* Posts by MuleD

18 publicly visible posts • joined 20 Jun 2024

Pentagon declares war on 'outdated' software buying, opens fire on open source

MuleD

Re: Morons Are Governing America

Funniest comment I have read in a long time....

MuleD

Re: Morons Are Governing America

Warning Opinion follows---- The problem with Agile is that it is a race to the bottom in most cases. The concept of "Minimum Viable Product" should have been a hint that there was trouble on the horizon. The key word is "Viable" and to those who look at a project from an enterprise perspective Viable has a different meaning than the business unit who is paying for the project to be done. To the business unit Viable only means "gets what I need done done"

Krebs throws himself on the grenade, resigns from SentinelOne after Trump revokes clearances

MuleD

El Reg...you disappoint me

Let me start off with I am a HUGE supporter of The Register and normally find them generally non-partisan and I believe they try to stick to the facts as they see them BUT...they disappoint me with this article and specifically its title "Krebs throws himself on grenade..." The Reg is fully aware that Chris Krebs and Brian Krebs (of Krebs on Security) are two different people and while they are in the same field using a play on their names rubs me the wrong way. The Reg knows full well that some people just scan headlines and skim articles and that they will assume that this is Brian Krebs making this sacrifice. Brian Krebs is a beloved cybersecurity cornerstone, Chris Krebs is a corporate executive. I wish the article would have made that distinction. --Mule

Trump fires NSA boss, deputy

MuleD

Re: Dear Donald....

Don't forget those Fentanyl smuggling Canadian Geese. I have been suspicious of them for YEARS, with their beady little eyes and overly large bodies. Their ability to fly long distances in that suspicious vee formation. Have you ever noticed that the Right side of the vee is always longer than the left? Probably in a subtle nod to the MAGA right, letting them know their true allegiance. --Mule

Google makes end-to-end encrypted Gmail easy for all – even Outlook users

MuleD

E2EE question

Maybe I am reading this wrong or just don't understand E2EE but if it were true E2EE how would Google or anyone else be able to use their AI to stop Spam and Phishing? It would seem that to do any type of content analysis someone has to be able to decrypt the email. Am I missing something?

FCC boss urges speedy spectrum auction to fund 'Rip'n'Replace' of Chinese kit

MuleD

Spectrum Auction suspicions

In the spirit of "never let a good crisis go to waste" What if:

The whole Chinese/Huawei issue is really a sort of trojan horse or in more military terms a Feinting Maneuver with an end game of pushing large segments of population to use a frequency spectrum that the government already has monitoring and backdoors built into? I am not saying that Salt Typhoon isn't real because I am pretty sure it is a real thing but what if all the hoopla about Huawei and pre-loaded malware built in the firmware is really just a giant game of three card monte and we are the marks because no one realizes that the game was already lost before they even put their money down.

More telcos confirm China Salt Typhoon security breaches as White House weighs in

MuleD

Typical nonsense

"Federal Communications Commission (FCC) launched a public rule proposal requiring basic cybersecurity practices for telecom carriers."

I am losing hope that there is anyone in charge that actually has a clue about technology in general. Do they really think the 9 Telcos that were breached are not currently spending billions and employ some of the best cybersecurity talent money can buy? These are Fortune 100 companies that already adhere to NIST, and CISA and a dozen other standards these dolts in DC have never heard of. It's like they think we need to buy more bullets to counter an enemy with a plasma weapon. We need a different strategy not "more" of what got us to this place.

MuleD

I sent this article on to our Public Information Officer as an example of "clever" language. Like you Beast I immediately caught the non-committal language of "at this time" and I actually kind of agree with it. I suspect they don't actually know for sure if they have kicked the Chinese out or not. --MuleD

Telegram will now hand over IP addresses, phone numbers of suspects to cops

MuleD

Re: compromising position

Pagers --- a booming technology---Too soon ??? --MuleD

MuleD

Re: compromising position

I guess those rose colored glasses make everything a little better. Maybe I should get some. OR Maybe the concept of "Truth" or "Reality" went out the window a LONG time ago. Question everything, believe nothing, live in the moment. --MuleD

MuleD

Re: compromising position

Excellent points. Kind of reminds me of the old Prison saying "Three can keep a secret but only if two are dead". I know a bunch of 1% bikers who will never do any "alleged crime" with anyone else present. Not even their club brothers, exactly because of the reasons you stated in the last paragraph. At the end of the day most people will save themselves first not to mention the "due care and diligence" that they will not do because it's just too much trouble.

I am nearing the end of my career but maybe I will live long enough to see some group of smart chaps invent some type of communication method that is 100% untraceable forever. The kind of thing that even if the inventors wanted to cooperate with someone they would not have the ability. --MuleD

Admins wonder if the cloud was such a good idea after all

MuleD

Tearing my F&*king hair out

To start with I am old. I have been doing computer security for 25 years now so my opinion is jaded. BUT....

I Fu#*ing told you so.......For years I have been shouting into the void that a "cloud solution" should not be thought of as a cost savings strategy. It might be a great solution, I am pro-cloud for a LOT of things, but just because it has the word cloud in it does not mean it's "faster, better, cheaper". I am not sure who first started saying that the cloud will be cheaper but they need strung up by their balls and twisted. It was Shakespeare said to "kill all the Lawyers first" I vote for the salesmen second. --MuleD

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

MuleD

Criminals Don't Care

What nonsense!!! I read through almost all the comments on this article and in my opinion most missed the underlying issue. Criminals don't care if they "cause unnecessary panic, potentially undermining trust in public health messaging". We in the Information Security world get paid to think like criminals, ponder the absolute worst case scenarios, mingle with those who have absolutely no morals, conscience nor soul. Modern media has done a huge disservice to the general public portraying "hackers" as a bunch of fat, pimply faced nerds living in their mom's basement looking for on-line places to hide their porn collections. OR personable anti-hero types a la Mr. Robot. Organized crime does not care if the money comes from an orphanage or from Satan himself as long as the money keeps flowing. Somehow we have to convey the seriousness of our adversaries to the general public. I have tried the softer easier way, no one listens. I say go to the whip. The Russian FSB and the US Navy SEALs have an acceptable loss (death) rate in training and while that's awful the point is that they recognize that if you want extraordinary things you have to be willing to go to extreme measures. I feel bad for the CISO who undoubtedly was told to issue an apology or lose your job immediately instead of having 90 days to look for a new job. Live in the real world, not the world you wish it was. ---MuleD

MuleD

Re: Priorities?

AhhhMeeennnnnn Brother.

Palo Alto Networks execs apologize for 'hostesses' dressed as lamps at Black Hat booth

MuleD

What a Sorry State we have allowed Black Hat to become!!!!

First and foremost no one should discriminate, a cyber attacker is neither male nor female they are simply an adversary.

Secondly, Grow the F*&K up and put your butt hurt feelings away. I don't have time for them. Black Hat started out as a raucous bunch of nerds getting stupidly drunk and geeking out together. In the beginning there was much more outrageous behavior than paying two people to stand in a spot with a lamp shade on their head. Black Hat and DEFCON were never intended to be for the general public!! They were offensive by design and those who participated in them accepted the fact that there would be outrageous, offensive and over the top behaviors. There is a reason a bunch of techno geeks picked Vegas for this event. Black Hat needs to get back to its roots and take a step back from corporate sponsorship. My only complaint about what happened at this event is that they were not inclusive enough. There should have been hot guys with lamp shades, hot midgets with lamp shades, hot dogs with lamp shades, hot aliens, maybe a naked Trump with a lamp shade. Do you see how ridiculous everyone sounds when they try to project their version of morality on someone else? If it offends you don't go. We don't want your PC asses here. Stay away while we will keep overpaying the bartenders in low-cut shirts, the strippers in G-strings and bouncers to let us in clubs we would never be allowed in if we weren't rich techno geeks.

If you REALLY want to be offended next time you are in the vendor area at a large conference take a look around and see who is manning the booths. You will see something very similar. Young, skinny, pretty and excited to pass you off to someone who actually knows something about the product the company is selling. "Booth Girls" as they were called back in the day really did have something to complain about because they were also encouraged to accompany potential large spending executives. These unfortunate women really are told "put out or get out" we need this guy to buy our shit. But, nobody seems to be raising such a big stink about something that happens every week at various conferences.

Too late now for canary test updates, says pension fund suing CrowdStrike

MuleD

CrowdStrike did bad.....BUT

There is no doubt that CrowdStrike has a mess on their hands and that mess is going to be ugly and expensive. But, before we completely crucify them maybe we need to look at some history and how we got here. Channel files exist for a reason, they are updated the way they are for a reason and CrowdStrike got access to write Kernel drivers for a reason. That reason is market demand...Go back in time and look at how some of the antivirus definition files had to be distributed via SMS or some kind of script. The unacceptability of such a time delay between a known signature and an AV update was too great and led to some of the early virus variants being able to spread like wildfire. The solution..... "Channel Files" they update automagically, they meet the need for a quick reaction time that security is demanding, there is no testing delay from the customer because most don't even know they have an option to say no to them and lastly they come from big trusted names in the industry. Certainly they are doing testing before they push them out (sarcasm added for effect). And for years this model worked great, until it didn't. Some readers will be old enough to remember when Symantec did nearly the same thing back in the day and broke a bunch o' shit. We the customers are asking nearly impossible things from CrowdStrike. React instantly, never miss a threat and never make a mistake. I get that we pay them well for what we are asking BUT I think back to my first project management training almost 39 years ago when the instructor explained the Triple Constraints of Time, Quality, Money and that you can only have 2 out of the 3 at any given time. In order to get the Time line we are demanding at a price point we are willing to pay CS had to make choices, one of the choices we ALL agreed upon when we allowed them to update Channel files without our own internal testing or even change control approval was that Quality might suffer. From all I have read, this was a human error. A big one and an important one but a human error nonetheless. If we want perfect we are going to either have to sacrifice speed or money. That's the unfortunate reality of the triple constraints. No matter how much the Board or the C-Suite does not want to hear this message. There are some facts that even the all great and powerful cannot change. Just my thoughts, feel free to disagree.

EU gave CrowdStrike the keys to the Windows kernel, claims Microsoft

MuleD

Kernel Level Access who gets it and why

Time to pull out the tin foil hat. If I were an Intelligence agency with unlimited funding and unlimited access to large companies and I wanted access to everything I would demand that some of the big players in the market allow Kernel level access to seemingly above board software producers and then take a page from the Bad Actor playbook and pivot through some of the vendors who have been given low level access.

That PowerShell 'fix' for your root cert 'problem' is a malware loader in disguise

MuleD

SMB Attack Vector

IF I were a bad actor looking to target a specific segment, such as those with elevated privileges, this type of attack might be perfect. Hear me out on this before you lambast me with criticism. Clearly this attack should not work on seasoned System Admins, PKI Admins, cryptographic gurus etc. BUT....There are millions of small and medium businesses out there who have one overworked system admin or worse yet an "IT Guy" who is also the shipping manager and the building coordinator whose job it is to keep the computers running. Even if these unfortunate souls have a little formal training on Windows Servers it's very likely that they have no training on the black magic that we call cryptography or certificate servers or PKI. In fact I will bet you my private key that they run from the topic because the one thing they know is that a certificate problem can have major impacts and they don't want to be embarrassed when they don't know how to fix it. Sooooooo, if you made the bait look official and like something MS or GoDaddy or CISA would put out about fixing a certificate error, Bob's your uncle, you're in, at least with some. Then once you own the SMB you can see what deep pockets targets the SMB has connectivity to. --- Just a Thursday morning thought-- MuleD