Posts by Joe Dietz

I'm all for getting rid of passwords, but passkeys != security

Passkeys have security value because it stops password reuse across domains and eliminates the need to write them down if I didn't and forces the attacker to shift tactics. But stopping credential theft outright, not as much.

For years now attacks have shifted focused on post-authentication credentials. It doesn't matter at all how you authenticate an account if you leave the resulting shared secret lying about on your local device waiting for somebody to drop by and read it/use it. OAuth tokens are particularly bad here because they are frequently not validated against other factors like the sending host (or even if they are, clever reverse proxies are not that unheard of), or even password resets (looking at YOU Gmail password resets!), have a long lifespan (again Google) and are frequently renewable (Google).

I run a ransomware research system. We make no effort at all to cloak that we are running samples in a virtual machine. For certain _some_ do refuse to run when they detect the virtual machine... But we get healthy malicious activity from at least 30% of them. This is mostly payload execution, so in the real world the bits you want to hide from anti-virus and avoid analysis have already come and done their thing. So, while running vmware tools does prevent some infections... it's not a sure thing. It's cheap insurance though, so why not?

I'm going to hold them to this promise of no more updating...

I've taken the view that no more updates is what I'm after. Honestly, about the only thing I *might* need an update for is a network facing unauthenticated 0day in the kernel. But I do have a firewall, so not that scared about it either. And for the rest, patched or not, your just as vulnerable since nearly all attacks involve HUMAN BEINGS sitting at the keyboard clicking on things. Can't patch that.

I for one welcome the new more stable windows 10 without 'updates' to break shit constantly.

Barking up the wrong tree as usual.

Most vulnerable drivers are vulnerable because the design exposes APIs that do dangerous things to anybody that happens to be able to load the driver. (I'm looking at _YOU_ DELL, HP, ASUS! ... and many many others...) an actual _exploit_ is rare and kind of a 'meh' issue when the design level problems are a bigger issue.

This sounds far too intellectual

Why would anybody think the orange one would be interested in something that was thought out planned, or worst of all desired by experts?

Solution problematizing

The whole thing is very much a classic find a problem my solution solves! NPU being the solution DuJour. And ironically having created a massive (privacy) problem they are not using the NPU to solve it! Brilliant sh*t!

I expect whoever dreamed up copilot wasn't aware of 'browser tabs' which is more or less the reigning scheme for handling remembering wtf I was last doing... and its working just fine thank you.

This is classic Intel. They get into something, pour lots of money into it and find a few customers... but do not become an instant success overnight... management pulls the plug hard and customers find out because the folks they worked with at Intel stop showing up to previously scheduled meetings. Nobody with more than a few years' experience would ever adopt an Intel technology that wasn't a core CPU chip because they don't have any staying power. Which of course is why they can't seem to find any markets outside of their core CPUs... nobody wants to work with Intel and get burned when they pull the rug out from under them suddenly in two years' time.

The only surprising thing here is that this distro had a 10 year run.

The first step to recovery is admitting you have a problem. Hopefully a step now taken.

afterall why should space science be special?

If we aren't going to do R&D for things that matter directly to people - like medical research... why would we then continue to fund things that only indirectly make my life better?

I've no idea what motivates the fool, but his goal is fairly obvious - destroy the USA as a superpower... and NASA is very much symbolic of the USA being a superpower... its gotta go.

(basically, it's pretty simple: take the literal meaning of anything he says and invert it - that is what he actually intends to do).

One could argue that it is _sticking_ with 'the core' for too long that has been the downfall of Intel. X86 had it decades.

Its obviously a govt project... but

... how exactly how do you spend $10B if you are going to use 'already existing' assets to build it?

Try it with mv

In the dawm of time I downloaded something called "linux" onto recyled NT3.1 floppies donated to our school by Microsoft. Rushed home installed for several hours. Acheived root.... typed: "mv / /tmp" ... and things got weird fast. Think that bug was fixed somewhere in the 0.98 kernel release.

This sort of reminds me of the trend in retail of check my ID when I buy beer. I'm nearly 50. I'm not sure what purpose this actually serves. You can check my id all you want, but it doesn't stop me from handing off the beer to the teenager waiting outside one bit. (I don't do this... but it all comes down to trust eventually doesn't it?).

TLS is broken, cert longevity has nearly nothing to do with that. It's broken because the CAs don't really do their job either because they are run by MBAs or because they exist to be shady... and due to politics browsers end up trusting a lot of CAs that I don't really want to trust ever. Furthermore, unless you actually use DNSSEC fully the domain I'm connecting too isn't necessarily mapped to an authoritative IP address...which can have a perfectly valid cert from letsencrypt.

Very much an easy thing to say... and obviously the view of somebody that has never built any software, nor has to actually pay for the result. The thing about software is it just doesn't work that way. You can design with the best of intentions build in quality at every step and really grind on it... and still have bugs. NASA is an interesting example. They spend some crazy amount _per line_ of code and still crash into Mars about half of the time when they do something new.

The truth is security is an manageable risk that is in the rounding error of the net productivity that software brings to the user.. even if its insecure by design, especially given that insecure by design is the only _usable_ design. I mean hell.. the internet isn't very secure.. but we get by.

CISO isn't a technical role

It's my job to talk with CISOs. I've discovered there are a few types:

1) former 'technical' person. Probably worked on a SOC team or did some red teaming at some point in their carrier. They view CISO as 'defend the network'. These guys tend to fail in the boardroom but tend do a competent job with what little budget they get.

2) former 'cops'. Law enforcement, legal backgrounds, program managers for TLAs etc. They view being a CISO as 'risk management'. Do somewhat better with the board room, but also tend to be a bit brittle since they have impostor syndrome pretty hard with their technical team that reports to them.

2b) Subset of 2 that has done X things that have now 'solved security'. These are the ones that get hacked hard.

And finally, I'll take objection to the Senators statement:

"The cyberattack against UHG could have been prevented had UHG followed industry best practices," said Wyden, concluding his rousing letter-cum-tirade. "UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors"

MFA is a good thing, but the REAL question is how did somebody already have credentials? They were already breached, and they still haven't found root cause.

Okta and MFA has nothing to do with it.

If you have a renewable token with access to things... that is a post authentication token. It's a shared secret between you and whatever API that honors it. If I as an attacker happen to read it out of your browser's session data... (which is exactly what an info stealer like Lumastealer which is the specific variant cited here does) I have the exact same access as you do, and if its renewable, I can get new tokens just as easily. Info stealers aren't after your passwords as much because to use them they need to also defeat MFA... but who needs a password if you already have access with a token?

Bet this never flies.

The program is going to get cancelled or redirected yet again or simply underfunded until one of those happen.

You can't fix people, but you CAN fix tools!

Actual blog post link: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html

And a hearty hear hear! "You can't fix people, but you CAN fix tools! "

Its not just the door plugs...

It's obvious Boeing is culturally bankrupt. It's not just the MAX fiasco. And the door plug was one week after a previous 'ground them all' inspection where there where loose bolts on a safety critical system in the tail assembly. This shit should be checked and rechecked... probably IS being checked and rechecked and it's still wrong.

The Starliner program has also had some serious issues. And not just the ones on flight hardware where it didn't quite make it to orbit. They managed to also take _checkout photos_ to document the state of the parachutes on a drop test that clearly showed one of the parachutes was NOT connected to the airframe... and somebody then proceeded to pack the parachutes in that state. I'm sure they are ISO compliant in more ways that I could even imagine... but compliant isn't the same thing as giving a damn about quality. I mean good news! 2 out of the 3 parachutes opened, good thing for redundancy... but wow, they had _photos_.

A one time payment is nice, but what we need is a recurring revenue stream...

Ransomware is a business, not a tactic. The trend in this business is towards 'Surprise backups' of victim data. Ransome isn't quite the right word; blackmail is more like it.

Imagine you have gained control over a law firm, it has many people's secrets in their files and a professional obligation to protect those secrets. You could 'sell' a onetime license to the law firm so they can avoid using their backup.... Or you could sell an _annual_ subscription service of not telling others about all of their secrets. Any MBA will tell you that the recurring revenue is better... and so much harder to defend against.

As an EV fan... still rings true

I've had I think 6 EVs now:

- 1 Chevy Spark EV died due to a minor crash that caused the insurance to total it due to the cost of electronics.

- 1 Chevy Bolt EV was sold on the used market at a loss - it was basically a Chevy malibu and had tons of software glitches and piss poor design possibly due to the retro fit.

- 1 Tesla Model X died 30 minutes after delivery upon arriving home. Some sort of central computer had stopped working. This was a COVID build, so Elon himself may have fitted the QA failed part from the scrap bin in it himself. Twas returned to Tesla.

- 1 Chevy Spark EV died after 2 years due to the charge controller failing. GM was unable to find a replacement board after 9 months of it sitting at the dealer... I got a buy out check from them.

... Kia rental EV was 'fine'.. but it was a rental so who knows what happened after I returned it 9 months of me driving it around....

- current Nissan Leaf - still going strong. Very boring car... but I've high hopes of it having a natural end as a result.

The Chevy Spark EV is still my favorite... But I suspect the fundamental problem is that people expect more from EVs due to the price, so the normal build quality issues stand out more and when it does go wrong, its very wrong. What you might accept in a $25k malibu, you are going to be pissed about in a $37k bolt.

Passwords are all vanity if you leave the post auth token laying about.

The real action is in getting post authentication tokens. All I need to do is read your tokens out of your profile directory and I _am_ you to whatever you happened to be logged into. I don't need your username or your password, and I don't care if your MFA is legit or SMS. I'm still _you_.

VT is just a static check...

Malware and the AV engines that VT is aggregating across are so 1990s. Attackers don't send you malware. They sent you _links_ to malware, or better yet they Macgyver it from bits you already have on disk using duct tape and zip-ties. In this case a fairly pedestrian dll abuse to download malware as part of an update.

As such, checking your binaries against VT isn't going to flag anything, and a goodly amount of the time neither is your AV scanner. This was a multi-stage attack - the malware part that VT would be able to flag is downloaded much later in the attack.

NSS: "Broadcom buy of VMware may be bad for competition"

Duh, but hardware as to why it would be bad? Seriously? Hardware is just going to keep on working with vmware, it's nearly impossible for it to not. You should be far, far more concerned about the _virtual hardware_ being inaccessible. The choice is VMW or "the cloud". AWS, Google and Azure look forward to this acquisition no doubt, THAT is the bad you should be worried about.

Fear the future? Change the past.

I'm pretty sure my Irish and Scotts ancestors didn't come to the USA because they woke up one morning and decided to emigrate. There were reasons; possibly including judicial murder, starvation and general religious suppression. Those same ancestors went on to homestead in the west, in some cases literally over the graves of the previous inhabitants. Apologies are owed all around... but this is an accounting that simply can't be settled. Learn and live for the future.

Is linking to the Kaspersky report that you quoted at length under sanction? Cite your sources please.