Posts by mutin

speculation without knowledge id BS

It would be good to read some comments concerning technical details of this article or MS info or Iran's hacking in general. However, ALL went to whistle rather than moving -political speculations without any real ground. Iran will not help in political games to President Tramp and neither Democrats. Both are enemies to Iran. So, hacking was not about US politics, President Tramp and stupid attempts to hurt the President basically on nothing. So, the article speculation is pure BS and the most of comments as well. The real purpose was either money or information. The same as China, N. Korea and others alike.

Trump is right

All is very simple. Only people who do not know the situation on US borders joking around. I've seen how guys coming in track loads and useless attempts of police to catch them. That is in Arizona. Each person illegally coming costs us money. Stopping them will reduce waste of our taxes. That is not about liberty or what ever human rights. Did you like crows coming from Middle East for better life in EU in millions? More likely you do not. Trump talks about money. Mexico cannot stop? Ridiculous! They definitely can but just do not want such headache. Then - pay for your inactivity. That is the same story as of narco-traffic. It cannot be stopped by one country. That requires mutual efforts.

Of course, #1 is China, the second is Russia, and Saudis are attributed to aftershock. But, the problem is that the university as well as CalTech and others is full of Chinese student. Would be nice to know the percentage of China funded students in each of ivy league. That is much more risk than any ZTE or Huawei. Americans cannot pay MIT astronomical number of $70K/year. Plus, US basic school education cannot compete with Chinese. Guys there drilled and grilled while at school. Within 10 or 15 years China will not need to spy on US technology anymore.

what?

What service? Informing of attacks and helping (!) to resolve? Redmond? Unless they collect info from other reputable sources, that will be just crap. Or they figured out how to index and search Dark Web?

Fun never ends!

They gonna say Ooops! right?

What people are usually saying when found that pwned? Oops ... we do not believe!

With all China great reputation for hacking and stealing secrets what else is needed to stay away from them handling your major resources?

May be some influx of Chinese immigrants to keep Merkel happy?

security is not chinesity

I wonder about stupidity of both guys caught by Apple security, see the article how that happened. China is known very much for stealing secrets. So, why to hire a guy with certainly weak background (dad in China, i.e. the family is there) for the secret project when it was already the same kind of case?

Do not tell me about EOE when we see in US East Coast IT departments 100% guys from India. So, just avoid hiring guys with questionable background. Or we do not have enough American citizens to do coding? Then why? Would it be better to educate guys here for free than exporting potential spies?

I also see very bad security level at Apple secret facility - guy was able to copy from network (!) to his personal storage (!). Why do they permit storing secret files on personal computers? Apple network does not work?

It seems to me that Apple is fitting in the case "security by obscurity". They are building Maginot Line to defend while not so stupid guys can always go around.

so many concerns - about what?

I'm not in London, I'm in THE US. And frankly, do not understand people's concern. may be with the exception of wasting tax money. All your faces are in ID/passport etc. systems. All your faces have been captured on various security cameras. recorded and saved and kept for long time. So, what is your "privacy" concern over guys playing hi-tech toy with low level of success? Liberty and overall liberals' politically motivated speculations when nothing wrong happened and will not? Anybody detained, behind bars?

As I always said being CISSP - do not expect any privacy when you are in public space, do not use Internet if you are worry about you freedom rights, do not encrypt email as it is useless. Only people who have something to hide should worry about stupid hi-tech toys. Ask guys for your picture and have a fun!

old news sometimes not a bad news

BMC actually is not "baseband management controller" but Baseboard Management Controller. And alterations of management system in BMC flash memory have long and great story. You guys can take a look back in 2008 when Russian guy found hidden hypervisor in Intel motherboards. If you do not read Russian see the site www.rubos.com for both Russian and English. The people who think it is minor stuff can possibly change the mindset. See also articles on malicious hypervisors there. Have a fun!

Another inconsistence in this article that to change management software one needs root access. Actually not. Root is about "ring-0" level. And root belongs to the OS. System management software is ring -2 and that is two levels down from root. It is really funny that people do not know that such embedded software CANNOT be identified from OS level using any currently available security means. Sorry, it is ring -2.

components of critical infrustructure

Technically speaking, Huawei equipment installed in a country Internet infrastructure seems as controlled by local specialists and not by guys from China. Not entirely correct. The update of Huawei equipment will come from China. It means UK guys wasting time checking the code. They are checking "public" version. An update to new "private" version may easy bring as many backdoors as China government wants.

People who did not read about world and particular China history do not understand Chinese mind set. It was last 5000 years the country of slaves, I would use "robots" as it is much closer. It was always the upper not even class but a group of governing people. Not Emperor but his closest circle always ruled the country. Nothing changed. CH government while presenting as "modern communists" are actually the some junta as before. 5000 years back. And current purpose is to dominate the world. They have 1,500.000.000 people, they have a lot of cash, and they sent millions young people to study in the best Western universities. US universities of the best quality occupied by Chinese. The idea is very simple - we have money, we have #1 industry, we want to be the technical and thus real leader of the world. The problem still exists - by gens, Chinese guys cannot think free as Western race. China still needs inventions, trade secrets - in general - ideas. Millions of slaves can do manufacturing but cannot do ideas. So, millions youngsters in the US and other Western countries is the attempt to create a class of Western-thinking technology leaders.

Until they overcome their nature, they will need backdoors and other hacks in Chine Made equipment.

Patching? Actually it should b Vulnerability Management cycle

Auto patching system may fail. I've seen that. In particular funny (sorry) was that I explained IT director that vulnerability scanning is standard way to check if patching works. He was not idiot but ... So, when they hired IT boss on the top of him and we resumed scanning, we found that 30% of computers were not patched while system reported they were. Then virus outbreak happened on the top of multiple vulnerabilities.

So, patching we discuss here IS NOT THE GOAL. It should be always Vulnerability Scanning after.

Is it possible to do within a month? Very hard. Almost impossible considering complex IT systems. The only one success story was when I did VM for Navy installation of 4,000 computers ten years back. Somehow IT guys managed to patch and I was able to do my scanning. Since that I see only sad stories.

The chaos result of of what we have now was created by IT giants rushing for profit no matter what.

They created the environment of "IT jungle" where we - the food for predators and them aka "hackers" - will coexist forever. The only one way to limit your risks is to limit your Internet connections. Pack your bag, forget your computer and go South. Bingo.

yet another good news about Kaspersky

So, guys want to be on bad news again. They created a buzz after being caught on collecting and sending user info to Russian FSB and following US government embargo to use. That damaged reputation and others are following US government, or at least thinking. Instead of paying something even if not legally obligated, they want the K-name to be in discussion again. However, IT/Security world is not a Hollywood. Bad reputation is really bad thing.

I would suggest researches to sell Kaspersky related bugs on open market as K-guys are really cheap and in bad shape financially. Or PR is stupid as it gets.

Money goes where people retire

I understand Oracle's concern. A piece of big pie is worth of trying.

I impressed that Pentagon is going to trust cloud while it has been proved that clouds are less secure than traditional local enterprise infrastructure.

However, the story background is different from public. Such huge money usually appear on play table when one of a few high ranking generals are going to retire. Somehow happens that they finally lend up in companies which were rewarded contracts. After a few months of legally required waiting period.

I've see myself such story when US Navy decided to build useless Navy and Marine Corp Intranet and a few billions got in IT companies. Participating admirals finally moved in IT companies chairs.

The same happened with Vivek Kundra who was Obama federal CIO and ended up in Salesforce which got 50 millions. After hiding in Harvard hole for six months.

No leadership - no security.

I commented on a few posts. Now are my 10 cents.

It was never a time when US government agencies had good security. May be CIA and NSA. But others, including DoD, are affected by internal politics. IT never wanted independent security management. However, CIO will never be good CSO, and first of all because there is ONE budget for everything. Only at the end of 2016 OMB got Director of Security, which still reports to Federal CIO. The worse case was Obama ruling. His first CIO nearly escaped jail right in the beginning of his job. But having absolutely no knowledge or experience in security this Guy Vivek Kundra initiated with Obama blessing federal "Cloud First" program. He had no clue about cloud security, NIST had no related documents and nether anybody in the government, but they started and started with moving in "cloud" NASA. NASA got OIG assessment in the same way as DHS and found disastrous situation.

So, what should we expect from US government concerning security when they do not have independent leader even in perspective? A couple of years ago US government estimated that they need 30,000 REAL security professionals. Where could they get them? Inside DC boarders? There are no security pros living in DC ... Come and see.

Is stupid as its gets

Just to add my ten cents to public opinion that the proposed law is completely stupid and the result of incompetence. As CISSP and PhD I can say that people are right. It is stupid law. My POV is that it will not improve security at all. State of Georgia Cyber Security Task Force (I do not think it exists) will not be able to identify who exactly is trying to access a computer residing in this state. FBI will not. They are not stupid to help this state in such useless activity. Needless to say that the most serious penetrations happened came from spams. Wanna try to catch spammers? You'll get a bot probably sitting in one of G-senators' computer. Then jail this guy who actually was voting for this fake law.