* Posts by A random security guy

334 posts • joined 20 Apr 2019


Elasticsearch server with no password or encryption leaks a million records

A random security guy

Re: Burn the fuckers.

That is like stating that Johnson was responsible for the party in 10 Downing Street. Geez. He just lived there.

A random security guy

5 Eyes

The 5 Eyes of security: Australia, Canada, New Zealand, the United Kingdom, and the United States.

The 5 Eyes of Cyber Security: No password, no TLS, No Firewall, No Monitoring, No Remediation.

Microsoft warns partners to revoke unused authorizations that drive your software

A random security guy

Re: Those Shortsighted Savings Will Cost You Dearly

Partnerships are a reality. Collaborations are a reality. Two companies may need to work together on projects, account payments, approvals, etc. Many times a company will create separate groups: employees who deal with IBM and, separately, employees who deal with MSFT. It is normal for these employees to collaborate with their customers and vendors on a very close basis.

The best examples are employees of audit companies, which by the very nature of their tasks, can't be the audited company's employees.

Cryptocurrency laundromat Blender shredded by US Treasury in sanctions first

A random security guy

The US has actually embraced cryptocurrency. There is an Executive Order doing just that.

A random security guy

Re: Mixer services

A public blockchain does not lend itself to any form of privacy. You may be able to muddy the waters a bit but you are left with a finite list of suspects. It is only when the numbers get to 2**128 that you have a semblance of privacy.

Cloudflare stomps huge DDoS attack on crypto platform

A random security guy

Wannabe pretentious pillocks.

Smart contract developers not really focused on security. Who knew?

A random security guy

Smart contracts are not required to be secure

After looking at the Decentralized finance apps for over a year, I have come to the conclusion that the code is about as buggy as any other application code.

Moreover, being decentralized is a boon to hackers.

Security practices don’t exist.

Reporting issues comes back with: prove that a bug can be exploited. The better approach is to ensure each block is secure and consistent.

The thing is that making this much money gets into the programmers head and they think they are Supermen.

Now Mandiant says 2021 was a record year for exploited zero-day security bugs

A random security guy

Re: Maths?

Not every exploit can be definitely attributable to a specific country.

Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT

A random security guy

Re: The Key is...

With MSFT: Everyone's key is under their doormats and they are all the same.

Hackers remotely start, unlock Honda Civics with $300 tech

A random security guy

Re: Very quick way to fix this.

I work with insurance companies (not for) on security issues and, to tell the truth, they are not the bad guys. They are the people who are behind lots of the features like proximity sensors, lane assist/drift sensors, etc. They have number-crunchers who find patterns and force car companies to change their ways.

For example, their lawyers must already be talking to Honda, telling them that they will not absorb the cost of any theft. And Honda may quietly cover the cost.

Biden says Russia exploring revenge cyberattacks

A random security guy

Putin may have outsmarted himself

I do see state-sponsored attacks by Russia being attempted.

I also think Biden is giving a heads-up to the industry folks.

OTOH, what we don't know are the tools that NSA will use to block the attacks. In the industry, the going mantra is: state-sponsored cyber-attacks require the NSA to step in.

Putin never realized that democracies look splintered and slow but on the whole are much more powerful than dictatorships. He just handed the West the keys to Russia. They are going to grind him down and destroy the Russian army and the economy once and for all.

Android's Messages, Dialer apps quietly sent text, call info to Google

A random security guy

Gdpr 3% fine

I wonder if they will pay the standard rate or just a few dollars. Just a rhetorical question.

Samsung shipped '100 million' phones with flawed encryption

A random security guy

Re: Why leave implementation to the vendors ?

Most processor vendors do provide the tools. Android also comes with the tools. Time and again I have seen engineers neuter the systems as it is too hard to wrap their heads around the system. I see fixed keys all the time.

The additional problem is that Samsung is also the processor vendor.

A random security guy

Typical Samsung

This is the most basic of most encryption and they messed it up. AES-GCM is especially brittle to this attack IIRC. I guess the word "counter" did not register.
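An added example, not code from the article or from Samsung, of the "counter" point above: AES-GCM encrypts with AES in counter mode, so two messages encrypted under the same key and nonce share a keystream and their XOR is the XOR of the plaintexts (with GCM a repeated nonce additionally exposes the GHASH authentication key, so forgeries follow). To keep it runnable offline without a crypto library, HMAC-SHA256 stands in for the AES block function (an assumption stated in the code); the key, nonce and messages are constructed for the demo.

```python
import hashlib
import hmac

# Added example (not from the article or Samsung's code): the nonce-reuse failure
# in counter-mode encryption, the construction AES-GCM uses for confidentiality.
# ASSUMPTION: HMAC-SHA256 stands in for the AES block function so this runs
# without a crypto library; the keystream-reuse property is the same.


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = PRF(key, nonce || i), the CTR-mode shape."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, ctr_keystream(key, nonce, len(data)))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts under one (key, nonce) share a keystream, so
    C1 ^ C2 = P1 ^ P2.  Knowing P1 (a crib) gives P2 over the overlap."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    p1 = b"transfer 100 to alice"
    p2 = b"transfer 999 to mallory"

    # Bug: the same 96-bit nonce for every message (a fixed "counter").
    fixed_nonce = bytes(12)
    c1 = ctr_encrypt(key, fixed_nonce, p1)
    c2 = ctr_encrypt(key, fixed_nonce, p2)
    leaked = recover_with_crib(c1, c2, p1)  # equals p2[:len(p1)]

    # Fix: a nonce that never repeats under the same key (here, a counter).
    c2_fresh = ctr_encrypt(key, (1).to_bytes(12, "big"), p2)
    not_leaked = recover_with_crib(c1, c2_fresh, p1)  # garbage

    return {
        "leaked": leaked,
        "not_leaked": not_leaked,
        "roundtrip": ctr_encrypt(key, fixed_nonce, c1) == p1,
    }


if __name__ == "__main__":
    r = demo()
    print("same nonce, recovered P2 prefix:", r["leaked"])
    print("fresh nonce, recovered bytes:  ", r["not_leaked"])
```

The crib here is the whole first message, but the same arithmetic works with any guessed fragment (a protocol header, a fixed prefix), which is why "the IV is random once at boot" is not good enough: every message after the first reuses it.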

China's APT10 cyber-spies 'targeted Taiwanese financial firms'

A random security guy

Re: Clarification wrt Taiwan

This territorial fight is so useless given that the wealth of nations and people are tied to bits in ether. Earlier you conquered because you wanted land, slaves to till the soil, and gold to fight more battles. Now, you don't need any of the 3.

Or am I being naive? That we humans are destined to kill each other ...

Top chipmakers ignore India's semiconductor factory subsidies

A random security guy

I wonder if their corrupt politicians can hide their money now

Given that there are all these anti-corruption laws that companies like ours have to comply with, I am surprised at the amount of corruption that the politicians engage in. They live in palaces, have private planes, etc.

I wonder where they are hiding their money ... probably somewhere around here as prime silicon valley property or other instruments.

Maybe the VPN interception will be a good thing? Maybe make the IP addresses public?

Spot the irony: India's Reserve Bank says outsourcing and offshoring are risky

A random security guy

Re: Indians too expensive ?

Indian teams are very expensive to run. I pay around 80% of what I would pay for a similar engineer here in the US. The good ones know their value. The bad ones? Don't hire them.

Ransomware crew dumps stolen Optionis files online

A random security guy

Re: I bet it all comes down to services!

Ah, that is how I should run my security services company. We charge top dollars but do everything we can to keep our customers safe.

Intel chases after Bitcoin miners with dedicated chip

A random security guy

Re: "Intel will start selling a chip to mine bitcoin"

Blockchain is the thing that will survive. It is just a good ledger system.

It should be a way to move money, not speculate.

A random security guy

Re: If it's that good

Merchants made more money selling spades to gold miners than actually mining for gold.

I am talking about the California gold rush.

Canadian Netwalker ransomware crook pleads guilty to million-dollar crimes

A random security guy

People still think BTCs are anonymous.

I'd rather be paid in gold.

Use Zoom on a Mac? You might want to check your microphone usage

A random security guy

Most of their Engineering still is

The last report said 90% of engineering was in China. The other 10% could be support engineers.

Privacy is not a concern in China.

So all those businesses talking to each other over zoom?

Guess what. Just the meta information of who is talking to whom at what frequency and time is good enough.

Ukraine shrugs off mass govt website defacement as world turns to stare at Russia

A random security guy

Salami tactics

The Russians are using salami tactics. First take a small part, something you will not start a war over. Then take another. Then another. Soon you have one tiny slice left. And that too is nothing to fight over.

Signal CEO Moxie Marlinspike resigns, leaves WhatsApp co-founder to run things until a successor is named

A random security guy

Re: Moxie Marlinspike.

Matthew Rosenfeld

WebSpec, a formal framework for browser security analysis, reveals new cookie attack

A random security guy

Re: Time For a Systemic Reconsideration

> Why run a script in the terminal…

Snappy, responsive, and easily modifiable user interface.

Also means more hackable, badly designed, ill-configured, badly implemented, etc.

IBM bosses wrongly sacked channel salesman after Tech Data joint venture failed, tribunal rules

A random security guy

This was in the UK. In the US …

This would be business as usual.

Windows giant seeks Pluton-ic relationship with chipmaker: AMD first out of the gates with Microsoft's security processor

A random security guy

Re: If true...

Yeah, Intel is using minix. However, Intel is not used universally. MS is used in the cloud and on most desktops. It is several trillion dollars big.

But the question remains: what happens with Linux.

Bad things come in threes: Apache reveals another Log4J bug

A random security guy

Re: Isnt all of this due to evaluating input strings?

And I should be careful about posting from my iPhone and check my spelling and anything the autocorrect system did to my input.

A random security guy

Isnt all of this due to evaluating input strings?

Why on earth would you want to evaluate strings logged?

US lawmakers want to put NSO Group, 3 other spyware makers out of business with fresh severe sanctions

A random security guy


Sorry to bring this to you but Saudi Arabia is a valued partner of the USA, because they have oil and buy our weapons.

Microsoft Defender for Endpoint laid low. Not by malware, but by another buggy Windows patch

A random security guy

Re: Wait a minute!

Microsoft cares?

A random security guy

Re: Windows Server, a contradiction in terms

You serve it.

Let us give thanks that this November, Microsoft has given us just 55 security fixes, two of which are for actively exploited flaws

A random security guy

Who pays for it? Us

Remember that we pay MS for the Windows licenses. Then we pay for the IT staff to ensure that the updates don't break the other applications. Then we pay for the IT staff to update all the systems. Meanwhile, we spend an appreciable part of our IT budget on AV systems, Patch Management, all kinds of network protections, etc.

Just so that we can run Word, Excel, Outlook and PowerPoint. Not that these applications are any more secure. And we pay for them too.

What a scam. And we are responsible for our ignorance.

I remember a presentation by an MS Senior VP at their Mountain View buildings around 2003-2004 where they touted how many fixes they put out and the effort they were putting into securing their systems. One gentleman politely asked the SVP if Microsoft was going to pay for all the costs required to update systems. The SVP's answer was, "Why should we?" Which either meant that he did not understand the gentleman's question or that he really didn't care about the downstream costs of Windows.

Trojan Source attack: Code that says one thing to humans tells your compiler something very different, warn academics

A random security guy

Re: Unicode was created to prevent this thing from occurring:

Thanks!!! For CJK, I remember that unification created more "political problems", not technical problems, I believe. It has been 25 years since I worked on it (when it was first introduced) so thanks for the clarification and the updates. I am behind times. Have to look up why they added Vietnamese to the set...

A random security guy

Re: This reminds me of the prank...

The thing is, Unicode was created to prevent this thing from occurring: characters that look the same should encode to the same value irrespective of the language. This philosophy created real problems for CJK character from Japan and China getting encoded to the same values.
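An added example, not part of the article or any project's code, of what a practitioner would scan for after the Trojan Source write-up: the bidirectional override controls that make a line display in a different order from the one the compiler parses, and lookalike letters from another script inside an identifier. The script classification is a crude name-prefix check covering only Latin, Cyrillic and Greek (an assumption), and SAMPLE is constructed for the demo.

```python
import re
import unicodedata

# Added example, not from the article or any project: a scanner for the two
# Unicode tricks behind Trojan Source style attacks, bidirectional override
# controls that reorder how a line is displayed, and lookalike (homoglyph)
# letters inside identifiers.  SAMPLE below is constructed for this demo.

BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

IDENT_RE = re.compile(r"[^\W\d]\w*")  # str patterns are Unicode-aware in Python 3


def find_bidi_controls(source: str) -> list:
    """(line, column, name) for every bidi control character in the text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def script_of(ch: str) -> str:
    # Crude script classification from the character's Unicode name.
    # ASSUMPTION: only the scripts with common Latin lookalikes are listed.
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def find_non_ascii_identifiers(source: str) -> list:
    """(line, identifier, sorted scripts) for identifiers with any non-ASCII letter."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in IDENT_RE.finditer(line):
            ident = m.group()
            if ident.isascii():
                continue
            scripts = sorted({script_of(c) for c in ident if c.isalpha()})
            hits.append((lineno, ident, scripts))
    return hits


def strip_bidi_controls(source: str) -> str:
    """Remove the controls so the file reads the way the compiler sees it."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


SAMPLE = "\n".join([
    "def check(user):",
    "    msg = 'denied \u202e' # \u2066only admins\u2069",  # RLO, LRI, PDI
    "    \u0430dmin = True",  # Cyrillic a (U+0430) instead of Latin a
    "    return admin",
])


if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: bidi control {name}")
    for lineno, ident, scripts in find_non_ascii_identifiers(SAMPLE):
        print(f"line {lineno}: identifier {ident!r} mixes {scripts}")
```

Run it as a pre-commit or CI check over source trees; a bidi control inside a string or comment of a code file is almost never legitimate, and a mixed-script identifier deserves a human look even when it turns out to be a genuine non-English name.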

Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

A random security guy

Re: "... easy to overlook..."

The standard way to get approved for SOC 2, PCI, etc. is to declare an errant system out of scope.

Not just deprecated, but deleted: Google finally strips File Transfer Protocol code from Chrome browser

A random security guy

Re: Overkill for many sites

The German paratroopers also penetrated Fort Eben-Emael. Which was disconcerting for the French and the Belgians because the Germans turned around and used it to control everything the fort was supposed to. For the wrong side.

Without zero trust and the current shift from perimeter based architecture to a mesh system, I can’t even imagine any justification for ftp.

FTP depends on everyone else doing the right thing.

A random security guy

Re: Overkill for many sites

You would generally use a file transfer system as part of a tool chain that is used in a process. Starting with a fundamentally unsecured system that can be readily exploited is fairly difficult to fix when security just happens to be required.

Make everything zero-trust. That way you avoid one system failure to become the Maginot line failure.

Simple examples: power distribution systems used FTP and FTP like protocols and then they suddenly became distributed. You can't even change the password because it was appropriate security 50 years ago. Router boxes are another example.

I wonder where FTP would be appropriate vs. SFTP. Just opening up the port is grounds for dismissal. I see small devices use it for firmware upgrade. Unsigned firmware upgrade on the top of it.

You've heard of HTTPS. Now get a load of HTTPA: Web services in verified remote trusted environments?

A random security guy

Intel can't even get their Secure Enclave secure on a single processor

If Intel can't get their systems secure just for a simple OS, how can we trust that they do their entire computation on your behalf, including a large set of services, in a secure manner?

Frankly, the concept is interesting but the devil is in the details. Moreover, it is just not possible for Intel to execute anything securely. Their bean counters will be pushing for higher speeds and will run over their security people.

LAN traffic can be wirelessly sniffed from cables with $30 setup, says researcher

A random security guy

Shielded ethernet cables are rare except in factories and other similar environments

I think I have come across only one instance where shielded cables were used. Otherwise it is all twisted pairs. For shielding to work properly, you have to ground it. The plastic RJ-45 connectors are not grounds.

And yes, I do make my own cables to length and have for more than 20 years. You need special connectors to help ground the shield, if present.

US nuclear submarine bumps into unidentified underwater object in South China Sea

A random security guy

Sonar can be heard by other ships, thereby giving away your location.

A random security guy

The sub hit the Chinese real estate housing company that sank: Evergrande

You remember how the Ever Given blocked the Suez Canal?

Evergrande: hold my beer. I can do better.

Russian spies reportedly used SolarWinds hack to steal US counterintelligence details

A random security guy

Re: Clinton campaign lawyer Michael Sussmann indicted for lying to FBI during Russia investigation

I think he wants to tell you what non sequitur means? </humor>

Anonymous: We've leaked disk images stolen from far-right-friendly web host Epik

A random security guy

Re: Inalienable rights

Assuming you mean aliens are people who are not citizens, do you mean if we travelled to France or Germany or some other country they can shoot us without a fair trial as we are aliens there?

Unless you mean alien as a real extraterrestrial being.

Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years

A random security guy

Microsoft will not because they can

Microsoft is back to where it was 20 years ago; arrogant and too big to change.

So they have NO need to change. Organizations change only when they face pain. Organizations feel pain only when management feels pain. The pain has to be personal; they have to lose their jobs.

I still remember programming to Windows, Outlook, and exchange API's which crashed at random intervals. There is even a library called Outlook Redemption to help you write somewhat decent software.

'Quad' group seeks to set security standards for global tech industry

A random security guy

Re: Excellent

Yup. I expect the following:

1. Whataboutism as a distraction: Well the NSA and the GCHQ does it

2. Attacking the countries for putting out the message without addressing their concerns (they are ganging up on China but without mentioning that it is China that is attacking them)

3. Denying that even happens, ignoring the recent revelations

4. Stating that the Chinese government is actually far better than the others.

A random security guy

Finally something, even if it is sloow and maybe too late

The Chinese companies are hellbent on spying on their customers. Xiaomi can even censor your content. Most of the countries are getting overrun by Chinese products which have been deliberately designed to track and, in at least one case, control people's communications.


Lithuania tells its citizens to throw Xiaomi mobile devices in the bin

A random security guy

Re: Lithuania: US puppet government

Are you disputing the facts or mud-slinging? Because no one (other than the manufacturers) has disputed the facts.

A random security guy

Re: Lithuania: US puppet government

The Baltic states and Finland are extremely entrepreneurial. And they are definitely scared of Russia and can't even pretend to be pro-US. They just keep their heads down.

Zoom's $15bn merger with Five9 probed by Uncle Sam for national security risks

A random security guy

Zoom is going into speech, data analytics

Zoom tracks meta information about who is talking to whom. They would like to know if company A and B are talking to each other and is the traffic going up or down. It can help with business decisions, competitive analysis, etc.

It can tell if a dissident is talking to someone or not.

Length, frequency, speech analysis, etc. will all help them control the entire world.

With Xiaomi having been caught censoring content on phones, we know what the world is going to look like: 1984.

Biting the hand that feeds IT © 1998–2022