Re: Burn the fuckers.
That is like stating that Johnson was responsible for the party in 10 Downing Street. Geez. He just lived there.
Posts by A random security guy
334 posts • joined 20 Apr 2019
Elasticsearch server with no password or encryption leaks a million records
Microsoft warns partners to revoke unused authorizations that drive your software
Monday 23rd May 2022 02:09 GMT
Re: Those Shortsighted Savings Will Cost You Dearly
Partnerships are a reality. Collaborations are a reality. Two companies may need to work together on projects, account payments, approvals, etc. Many times a company will create separate groups: employees who deal with IBM and, separately, employees who deal with MSFT. It is normal for these employees to collaborate with their customers and vendors on a very close basis.
The best examples are employees of audit companies, which by the very nature of their tasks, can't be the audited company's employees.
Cryptocurrency laundromat Blender shredded by US Treasury in sanctions first
Cloudflare stomps huge DDoS attack on crypto platform
Smart contract developers not really focused on security. Who knew?
Wednesday 27th April 2022 03:31 GMT
Smart contracts are not required to be secure
After looking at the Decentralized finance apps for over a year, I have come to the conclusion that the code is about as buggy as any other application code.
Moreover, being decentralized is a boon to hackers.
Security practices don’t exist.
Reporting issues come back with: prove to that a bug can be exploited. The better approach is to ensure each block is secure and consistent.
The thing is that making this much money gets into the programmers head and they think they are Supermen.
Now Mandiant says 2021 was a record year for exploited zero-day security bugs
Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
Hackers remotely start, unlock Honda Civics with $300 tech
Sunday 27th March 2022 17:49 GMT
Re: Very quick way to fix this.
I work with insurance companies (not for) on security issues and, to tell the truth, they are not the bad guys. They are the people who are behind lots of the features like proximity sensors, lane assist/drift sensors, etc. They have number-crunchers who find patterns and force car companies to change their ways.
For example, their lawyers must already be talking to Honda, telling them that they will not absorb the cost of any theft. And Honda may quietly cover the cost.
Biden says Russia exploring revenge cyberattacks
Wednesday 23rd March 2022 06:08 GMT
Putin may have outsmarted himself
I do see state-sponsored attacks by Russia being attempted.
I also think Biden is giving a heads-up to the industry folks.
OTOH, what we don't know are the tools that NSA will use to block the attacks. In the industry, the going mantra is: state-sponsored cyber-attacks require the NSA to step in.
Putin never realized that democracies look splintered and slow but on the whole are much more powerful than dictatorships. He just handed the West the keys to Russia. They are going to grind him down and destroy the Russian army and the economy once and for all.
Android's Messages, Dialer apps quietly sent text, call info to Google
Samsung shipped '100 million' phones with flawed encryption
Friday 25th February 2022 20:30 GMT
Re: Why leave implementation to the vendors ?
Most processor vendors do provide the tools. Android also comes with the tools. Time and again I have seen engineers neuter the systems as it is too hard to wrap their heads around the system. I see fixed keys all the time.
The additional problem is that Samsung is also the processor vendor.
China's APT10 cyber-spies 'targeted Taiwanese financial firms'
Thursday 24th February 2022 04:20 GMT
Re: Clarification wrt Taiwan
This territorial fight is so useless given that the wealth of nations and people are tied to bits in ether. Earlier you conquered because you wanted land, slaves to till the the soils, and gold to fight more battles. Now, you don't need any of the 3.
Or am I being naive? That we humans are destined to kill each other ...
Top chipmakers ignore India's semiconductor factory subsidies
Monday 21st February 2022 03:48 GMT
I wonder if their corrupt politicians can hide their money now
Given that there are all these anti-corruption laws that companies like ours have to comply with, I am surprised at the amount of corruption that the politicians engage in. They live in palaces, have private planes, etc.
I wonder where they are hiding their money ... probably somewhere around here as prime silicon valley property or other instruments.
Maybe the VPN interception will be a good thing? Maybe make the IP addresses public?
Spot the irony: India's Reserve Bank says outsourcing and offshoring are risky
Ransomware crew dumps stolen Optionis files online
Intel chases after Bitcoin miners with dedicated chip
Canadian Netwalker ransomware crook pleads guilty to million-dollar crimes
Use Zoom on a Mac? You might want to check your microphone usage
Thursday 10th February 2022 14:38 GMT
Most of their Engineering still is
The last report said90% of engineering was in China. The other 10 % could be support engineers.
Privacy is not a concern in China.
So all those businesses talking to each other over zoom?
Guess what. Just the meta information of who is talking to whom at what frequency and time is good enough.
Ukraine shrugs off mass govt website defacement as world turns to stare at Russia
Signal CEO Moxie Marlinspike resigns, leaves WhatsApp co-founder to run things until a successor is named
WebSpec, a formal framework for browser security analysis, reveals new cookie attack
IBM bosses wrongly sacked channel salesman after Tech Data joint venture failed, tribunal rules
Windows giant seeks Pluton-ic relationship with chipmaker: AMD first out of the gates with Microsoft's security processor
Bad things come in threes: Apache reveals another Log4J bug
US lawmakers want to put NSO Group, 3 other spyware makers out of business with fresh severe sanctions
Microsoft Defender for Endpoint laid low. Not by malware, but by another buggy Windows patch
Let us give thanks that this November, Microsoft has given us just 55 security fixes, two of which are for actively exploited flaws
Wednesday 10th November 2021 04:46 GMT
Who pays for it? Us
Remember that we pay MS for the Windows licenses. Then we pay for the IT staff to ensure that the updates don't break the other applications. Then we pay for the IT staff to update all the systems. Meanwhile, we spend an appreciable part of our IT budget on AV systems, Patch Management, all kinds of network protections, etc.
Just so that we can run Word, Excel, Outlook and PowerPoint. Not that these applications are any more secure. And we pay for them too.
What a scam. And we are responsible for our ignorance.
I remember a a presentation by MS Senior VP their Mountain View buildings around 2003-2004 where they touted how many fixes they put out and the effort they were putting into securing their systems. One gentleman politely asked the SVP if Microsoft was going to pay for all the costs required to update systems. The SVP's answer was, "Why should we?" Which either meant that he did not understand the gentleman's question or that he really didn't care about the downstream costs of Windows.
Trojan Source attack: Code that says one thing to humans tells your compiler something very different, warn academics
Monday 1st November 2021 23:25 GMT
Re: Unicode was created to prevent this thing from occurring:
Thanks!!! For CJK, I remember that unification created more "political problems", not technical problems, I believe. It has been 25 years since I worked on it (when it was first introduced) so thanks for the clarification and the updates. I am behind times. Have to look up why they added Vietnamese to the set...
Monday 1st November 2021 20:16 GMT
Re: This reminds me of the prank...
The thing is, Unicode was created to prevent this thing from occurring: characters that look the same should encode to the same value irrespective of the language. This philosophy created real problems for CJK character from Japan and China getting encoded to the same values.
Warehouse belonging to Chinese payment terminal manufacturer raided by FBI
Not just deprecated, but deleted: Google finally strips File Transfer Protocol code from Chrome browser
Wednesday 20th October 2021 23:55 GMT
Re: Overkill for many sites
The German paratroopers also penetrated fort Eben-Emael (sp?). Which was disconcerting for the French and the Belgians because the Germans turned around and used it to control everything the fort was supposed to. For the wrong side.
Without zero trust and the current shift from perimeter based architecture to a mesh system, I can’t even imagine any justification for ftp.
FTP depends on everyone else doing the right thing.
Wednesday 20th October 2021 17:23 GMT
Re: Overkill for many sites
You would generally use a file transfer system as part of a tool chain that is used in a process. Starting with a fundamentally unsecured system that can be readily exploited is fairly difficult to fix when security just happens to be required.
Make everything zero-trust. That way you avoid one system failure to become the Maginot line failure.
Simple examples: power distribution systems used FTP and FTP like protocols and then they suddenly became distributed. You can't even change the password because it was appropriate security 50 years ago. Router boxes are another example.
I wonder where FTP would be appropriate vs. SFTP. Just opening up the port is grounds for dismissal. I see small devices use it for firmware upgrade. Unsigned firmware upgrade on the top of it.
You've heard of HTTPS. Now get a load of HTTPA: Web services in verified remote trusted environments?
Wednesday 20th October 2021 05:23 GMT
Intel can't even get there Secure Enclave secure on a single processor
If Intel can't get their systems secure just for a simple OS, how can we trust that they do their entire computation on your behalf, including a large set of services, in a secure manner?
Frankly, the concept is interesting but the devil is in the details. Moreover, it is just not possible for Intel to execute anything securely. Their bean counters will be pushing for higher speeds and will run over their security people.
LAN traffic can be wirelessly sniffed from cables with $30 setup, says researcher
Friday 15th October 2021 23:02 GMT
Shielded ethernet cables are rare except in factories and other similar environments
I think I have come across only one instance where shielded cables were used. Otherwise it is all twisted pairs. For shielding to work properly, you have to ground it. The plastic RJ-45 connectors are not grounds.
And yes, I do make my own cables to length and have for more than 20 years. You need special connectors to help ground the shield, if present.
US nuclear submarine bumps into unidentified underwater object in South China Sea
Russian spies reportedly used SolarWinds hack to steal US counterintelligence details
Anonymous: We've leaked disk images stolen from far-right-friendly web host Epik
Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years
Tuesday 28th September 2021 02:55 GMT
Microsoft will not because they can
Microsoft is back to where it was 20 years ago; arrogant and too big to change.
So they have NO need to change. Organizations change only when they face pain. Organizations feel pain only when management feels pain. The pain has to be personal; they have to lose their jobs.
I still remember programming to Windows, Outlook, and exchange API's which crashed at random intervals. There is even a library called Outlook Redemption to help you write somewhat decent software.
'Quad' group seeks to set security standards for global tech industry
Monday 27th September 2021 04:00 GMT
Re: Excellent
Yup. I expect the following:
1. Whataboutism as a distraction: Well the NSA and the GCHQ does it
2. Attacking the countries for putting out the message without addressing their concerns (they are ganging up on China but without mentioning that it is China that is attacking them)
3. Denying that even happens, ignoring the recent revelations
4. Stating that the Chinese government is actually far better than the others.
Monday 27th September 2021 03:54 GMT
Finally something, even if it is sloow and maybe too late
The Chinese companies are hellbent on spying on their customers. Xiaomi can even censor your content. Most of the countries are getting overrun by Chinese products which have been deliberately designed to track and, at least one case, control people's communications.
https://www.theregister.com/2021/09/22/xiaomi_phone_handset_censorship_lithuania/
Lithuania tells its citizens to throw Xiaomi mobile devices in the bin
Zoom's $15bn merger with Five9 probed by Uncle Sam for national security risks
Thursday 23rd September 2021 16:46 GMT
Zoom is going into speech, data analytics
Zoom tracks meta information about who is talking to whom. They would like to know if company A and B are talking to each other and is the traffic going up or down. It can help with business decisions, competitive analysis, etc.
It can tell if a dissident is talking to someone or not.
Length, frequency, speech analysis, etc. will all help them control the entire world.
With Xiaomi having been caught censoring content on phones, we know what the world is going to look like: 1984.
https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysis_env3.pdf
