* Posts by GnuTzu

704 publicly visible posts • joined 1 Feb 2015

Page:

US Congress: Spying law is flawed, open to abuse, and lacking in accountability – so let's reauthorize it

GnuTzu

Re: Just goes to show that

Duocracy is just another word for damned if you do, damned if you don't.

Russia-backed crew's latest malware has discerning taste – when screening visitors to poisoned watering holes

GnuTzu

Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

...should have been eradicated long ago. But, no; this is why we have the Internet of Turds, as well as other embarrassing foolishness.

GnuTzu
Thumb Up

Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

"Are they going to try to push YouTube updates?"

Short answer: of course they will... along with many other chameleon-like variations--at varying degrees of effectiveness/deadliness.

But, getting down to fundamentals...

I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams, made such delivery easier, and therefore increased the rate of delivery. After all, that's what technology does. But, when we hear that there's a "new" scam, all I see is just a new variation of a repackaged scam, delivered by a slicker, faster method.

Once we decided that users should be prompted to allow an update, we effectively created a procedural convention that could be leveraged by fakes.

The fundamental problem is making it impossible to fake an official notification. Basic rule of security: you can make things harder, slow the rate of compromise, and mitigate the risks/costs--but you can't make fakes impossible--just costlier.

And then, if you've bothered to read this far, there's that final unfortunate trade-off. Barriers to fakes usually make things harder on users (think TSA), so we don't build the best barriers in the hopes that users will tolerate and comply with the ones we put in place. It's a bit of a juggle.

Flash is just one of those pervasive things that should have died long ago. It's persistence is simply easily exploited. It's a bit of low-hanging fruit that should

Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...

GnuTzu

I was able to capture this for Chrome, but not Edge.

The sample size for Edge was 1231 and included content from Google search results, Bing search results, CNN, CNBC, and others.

Someone's going to dig much deeper to be sure, though.

GnuTzu
Thumb Up

Re: GnuTzu - Proxy

Yes, CA certs for Chrome can in fact be pushed through GPO.

GnuTzu
Thumb Up

Re: GnuTzu - Proxy

Yes, but as long as we can add our own CA certs through GPO, we can fix that with SSL inspect/intercept. It'll really get scary when they start to try and take that ability away.

GnuTzu

Re: Proxy

P.S. One should wonder about what it means when tracking data is collected from browsers within businesses, say ones doing PCI or HIPAA, or government agencies. How about credit agencies, eh, Equifax?

GnuTzu
Megaphone

Proxy

Strip it out, proxy admins!!!

Secret-sharing app Whisper shared secrets like last known location and actual password tokens in exposed database

GnuTzu
Joke

Shhh, keep your voice down; no one's supposed to know.

Staffer emails compromised and customer details exposed in T-Mobile US's third security whoopsie in as many years

GnuTzu
Thumb Up

...as an annual event.

Actually, I'd at least like to see some special liability laws. You know how corporations hate regulations. So, let's just make it really easy to sue them into the grave.

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

GnuTzu
Unhappy

Re: Others have found this

"...too big to care."

Seems that's the precursor to too-big-fail. It'll be a sad day if the government ends up having to bail out cloud providers.

Anti-trust laws just aren't what they used to be... as if they were ever enough in the first place.

Fancy that: Hacking airliner systems doesn't make them magically fall out of the sky

GnuTzu

Re: Natural vs. artificial intelligence

..."human senses aren't."

Someone should decide where inattentional blindness fits into that. (https://en.wikipedia.org/wiki/Inattentional_blindness)

GnuTzu
Black Helicopters

Re: Natural vs. artificial intelligence

The synergy between the two will become part of the evolutionary process that leads to humans and AI becoming intertwined. Insert whatever dystopian scifi future you find fitting here.

Meanwhile, social media and addictive consumerism is programming the next generation of humanity, with the expectation that the data analytics used in that will eventually be guided by AI (assuming that isn't already secretly the case). And, these marketing and psyops strategies are now increasingly employed by political parties. We are so doomed.

GCHQ's infosec arm has 3 simple tips to secure those insecure smart home gadgets

GnuTzu
Trollface

How about a belt sander--done in short segments and turned into a slow motion video of a thing being eaten away layer by layer. Add special effects of oozing guts to taste.

Or, maybe a time lapse in a hydroflouric jar acid or suitable corrosive.

Departing MI5 chief: Break chat app crypto for us, kthxbai

GnuTzu
Joke

We know they'll never stop

But, I have to wonder if hackers will eventually have their own lobbyists pushing for this.

Rotherwood Healthcare AWS bucket security fail left elderly patients' DNR choices freely readable online

GnuTzu
Thumb Up

Ridiculum feles sunt in Tela undique

GnuTzu
Facepalm

"There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets..."

The thing is, I used to think this was missing. Well, maybe it once was. And, I suppose it could be better.

Yet more and more, it seems that there are too many out there throwing together projects at a level that is of the Dunning-Kruger variety.

AWS could well require a check box for a disclaimer form that would require acknowledgement that reasonable security scanners, development principles, and testing must be employed. But, we live in a click-through World.

Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments

GnuTzu
Thumb Up

Re: Infrastructure

That clarifies FIDO's claim nicely. Thank you. And, from a professional perspective, you're first point is well taken. Yet, my alter ego will be keeping an eye out for any emergent dysfunction. Funny how I end up supporting these things in the work place and railing against any emergent dysfunction elsewhere. Such is half a matter of professionalism and half a matter of having no choice but to support brands that I wouldn't have in my home due to their monopolistic control.

GnuTzu

Re: Get rid of the commercial middlemen

Thank you for answering my previous question. However, I fear your second point is in peril, given the list of sponsors that I found at the FIDO2 web site. This tends to cement what my spidy sense had warned of--that they fully intend to build an infrastructure controlled purely in the commercial space, leading to gawd knows what other kinds of evil. Oh wait, they're claiming not to be evil--even to prevent evil. Where have we heard that kind of thing before? I wonder if one might find a hint on their sponsor page.

GnuTzu
Thumb Up

Re: Infrastructure

Yes, some of us do have ways to manage passwords reasonably. If we don't get options, as some now offer, then this becomes a Harrison Bergeron issue. In fact, that would be another clue something fishy is going on, forcing everyone onto a platform designed for those who do a bad job of managing passwords.

GnuTzu

Infrastructure

Any commentary out there that is reasonably intelligent yet paranoid (short of the full-blown tin-foil hat variety) on this?

I've had a look at the sponsors of this project, and my spidy sense is tingling. The technology claims: "The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device."

Given the industry motivation for super cookies and other technologies designed to circumvent our efforts to not be tracked, I should wonder what kind of profiling might be in the future that would make their claim a blatant and utter lie.

Google exiles 600 apps from Play Store for 'disruptive advertising' amid push to clean up Android souk's image

GnuTzu

Re: Disruptive ads

They come and they go. I tolerate the ones that have the "skip ads" button, for the illusion that I seem to get to vote down the bad ads. It's the 5-second ones I despise, and I just close the tab for those--as if that somehow compensates for being abused. If they get bad, I'll start using an ad blocker.

As for Amazon Streaming, they started showing ads for every viewing--and most of them are horrid. So, I quit Amazon entirely. When I quit Amazon Prime, there was that warning of how many hundreds of dollars I had saved on shipping. I just laughed; I wasn't going to be paying for any more shipping with Amazon. They should have worried about how many thousands of dollars in revenue they were losing--because of abusively persistent advertising. Hah!

GnuTzu

On A Related Topic...

It would be nice if ad services could be held accountable for what sellers put into their services. That is, do ad services perform reasonable screening of the content coming from a seller, and can the ad service be liable for any resulting damages? Until that situation gets fixed, there are organizations in which ad services are blocked at the proxy--as a potential source of malware.

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai

GnuTzu

API management seems to be the term du jour, with Google's offering being Apigee (not that I know all that much about it). Web services would reasonably need all the traditional security tools that a web server on the Internet should have. But, these are being expanded and enhanced for web services (though, there are surely others more knowledgeable about this than I).

GRU won't believe it: UK and US call out Russia for cyber-attacks on Georgia last year

GnuTzu

Re: Attribution can be hard but...

Could become the next non-existent WMD.

Don't use natwest.co.uk for online banking, Natwest bank tells baffled customer

GnuTzu

Re: URL Shortener

BTW, I know there are shortened-URL resolvers out there. Anyone know of a browser addon that resolves a shortened URL in a pop or such? Or, is this just a fantasy?

GnuTzu
Facepalm

Re: URL Shortener

Come to think of it, https://www.natwest.com is the exact length of the shortened URL's--which makes https://natwest.com shorter than the shortened URL's.

I'm not going to bother to look, but I suppose they were either login, support, or announcement pages. Still, it would be so easy to launch a phishing campaign with shortened URL's for this incident. Why condition customers to think that such a practice is normal?

GnuTzu

Qualys Results on the 404

Heh, had to look... Whether or not that's really the bank that they threw up the temporary server issuing the 404, it gets a B's and C's for weak TLS settings (no TLS 1.2 but does do TLS 1.0, etc.)--in addition to the name mismatch--not that there's anything worth securing there. I guess it was more important to get that out there quickly then well. But, it shows what happens when you don't keep up with your renewals?

(To be fair, the other destinations came up A+ though.)

GnuTzu
WTF?

URL Shortener

"The correct address is : https://t.co/..."

Does anyone want to try to convince me that the use of URL shorteners in a security discussion is a good practice or good example for the general public?

Shipping is so insecure we could have driven off in an oil rig, says Pen Test Partners

GnuTzu

Re: Same old same old

Capsize...

It's 2020, and I'm just getting so board with this.

Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy

GnuTzu
Thumb Up

Re: I'm baffled

Wow, that really put a bizarre idea in my head. (Oh, and upvote on your point about validated statements.)

What if the voting app hacked your banking app to cause you to make a massive donation to the wrong candidate.

I'm glad it's Friday. I'm seriously going to need to get toasted this weekend.

Android owners – you'll want to get these latest security patches, especially for this nasty Bluetooth hijack flaw

GnuTzu
Thumb Up

Re: Re:A joke?

You're not alone. But, I'd like to see a decent survey of how many actually selectively turn their blue tooth off. Here's a proposed survey:

Q: How much time do you leave your blue tooth off?

1. Oh, do I need to see a dentist?

2. I just leave everything at the default settings.

3. I put the phone in airplane mode when I'm not expecting calls.

4. I only turn it on when I need to make a call.

5. I refuse to use it all together.

6. I rooted the phone and ripped out the drivers so that some malware can enable it against my will.

My answer is 4.

Sketchy behavior? Wacom tablet drivers phone home with names, times of every app opened on your computer

GnuTzu
Joke

"...they detailed it in their privacy policy."

Ya know, if this was really the way everything was supposed to work, then you'd see this sign at the entrance of every store: "By entering this store, you agree to the terms of service and privacy policy of this store. A copy of these policies can be obtained at the service desk within."

And, of course, products would also come boxed with this statement contained within: "By opening this box, you agree..." etc.

We're being sucked in to forfeiting our rights with hidden legalese. This can't go on like this forever.

Is Chrome really secretly stalking you across Google sites using per-install ID numbers? We reveal the truth

GnuTzu

Re: Randomly change what's sent back ?

And, if you're a proxy admin for a big organization, why share your company's data with google. Just strip those headers out.

Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket

GnuTzu
Facepalm

Re: We trusted them!

Dunning Kruger is rampant in IT. There's an imbalance in how people learn. Some focus too much on hacking. Some spend a decade or more in only one job and think the whole World works that way. Or they've only worked with only one kind of hammer and everything is just the kind of nail that such a hammer is for. And, watch out for the ones with sledge hammers. And, then there are those with long strings of certs after their name--and still have to be told how things work.

Finally, if it happens that you are in fact competent and work for those who are not, how are they going to be able to recognize that competence?

Your mobile network broke the law by selling location data and may be fined millions... or maybe not, shrugs FCC

GnuTzu

Re: Ugh.

"strings" yes... puppets of the duocracy.

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

GnuTzu

Re: How?

When your an administrator writing an init script or parsing logs from a properly authenticated shell, to a point, yes. When your writing a service for which a TCP or UDP port is opened to the entire Internet... well, to what degree do you want to be low-hanging fruit?

GnuTzu
Thumb Up

Re: How?

Well, I'll add to the votes then. It's like one of those fools writing a CGI program with Bash and not validating parameters... or with Perl and failing to use taint properly.

If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

GnuTzu
Thumb Up

"A plague of ignorance and misplaced priorities in government and law enforcement..."

I love that opening line. It just the foundation of everything, isn't it? I almost didn't read the rest of the story.

2015-member database floats off through breach in Royal Yachting Association's hull

GnuTzu

Re: Old Salt

To go with the hash from the mess hall.

GnuTzu
Pint

Re: To the lifeboats.

Now they're in the drink. Have a beer.

Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

GnuTzu
Thumb Up

Re: Hmm....

And, to state it more explicitly: any hacked phone would do to hide the true origin, so there must be a motivation to hack a dignitaries phone. But, why these two? What kind of war is someone trying to start?

Still losing sleep over that awful Citrix bug? This scanner is here to help... you realize you've already been pwned

GnuTzu
Thumb Up

"Code is super buggy these days..." That point is worthy of comment. Once upon a time, one would have hoped for some logarithmic leveling off of bug growth. But, today's code growth, in fact code library growth, does not appear to be linear. Big-O notation for it is likely a bit messy, either polynomial, exponential, or the product thereof. So, what does that say for bug growth? Anyone got any solid statistics for identifying a trend?

Ooh, watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine

GnuTzu
Devil

Re: "Private" not private

Verizon and Microsoft sitting in a tree, K I S S... Or, is it more disgusting than that? Certain South Park episodes are coming to mind.

GnuTzu
Thumb Up

Initially, yes. But, anything that grows large enough to have its CEO replaced by some soulless Wall Street type, as had happened to Google, will likely end up just as soulless. Surely, Verizon has one of those Wall Street types too. Their makeover is just can't be all that trustworthy.

GnuTzu
Thumb Up

And, don't forget, DuckDuckGo has is own anti-tracking add-on, which I use alongside Ghostery, EEF Privacy Badger, No-Script, and a UTM stripper. And, the UTM stripper is important, because there are just so many sites wanting to optimize their Google ranking that they just can't help giving Google everything it wants.

Spanking the pirates of corporate security? Try a Plimsoll

GnuTzu

Re: Mandatory rewards for bug disclosure and fines for failing to fix

Since you mention finance, I have to say that I've always been annoyed that PCI certification is not revealed/presented publicly. The banks get to see it, but the public does not.

Privacy activists beg Google to ban un-removable bloatware from Android

GnuTzu
Megaphone

Then on top of that, how would Google enforce it--if it actually did care? Manufacturers may well pull the same kind of sleezy data-slurping hackery that got us stuck with super cookies. If they're willing to hack a way for them to get around our tools to not get tracked, then they'll surely find similar sleeze code for bundled apps. {insert-my-usual-rant: we-consumers-need-our-own-DMCA-protection-from-corporations}

Google scolded for depriving the poor of privacy as Chinese malware bundled on phones for hard-up Americans

GnuTzu

Google Executives Not Who They Used To Be

We already know that the top executives are leaving behind the "don't be evil" mantra. I mean, have already left it behind.

So, pre-installed apps that can't be uninstalled and have control over permissions isn't the real news. The real news is that they are overtly visible apps and not something hidden behind the scenes. So, now it's brazen evil.

Page: