Posts by Joe Dietz

afterall why should space science be special?

If we aren't going to do R&D for things that matter directly to people - like medical research... why would we then continue to fund things that only indirectly make my life better?

I've no idea what motivates the fool, but his goal is fairly obvious - destroy the USA as a superpower... and NASA is very much symbolic of the USA being a superpower... its gotta go.

(basically, it's pretty simple: take the literal meaning of anything he says and invert it - that is what he actually intends to do).

One could argue that it is _sticking_ with 'the core' for too long that has been the downfall of Intel. X86 had it decades.

Its obviously a govt project... but

... how exactly how do you spend $10B if you are going to use 'already existing' assets to build it?

Try it with mv

In the dawm of time I downloaded something called "linux" onto recyled NT3.1 floppies donated to our school by Microsoft. Rushed home installed for several hours. Acheived root.... typed: "mv / /tmp" ... and things got weird fast. Think that bug was fixed somewhere in the 0.98 kernel release.

This sort of reminds me of the trend in retail of check my ID when I buy beer. I'm nearly 50. I'm not sure what purpose this actually serves. You can check my id all you want, but it doesn't stop me from handing off the beer to the teenager waiting outside one bit. (I don't do this... but it all comes down to trust eventually doesn't it?).

TLS is broken, cert longevity has nearly nothing to do with that. It's broken because the CAs don't really do their job either because they are run by MBAs or because they exist to be shady... and due to politics browsers end up trusting a lot of CAs that I don't really want to trust ever. Furthermore, unless you actually use DNSSEC fully the domain I'm connecting too isn't necessarily mapped to an authoritative IP address...which can have a perfectly valid cert from letsencrypt.

Very much an easy thing to say... and obviously the view of somebody that has never built any software, nor has to actually pay for the result. The thing about software is it just doesn't work that way. You can design with the best of intentions build in quality at every step and really grind on it... and still have bugs. NASA is an interesting example. They spend some crazy amount _per line_ of code and still crash into Mars about half of the time when they do something new.

The truth is security is an manageable risk that is in the rounding error of the net productivity that software brings to the user.. even if its insecure by design, especially given that insecure by design is the only _usable_ design. I mean hell.. the internet isn't very secure.. but we get by.

CISO isn't a technical role

It's my job to talk with CISOs. I've discovered there are a few types:

1) former 'technical' person. Probably worked on a SOC team or did some red teaming at some point in their carrier. They view CISO as 'defend the network'. These guys tend to fail in the boardroom but tend do a competent job with what little budget they get.

2) former 'cops'. Law enforcement, legal backgrounds, program managers for TLAs etc. They view being a CISO as 'risk management'. Do somewhat better with the board room, but also tend to be a bit brittle since they have impostor syndrome pretty hard with their technical team that reports to them.

2b) Subset of 2 that has done X things that have now 'solved security'. These are the ones that get hacked hard.

And finally, I'll take objection to the Senators statement:

"The cyberattack against UHG could have been prevented had UHG followed industry best practices," said Wyden, concluding his rousing letter-cum-tirade. "UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors"

MFA is a good thing, but the REAL question is how did somebody already have credentials? They were already breached, and they still haven't found root cause.

Okta and MFA has nothing to do with it.

If you have a renewable token with access to things... that is a post authentication token. It's a shared secret between you and whatever API that honors it. If I as an attacker happen to read it out of your browser's session data... (which is exactly what an info stealer like Lumastealer which is the specific variant cited here does) I have the exact same access as you do, and if its renewable, I can get new tokens just as easily. Info stealers aren't after your passwords as much because to use them they need to also defeat MFA... but who needs a password if you already have access with a token?

Bet this never flies.

The program is going to get cancelled or redirected yet again or simply underfunded until one of those happen.

You can't fix people, but you CAN fix tools!

Actual blog post link: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html

And a hearty hear hear! "You can't fix people, but you CAN fix tools! "

Its not just the door plugs...

It's obvious Boeing is culturally bankrupt. It's not just the MAX fiasco. And the door plug was one week after a previous 'ground them all' inspection where there where loose bolts on a safety critical system in the tail assembly. This shit should be checked and rechecked... probably IS being checked and rechecked and it's still wrong.

The Starliner program has also had some serious issues. And not just the ones on flight hardware where it didn't quite make it to orbit. They managed to also take _checkout photos_ to document the state of the parachutes on a drop test that clearly showed one of the parachutes was NOT connected to the airframe... and somebody then proceeded to pack the parachutes in that state. I'm sure they are ISO compliant in more ways that I could even imagine... but compliant isn't the same thing as giving a damn about quality. I mean good news! 2 out of the 3 parachutes opened, good thing for redundancy... but wow, they had _photos_.

A one time payment is nice, but what we need is a recurring revenue stream...

Ransomware is a business, not a tactic. The trend in this business is towards 'Surprise backups' of victim data. Ransome isn't quite the right word; blackmail is more like it.

Imagine you have gained control over a law firm, it has many people's secrets in their files and a professional obligation to protect those secrets. You could 'sell' a onetime license to the law firm so they can avoid using their backup.... Or you could sell an _annual_ subscription service of not telling others about all of their secrets. Any MBA will tell you that the recurring revenue is better... and so much harder to defend against.

As an EV fan... still rings true

I've had I think 6 EVs now:

- 1 Chevy Spark EV died due to a minor crash that caused the insurance to total it due to the cost of electronics.

- 1 Chevy Bolt EV was sold on the used market at a loss - it was basically a Chevy malibu and had tons of software glitches and piss poor design possibly due to the retro fit.

- 1 Tesla Model X died 30 minutes after delivery upon arriving home. Some sort of central computer had stopped working. This was a COVID build, so Elon himself may have fitted the QA failed part from the scrap bin in it himself. Twas returned to Tesla.

- 1 Chevy Spark EV died after 2 years due to the charge controller failing. GM was unable to find a replacement board after 9 months of it sitting at the dealer... I got a buy out check from them.

... Kia rental EV was 'fine'.. but it was a rental so who knows what happened after I returned it 9 months of me driving it around....

- current Nissan Leaf - still going strong. Very boring car... but I've high hopes of it having a natural end as a result.

The Chevy Spark EV is still my favorite... But I suspect the fundamental problem is that people expect more from EVs due to the price, so the normal build quality issues stand out more and when it does go wrong, its very wrong. What you might accept in a $25k malibu, you are going to be pissed about in a $37k bolt.

Passwords are all vanity if you leave the post auth token laying about.

The real action is in getting post authentication tokens. All I need to do is read your tokens out of your profile directory and I _am_ you to whatever you happened to be logged into. I don't need your username or your password, and I don't care if your MFA is legit or SMS. I'm still _you_.

VT is just a static check...

Malware and the AV engines that VT is aggregating across are so 1990s. Attackers don't send you malware. They sent you _links_ to malware, or better yet they Macgyver it from bits you already have on disk using duct tape and zip-ties. In this case a fairly pedestrian dll abuse to download malware as part of an update.

As such, checking your binaries against VT isn't going to flag anything, and a goodly amount of the time neither is your AV scanner. This was a multi-stage attack - the malware part that VT would be able to flag is downloaded much later in the attack.

NSS: "Broadcom buy of VMware may be bad for competition"

Duh, but hardware as to why it would be bad? Seriously? Hardware is just going to keep on working with vmware, it's nearly impossible for it to not. You should be far, far more concerned about the _virtual hardware_ being inaccessible. The choice is VMW or "the cloud". AWS, Google and Azure look forward to this acquisition no doubt, THAT is the bad you should be worried about.

Fear the future? Change the past.

I'm pretty sure my Irish and Scotts ancestors didn't come to the USA because they woke up one morning and decided to emigrate. There were reasons; possibly including judicial murder, starvation and general religious suppression. Those same ancestors went on to homestead in the west, in some cases literally over the graves of the previous inhabitants. Apologies are owed all around... but this is an accounting that simply can't be settled. Learn and live for the future.

Is linking to the Kaspersky report that you quoted at length under sanction? Cite your sources please.

VMWare _is_ the cloud competition... but not as a cloud

The EU and really any government that has the public interest in mind should look _very_ skeptically at this... Not only from a competition standpoint, but a national security one as well. VMWare is the only technically viable and operationally mature alternative to 'the cloud'... A Broadcom acquisition would very likely shift things to a 'big 3 cloud or nothing' set of alternatives.

I see zero reason to think Broadcom would handle vmware any differently than CA or Symantec... VMW _is_ legacy tech and sort of 'missed that whole cloud thing' despite some frankly confused efforts in the past few years to 'also run' on the cloud. Unlike CA of SYM, VMW also happens to be very, very, important legacy tech and should not be meddled with.

Solution seeking problem

Like many cool things... if the first step is 'change everything': you've failed.

Successful technology improves upon the previous generations or layers in a way that acknowledges the technical history and keeps the old stuff working. See also: Windows backwards compatibility (yes, yes - they seem to have lost their way here a bit... but it built an empire for sure). Unsuccessful technology asks you to first change everything and do something a new way. See also: IPV6.

The later _can_ work... but it has to be pretty damn compelling.

As a software engineer, never work for a hardware company (and vs. versa no doubt)

I was at McAfee during the Intel era... It was always a complete mystery to everybody wtf it meant to put 200+ MB of MD5 hashes 'into the silicon'. Though it was apparently on several executive bonus plans that we needed to increase sales of 'sockets', not that anybody in McAfee mgmt chain had a clue how to make that happen. I'm pretty sure the confusion on the Intel side was pretty much the same.

See 'security'... as Intel understood it meant door locks, 'security' as McAfee understood it meant 'background checks'. I could see a sort of world where those two notions worked together... but customers where not that interested in paying _more_ for the privilege and given how Intel slices up their CPU features in pretty arbitrary ways... you end up with the 'why does this brand-new computer not run windows 11' problem all over, or in this case 'why does my door-lock fail open'. Thus ended any actual engineering attempts to bring those ideas together.

I'm not sure much has changed, but the main thing is software businesses should be software businesses.

Win11 may like _new_ CPUs but that doesn't mean what you want it too....

I spent a fair amount of time yesterday learning about the 'Bitmask Manipulation Instructionset 2' (BMI2) and in particular why a library I'm using was causing a #UD fault on a brand-new Windows 11 laptop from Asus. The reason is that it's an 'Intel Inside' (aka 'Celeron') and... despite meeting the weighty requirements for windows 11 lacks some Haswell era instruction sets. (Answer is to recompile the library with some defines that do things the hard way). Mind you, I know this is a cheap laptop, that is why I purchased it since I'm developing software and want to know the worst-case performance scenario. Naively I was hoping that win11 at least meant we could count on some sort of baseline of cpu features from say 2013. Nope.

I can't see the value to me ...

I can't see myself ever joining a union, nor could I really see myself staying at a business that had one form. Stagnation follows.

Utter bollocks. Cars? That is just loony.

The only party this deal is good for is Mr. Dell. VMware, its customers and employees will suffer, Broadcom is buying an empty bag of air because it plain does not culturally match VMware even a little bit, it literally can't help but kill VMware. What promise VMware held out for customers... some sort of neutral cloud layer... Well they will find they can run on AWS and Azure just fine without it not long after this goes through.

This reminds me of when Yahoo rejected a takeover offer from Msft. Msft's offer was way more than they eventually fire sailed it off for. It almost seemed like Musk woke up one morning bought 9% of twitter on robinhood and _then_ discovered that despite all of the noise... twitter isn't really that central to that many people's lives. Take the money and run fools.