows in drugs, the bottle or TV...
Mr 'Bombastic',
You were doing quite well untill the last paragraph !!!
Even the comments regarding 'GUMMINTS' and 'ORGANISED CRIME' could be considered fair.
BUT
the rest states more about your own biases (Political or otherwise).
From my experience there is nothing intrinsically special about 'Socialist' organisations that make them any more or less likely to be a problem .... ditto for Judges.
The general problem applies to all Political organisations of all flavours, where the 'Echo Chamber effects' encourage 'groups' to believe that they are special and normal adherence to the laws of the land are deemed not necessary as they 'know better' !!!
people act according to their perceived best interest
Even a passing glance at history or the relevant psychological research shows that is not true in general. People act according to a complex of psychic motivations which usually operate pre-consciously, and thus well prior to any reflective consideration of self-interest (accurate or not).
Conscious consideration of self-interest or other goals may condition those responses, and sometimes people correct their initial reaction following reflective consideration.1 But on average perceived self-interest is far from being a primary conditioner of behavior.
1It's also debatable whether various sorts of psychological rewards which are orthogonal or opposed to material advantage are in the subject's "self-interest", because self-interest can be defined in various ways. Ultimately this is a matter of definition, though, and there are certainly those who would lump, say, the satisfaction of an addiction or the reinforcement of a pleasing self-image, even at material cost, into "self-interest".
I was reading, back in the dear dead days beyond recall, the Clintonite 1990s, rather successful western companies were paying Chinese factory workers 13 cents [ USD ] an hour when a living wage there was 6 times that; and the Chinese government took the line that any job no matter how ill-paid was generous simply because it was a job; and over in the Economic Zones of the Philippines workers were paid $56 a week for 12 hour days with compulsory overtime if you wanted a job in the morning, and only 2 bathroom breaks a day: plus a shanty-town to live in when not working. Which wasn't that often.
Interestingly enough, the Filipino GUMMINT endorsed all this, banned the wicked UNIONS, and kept the workers safe from talking to SOCIALIST ORGANIZATIONS, and refrained from collecting TAXES, as the corporations were lured with tax holidays that either rolled over or began anew with a phoenixly reborn business at a rate which would have bought a blush to Companies House in the days when any rascal could buy an off-the-shelf company with useful tax losses as easily, and for roughly the same cost, as we pay for a domain now.
.
FUCK THE FREE MARKET.
.
Plus women risked infertility from the chemicals supplied by the companies.
"How about simply being a decent human being? How about realising that we are all beholden to each other to make this world a better place? How about simply acting like a damn grown up?"
Well, without meaning to do a modern paraphrased Godwin, maybe if Trump had not decided to attack the 'East', forcing major Chinese companies to be isolated and forced down a route of nationalism on a whim then there would be less people trying to disrupt Western tech companies.
I agree with the sentiments that sharing exploits to stop the 'bad' people exploiting them is admirable, but the more there is a war between Western and Eastern tech the more the underground cyber attacks will surely continue.
>How about simply being a decent human being?
This one cuts both ways. As has been pointed out, a big (US) company is making money out of this software - are the people with the chequebooks being "decent human beings" by not rewarding bug finders at rates that reflect the work involve?
I thus suggest "decent human beings" don't expect everyone to cover their own costs and work for free. In some respects I suggest finding a security hole and them crafting an exploit to use that hole is more akin to creating a work-of-art, so perhaps bug finders should be sending the results of their work to auction.
> In some respects I suggest finding a security hole
>and them crafting an exploit to use that hole
>is more akin to creating a work-of-art,
>so perhaps bug finders should be sending
>the results of their work to auction.
Funnily enough that is more or less what is happening - a PC with half a dozen bits of famous malware is up for auction
Just being a decent human being doesn't pay the rent, nor buy food. I don't know, but I'm guessing that finding these vulnerabilities takes weeks and months of research. Couple that with the fact that much of this research will be speculative and yield no fruit. Maybe it's Microsoft and friends who should start "acting like grown ups" and start paying these researchers properly for their results.
Just being a decent human being doesn't pay the rent, nor buy food.
Actuially if we were all to act like decent humans, there would neither be a need to pay rent nor </buy> food.
I'm growing enough of certain things that I can give away more than I can eat. One of my neighbours grows other things and also gives away more than they can eat - so between the two of us we're more than sufficient in certain fruits and veges. We have the two smallest (by 1/2!) plots on the block (and it's not a small block), lots of other houses with lots of room out back for decent gardens, and people with enough time on their hands to tend more than one of these plots. Our neighbourhood could be self-sufficient for fruit and veges if we worked together.
Among us we also have the means to repair any vehicle or structure, any computer or electrical repairs, even a plumber just up the road. But as a whole we'd rather pay a lot to someone 20 miles away than a little to the neighbour two doors away.
And yes, we have people who can prepare timber for building.
If we were to "be excellent to each other" then, well, much of the world's issues would be long gone. All it really takes is a little sharing with your neighbour, helping them to help someone else who can help you out.
How about realising that we are all beholden to each other to make this world a better place? .... Timmy B
Now when that is not exactly true, it can become problematical, Timmy B. Just ask Tony Blair. It does though make for a much more helpful approach to implementing solutions when true.
Whenever UKGBNI Parliamentary Governance Collapses do GCHQ's Special IntelAIgent Services Break Cover in InterNetional Defence of the Realms with Other Worldly Wise Solutions?
Novel Channels of Creative Discourse for Practical Realisation ..... Earthly Virtualisations for SMARTR Populations being one such AIMasterPlan in Advanced IntelAIgent Developments.
I totally disagree. We are, and rightly should be, looking after each other. Just because some people don't it doesn't mean that the principle doesn't stand. .... Timmy B
How very odd, Timmy B, that you should disagree with a comment that agrees with you.
That's a failure of intelligent information parsing, methinks, and that can very easily be problematical.
@Timmy B: "How about simply being a decent human being?"
Well, she's gone public, and the exploit will get patched, so there's that. Someone who was utterly nefarious would have either tried to sell the exploit on the QT, or used it themselves to hold people's data hostage, and she's not done that. What it makes me wonder is if she's the first person to discover these vulnerabilities, because better funded state institutions have entire divisions of people looking for them. State actors don't share, they don't get stuff patched, they hoard exploits (or try to, sometimes their hoards get discovered) and they use those exploits against their own citizens. So she's achieved one goal, the middle finger has definitely been given to the West's intelligence community.
I agree that one should be a decent human being and do the right thing and I or any/most of you would do that. On the other hand, many Corporations make most of their money in the developed economies and outsource their work to the developing economies whenever possible or simple reduce staff leaving existing staff with an increased workload. I find it very hard to have have any sympathy for any of them.
There seems to be widespread opinion in the hacker community (insofar as such a thing exists) that SandboxEscaper has emotional and behavioral issues. I don't mention that as an excuse for her behavior or to reconcile her statements and actions, but merely to point out that critiquing her as hypocritical or unethical somewhat misses the point. From what I've heard, I'm not sure she can be rational, in a sustained way, about these behaviors.
It's unfortunate because she's clearly a talented software-security researcher.
All of SBE’s vulns have been of the same class.
That’s not a dig at SBE. That’s a dig at MS. When you find a vuln, the best thing to do is assume they’ve screwed up in the same way more than once and go looking for the same mistake elsewhere in the code. It’s a very efficient method of finding vulns.
The first bug that was dropped was a fair while ago, and sounded like it could well be endemic. MS, with source code home advantage should have gone to town finding where else the same type of mistake had crept in and fixed it. Instead, we have this...
MS, with source code home advantage should have gone to town finding where else the same type of mistake had crept in and fixed it. Instead, we have this...
I agree but no self respecting middle level PHB is going to sanction the minions to go on a crusade searching for similar issues. It's that person's mission to hide all issues from their upper management.
When you find a vuln, the best thing to do is assume they’ve screwed up in the same way more than once and go looking for the same mistake elsewhere in the code. It’s a very efficient method of finding vulns.
That should be part of standard bug fixing process. That and trying to come up with some kind of change (code, or even process) that would make such a bug hard to repeat in future or at least raise a red flag if it did.
Wrong simile. If you don't like eating cabbage, you can not eat it.
Once you're born here, it doesn't matter if you like it or not : there's only one way out.
That is, until we have at least one colony somewhere else, but I suspect that that bitch would still gripe whatever the planet/moon/space station.
Not quite. You can eat things you don't like (starving people will), or find something else you like more. If you don't like where you were born you can try to change it. You don't have just the choice to leave. Though that is one choice.
Simile works as I didn't use an example where you were forced or eating would kill you. It's just a preference.
There's plenty in Western society to be disgusted by, but in tramping the wilds avoiding human contact, she is bypassing communities full of people that have similar feelings.
In my experience most people simply want to live reasonably comfortable lives amongst similarly-minded people, and are not out to screw everyone else. What disgusts her about Western society is largely driven by politicians, business leaders and those who aspire to 'elite' status who, for sure, just want to be rich and give the middle finger to everyone else.
Her words condemn her as being just the same.
Guess she has Aspergers syndrome and this has not been pickup up by the environment earlier. Asperger people can be great contributors to society, but they often can't deal with people around them and need much personal space. Often being bullied in early life gets these kind of results, but under all the hard talk, most aspergers just want to be good people...
Really she's just immature. .... Timmy B
As per any young Villanelle, Timmy B? That would be almighty challenging and rewarding helping her and sister spirits grow unbelievably strong and secure in host environments ..... Pandoras' Boxes Servering Lead Intel to Invested Clientelle for All Powerful AIMaster Command and Control Leverage/Virtually Almighty Great Game Play ‽ .
In a mad artificial world do the really crazy follow or lead media trails with daily tales from or for Seriously Vetted Source Centres/Misinformation Hubs/Disinformation Networks?
There is quite a difference and marked advantage in being one for rather than from the other.
"any young Villanelle" - IRL not just any, amanfromMars, and there are much one might be agree with in this pathetic sentence/sentiment (-:
The next year hike trip is being planned since this post. One knows the agenda. AId invite valid.
"still active on at least one other social media site. Some of those posts concern details of her (sadly quite troubled) personal life."
You are correct.
Unfortunately, Google now makes you log in using a valid Google account to read her blog.
From reading earlier entries in her blog, it seems her troubles were either caused by, or made worse by, her belief that the FBI wanting to "get in touch" with her.
Hence, her middle finger held high to the West.
“.. the exploit code .. clobbers pci.sys's access permissions so that it can be modified and overwritten by the user, thus opening the door to privileged code execution.”
Didn't the Morris Worm use something similar, injecting a command into the task scheduler that over-wrote the password file.
Not really. The Morris Worm exploited vulnerabilities in fingerd, sendmail, and rsh/rexec. It did attack passwords, but not by overwriting /etc/passwd.1 It tried some heuristics and a small dictionary against the password hashes;2 according to a 1984 study this approach could be expected to succeed on about 30% of accounts on typical UNIX machines of the day.
The fingerd exploit was a BOF against gets() - perhaps the quintessential BOF, and likely the impetus for the interest in stack-smashing that eventually led to Levi's famous phrack article.
The sendmail exploit abused the DEBUG command in sendmail, which was essentially a deliberate command-injection vulnerability, from a more innocent era.
The use of rsh/rexec wasn't a program vulnerability but the architectural insecurity of the r-commands, which were often configured to allow remote execution to local users without credentials. The Morris Worm used that mechanism to spread among machines within organizations that used the r-commands.
See Spaf's analysis for more details.
1It didn't know anything about the shadow password file, which some UNIX variants, but not all, had started to use in '88.
2UNIX crypt-derived passwords of that era were salted hashes generated by iterated DES encryption of a zero block using the password as the DES key. Due to the salt and the network bandwidth and storage limitations of the time, the worm had to rehash the dictionary for each salt value; it couldn't use a precomputed dictionary. Obviously retrieving hashes and doing an offline lookup or attack would have been more efficient, but dangerous (the cracking server could be identified), and in any case password cracking wasn't the worm's main goal or attack vector.
No, it wouln't. I doubt that Micrsoft's customers are all blind or braindead - they are, however, hopelessly addicted.
Some are trying to fight that, which is why many, many servers in the corporate world are being switched to some flavor of Linux. The advent of Google Docs, among other things, means that small businesses no longer have to have Windows on their machines, so progress is being made.
In any case, punishing users for the master's failures is unfair by any count.
The advent of Google Docs, among other things, means that small businesses no longer have to have Windows on their machines, so progress is being made.
Is that not:
(a) swapping one proprietary file format for another and;
(b) voiding business secrecy and privacy via another route (instead of Windows 10)?
I know the answer to (b), but on account of not being in a position to use Gdocs (because of aforementioned (b)) I have no idea in what format that works so I would genuinely like to know.
Due to some politics and security requirements we mainly use Libre/OpenOffice and derivatives and use the European government document standard, ODF. There are maybe 2 machines left in our company with MS Office, also because we have no great wielders of spreadsheets (Excel is about the only product that has no comparable competition).
No and no.
A) Google docs works in open formats (as well as Microsoft closed formats), and works on anything that can run a browser, including a totally locked down read-only secure boot device.
B) Google paid business platforms have a totally different privacy policy to their free consumer products.
I would prefer to use Google docs over office any day, it works much better, and is massively cheaper, per seat and TCO
they change that shit without warning. at least when I ran office, if i didn't connect to the internet and didn't update the software, i had a stable operating environment.
I work with Google APIs (gmail, oauth, drive, calendar) and when I go in to configure something and they've changed it AGAIN and I have to poke and stab at it to find what I need, that is my major frustration with web / mobile applications.
other than that caveat, i can do some really cool stuff.
Dunno, if smart - which appears to be the case, why not toss out all sorts of fake clues. All intelligence community "state actors" do that - make it look like some other country or actor did it. Anyone can find a buncha pictures, you don't have to take them yourself.
(cough)UMBRAGE(cough)
So, theory would be it's some fat American slob in mom's basement wanting enough dough for more video games or similar?
This post has been deleted by its author
If this person is going to sell vulnerabilities then I would assume that she will quickly become of interest to various government agencies. She wouldn't be too hard to find as she's happily posting her destinations. A quick delta of flights into the local areas of her treks should quickly narrow down the list of perps.
someone with the security know-how to spot bugs like that COULD _EASILY_ earn more than this amount in an annual salary by being a Linux admin or security professional consulting with businesses, etc..
The criminal mindset, however, precludes making this wiser [and less risky with respect to legality] choice.
I think I'd get a salary that's TWICE the 60k, every year, doing a legit IT admin position, with everything else that comes with it. You know, like the BOFH. Despite the occasional problems with management, users, consultants, sales-droids, and so on, there's a nice 2nd floor window...
If a user can create an arbitrary scheduled task to run any given executable, it's game over anyway.
That Windows helpfully repermissions your file that you want to run from a legacy imported scheduled task is really just icing on the cake.
Presumably pci.sys is used because it's a "known" signed file that Windows trusts anyone to activate?
Ordinary users should not have the capability to schedule tasks, nor should they have the ability to access the folder where scheduled tasks are kept, nor should they be able to execute arbitrary executables. Hell, they shouldn't even *see* the scheduled tasks panel, there could be privileged information in there!
The problem is not some "new" exploit... it's just the same old complete lack of security on basic features, and "trusting users" the same way people did back in the days of Windows 3.1 or DOS.
Why? Plain users may have several reason to schedule tasks, and you don't want to give admin permissions to every user who may need to schedule a task.
Even in Linux you have per-user crontab files and jobs.
The fact that the task scheduler should be better implemented is a different thing.
SandboxEscaper's blog post reminded me of this classic.