* Posts by A random security guy

246 posts • joined 20 Apr 2019


Intel's latest patch set plugs some serious holes in CPU, Bluetooth, server, and – ironically – security lines

A random security guy Bronze badge

Re: Soft is hard

Sometimes the "software" is used to work around hardware bugs.

FBI drops subpoena to identify readers of USA Today article about shootout with agents

A random security guy Bronze badge

Curious about a few things

1. FBI knows a person of interest was reading that particular article on that site in a particular window of time. How did they know that? They intercepted some communication?

2. FBI thinks that all readers of such articles are persons of interest.

3. The FBI found the information they needed using another method. Did they hack in? Or did the owner just give them the information?

Ahem, Huawei, your USB LTE stick has a vuln. I SAID AHEM, Huawei, are you listening?

A random security guy Bronze badge

Re: To be fair...

Knowing Huawei, I would not be surprised if the source code is open source that is not properly maintained, with multiple copyleft violations, and with simple wrapper scripts written by an engineer who probably had no oversight.

Why did automakers stall while the PC supply chain coped with a surge? Because Big Tech got priority access

A random security guy Bronze badge

Re: Car security

Yup. I would have agreed with them if they had said that they are more concerned about SAFETY.

A random security guy Bronze badge

Re: Car security

You have BLE with at least 1 critical vulnerability a quarter. You have TPM which can be used to hack into your system.

A random security guy Bronze badge

Automakers are brutal to their suppliers. Didn't work with chip companies

Most of the points raised by others are valid. Automakers and their suppliers have a very dysfunctional and incestuous relationship. The suppliers are normally at the beck and call of the automakers. Automakers are also very demanding about quality, price, and JIT. Yeah, all three. Qualifying parts for the auto industry is also a long process.

Most of the electronics is built by suppliers and if the automaker can't fund the supplier to fund excess parts while demanding JIT, a shortage is inevitable.

OTOH Chip companies have many customers. They will sell to whoever locks in the capacity. There is definite impedance mismatch here.

A random security guy Bronze badge

Re: Everything needs intelligence these days, except my Harley.

I still remember having to tune my dad's non-computer car every 6 months. It took a lot of time to get it to work properly. With computers doing non-linear control systems and various other optimizations, I do get a carefree ride.

And yes, I drive a 2013 Prius. Haven't taken the car into a shop. Ever. Don't trust those guys.

A random security guy Bronze badge

Re: They only have themselves to blame

Your point is correct. I think people club EV and Autonomous systems together as they are coming in close together when time is measured in terms of decades :).

Also, EV cars lend themselves to Autonomous driving as they are fully electronically controlled and we will see them lead the charge.

Autonomous cars definitely need more CPU power.

JBS Foods ransomware gang: White House 'engaging directly' with Russia about attack on massive meat producer

A random security guy Bronze badge

Bad IT Security are the symbols of Western success?

Is that what we are protecting?

Air India admits to data breach impacting 4.5m customers, sat on the news for five weeks

A random security guy Bronze badge

We are going to make a security breach announcement using HTTP as HTTPS.

HTTPS is too difficult/superfluous/we don't know what it is ... pick your excuse. Tried using HTTPS and was bounced back to HTTP.

Just another stupid lowest bid wins organization which can't get its head wrapped around quality.

Doncaster insurance firm One Call hit by not-dead-at-all Darkside ransomware gang

A random security guy Bronze badge

Re: This is what happens when you

Being a cynic with 20+ years security experience, paying $100m for security is not going to get things done if the rest of the organization blocks your progress. I had a program manager block all security updates because she had to get features out. The security features were tied to our friendly WordPress and would have directly connected the hacker to the payment portal.

It's been a year and she still bristles and sabotages all security work.

Naah, she is not the exception. I have old-timers in another company nuke every security project. These are experienced men.

Just grit your teeth and hope the management wakes up.

Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days

A random security guy Bronze badge

Most companies consider security guys as obstacles to getting their stuff done

The real reason why one company I work with has not yet patched something for 1 year is because they are on a tight timeline (for a year) and can't use the security engineers they hired to do the work. They have reassigned the security engineers to do UI work.

Toyota rear-ended by twin cyber attacks that left ransomware-shaped dents

A random security guy Bronze badge

Site does not use HTTPS

That says it all. A simple MITM with an infected PDF ... And many other attacks.

China hauls in 13 web giants for ‘supervision interviews’

A random security guy Bronze badge

Re: Fingernails

Add to that the fact that the gig-workers in the US keep on voting against their own interests. And the same with the Amazon workers.

We pretend that we live in a democracy, the Chinese pretend that they live in a communist country.

South Korea orders urgent review of energy infrastructure cybersecurity

A random security guy Bronze badge

Yup. That should work. Will not happen, though.

Colonial Pipeline was looking to hire cybersecurity manager before ransomware attack shut down operations

A random security guy Bronze badge

Re: On the bright side.

They will listen and do whatever they were doing before. The mandate has to come from the CEO and the board. Really the board has to politely tell the CEO that he needs to have the problem fixed. The CEO has to tell the yearly compensation and review committee that security has to be part of the employee KPI.

A random security guy Bronze badge

I wonder if oil companies made more money

Just like in the Texas freeze, where some companies made a lot of money, I wonder if people made a lot of money off the scarcity and fear.

Apart from that, they have to spend billions upgrading the equipment in the field. Why bother. That is the cynic in me. I see this every time.

Beijing twirls ban-hammer at 84 more apps it says need to stop slurping excess data

A random security guy Bronze badge

Re: Remind you of anyone?

I know they are scraping more data than they need to but there is a difference:

In China you can literally face the firing squad.

I have yet to see firing squads around Mountain View.

Britain to spend £22m influencing Indo-Pacific nations' cybersecurity policies against 'authoritarian regimes'

A random security guy Bronze badge

About the comment about fighter aircraft from Russia and the West

India, I believe, flies Russian Sukhois and MiGs alongside French, British fighter/fighter bombers, US helicopters, surveillance & drone aircraft, and Israeli drones. Throw in some Italian choppers and Brazilian aircraft. All they now need to do is to buy a few Swedish Gripens to complete the logistics nightmare.

A random security guy Bronze badge

Doesn't the UK hoover data?

The UK doesn't have a good record. They have been implicated in looking into people's lives a bit too closely online and also with wire-taps and such. They also share the data with other countries without due process and also spy for other countries in order to get around due process requirements in those countries.

Finally, the UK has been trying to legislate backdoors into encryption.

Given those data points, I would like to ask the UK if they are the right advisors in this area. We could rely on the US instead; obviously the NSA and the CIA will give us better advice (sarcasm)

Tesla Autopilot is a lot dumber than CEO Musk claims, says Cali DMV after speaking to the software's boss

A random security guy Bronze badge

I live and work in an area infested by Google, in Mountain View, California. It has the highest concentration of ADAS cars around. From many different companies. Late at night (2am) I see more autonomous cars than people driven cars.

I have always wondered if they can see my dachshund but I have decided not to test my theories. Dogs are better than humans.

Privacy activist Max Schrems on Microsoft's EU data move: It won't keep the NSA away

A random security guy Bronze badge

From what I gathered

1. US data is not protected

2. UK may pretend but it doesn't honor GDPR anyway

3. GDPR is for EU citizens really.

The NSA, FBI, MI5, MI6, Google, Facebook, and Instagram will get us.

Big right-to-repair win: FTC blasts tech giants for making it so difficult to mend devices

A random security guy Bronze badge

Battery and other realities

Not supporting AAPL. I remember when the iPhone first came out and we found out through AAPL engineers (yeah, they weren’t locked down so hard at that time) that a major reason they glued the battery was the drop test.

I was working on another phone product and we all nodded our heads; we knew that our phone’s battery covers and many times the batteries would go flying off.

Moreover the contacts would not after some time and that was pure headache.

I can change iPhone batteries in roughly 5 minutes; who says nerds can’t impress girls.

In iPhone 12 it seems that cameras are paired so you can’t swap cameras.

TouchID is another area where any damage means you are not going to be able to use it for anything other than a push button.

Waterproofing is another reason you have to glue down components.

Most people have dropped something in the water. Dropping a $1200 phone in the toilet is not fun.

So yeah, it is a good goal to make repairability a high priority. But it may not be that easy.

Ransomware crooks who broke into Merseyrail used director's email address to brag about it – report

A random security guy Bronze badge

Re: Transparency

I was wondering about it too. Also, people's trips that were not disclosed to a significant other, people playing hooky from work, etc.

This will also be a good test of Britain's post-Brexit GDPR compliance. We will find out if they really want to still treat Privacy as a human right or an MI5 right.

Do you expect me to talk? Yes, Mr Bond, I expect you to reply: 10k Brits targeted on LinkedIn by Chinese, Russian spies

A random security guy Bronze badge

Re: But I thought

Geographically, 77% of Russia is in Asia. So you may be partially correct in blaming Asians. I wonder, though, if the Japanese, Thai, Indians, etc. are included in the collection. After all, they all live in Asia.

Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months

A random security guy Bronze badge

The usual answer I get from developers is: How will anyone even know I have a key hidden in the binary? You can't expect them to run the software through a filter. I have one case where the key is compiled into the firmware and is present in the source code in GitHub but doesn't use GitHub secrets.

A random security guy Bronze badge

Additional character extra

A random security guy Bronze badge

Flawed integrity check of a bash script can be hacked

The Codecov integrity check itself can be hacked because the version string extracted from the shell file is neither properly quoted nor validated. Here is the proper Twitter reference:


What we know is the LAST file. There were many changes to the hacked file so we don't know what else the script could have done.

I was able to do a few more things with the flawed integrity check described at https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script

curl -s https://codecov.io/bash > codecov;
VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  shasum -a $i -c --ignore-missing <(curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM)
done
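The weakness the comment above points at is that the version string pulled out of the downloaded script is dropped into the checksum URL without being quoted or validated. The following is an added example, not Codecov's code and not the commenter's: it keeps the documented flow (extract VERSION, fetch SHA sums for 1/256/512 from the raw.githubusercontent.com path shown above, run shasum -c) but anchors the grep, accepts only a MAJOR.MINOR.PATCH string, quotes every variable and fails closed. The function names (extract_version, validate_version, checksum_url, verify_uploader) and the two sample uploader headers are constructed for this example.

```shell
#!/bin/sh
# Added example (not Codecov's code): hardened handling of the VERSION string
# in the bash-uploader integrity check. The page's version does
#   VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2)
# and interpolates ${VERSION} unquoted into a URL. Here the line is anchored,
# the value is validated against a strict pattern, and it is quoted throughout.

# Pull the VERSION="x.y.z" assignment out of an uploader script. Only a whole
# line of exactly that shape counts, and only the first such line is used.
extract_version() {
    grep -E '^VERSION="[^"]*"$' "$1" | head -n 1 | cut -d'"' -f2
}

# Accept nothing but digits and dots in the form MAJOR.MINOR.PATCH. An empty
# string, a branch name, a path fragment or anything with spaces is rejected.
validate_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Build the SHA-sum URL (the path from the Codecov docs) only from a validated
# version; returns 1 without printing anything otherwise.
checksum_url() {
    version=$1
    bits=$2
    validate_version "$version" || return 1
    printf 'https://raw.githubusercontent.com/codecov/codecov-bash/%s/SHA%sSUM\n' "$version" "$bits"
}

# Hardened form of the page's loop: quoted variables, curl failing on HTTP
# errors (-f), a temp file instead of bash-only process substitution, and an
# early exit if any checksum does not verify. Needs network access, so it is
# defined here but not run by the offline demo below.
verify_uploader() {
    file=$1
    version=$(extract_version "$file")
    if ! validate_version "$version"; then
        echo "refusing to build a URL from version string '$version'" >&2
        return 1
    fi
    sums=$(mktemp)
    for bits in 1 256 512; do
        curl -fsS "$(checksum_url "$version" "$bits")" > "$sums" || { rm -f "$sums"; return 1; }
        shasum -a "$bits" -c --ignore-missing "$sums" || { rm -f "$sums"; return 1; }
    done
    rm -f "$sums"
}

# Offline demo on two constructed uploader headers: one with a pinned release
# tag, one whose VERSION line points at a branch name instead of a release.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.sh" <<'EOF'
#!/usr/bin/env bash
VERSION="1.0.3"
echo "uploader $VERSION"
EOF
cat > "$demo_dir/tampered.sh" <<'EOF'
#!/usr/bin/env bash
VERSION="main"
EOF

for f in good tampered; do
    v=$(extract_version "$demo_dir/$f.sh")
    if validate_version "$v"; then
        echo "$f.sh: version '$v' accepted -> $(checksum_url "$v" 256)"
    else
        echo "$f.sh: version '$v' rejected, no checksum URL built"
    fi
done
rm -rf "$demo_dir"
```

Running the block prints one accepted line for good.sh (with the SHA256SUM URL) and one rejected line for tampered.sh; `verify_uploader codecov` is the drop-in replacement for the loop on the page once the uploader has been downloaded.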


FOSS developer survey: Mostly male, employed... and many don't care about 'soul-withering chore' of security

A random security guy Bronze badge

Real examples will prove why security is difficult

Security is difficult but the main issues are related to people's mindset. Examples:

1. I discover a WordPress bug. PM punts the already tested dot security only update to after Black Friday. Site gets hacked. Client spends a month digging themselves out of the hole. Cost? Don't ask. We made a lot of money billing them.

Moral of the story? PM fires the implementation team.

2. Client believes that encryption of firmware is good enough. Digital signing is only for others. Appealed to the executives to get our contract terminated. One year later Codecov happened. Now they are scrambling to cover up their loss of IP. And yes, they stuck the symmetric keys in source code as no one will be able to figure it out.

Moral of the story? Managers don't care that they tried to burn the security people. We are expendable.

3. Vulnerable jQuery. Refused to update since we had not shown them all the ways they could be exploited. I told them that weaponization would take 2 months. Updating would just require testing. Fortunately, the execs stepped in.

Moral of the story? I should have them for the 2 months to write the exploit.

4. Password stuck inside JavaScript. Admin password, that is. Checks if user is admin. If true, uses admin as password. Refused to fix the issue as no one would be able to figure it out. They did.

Moral of the story? Should have gotten that ass fired. Which they did a year later. He now works for PayPal in their senior mgt.

Intel offers to produce car chips for automakers stalled by ongoing semiconductor supply drought

A random security guy Bronze badge

Automotive qualified parts take a long time

From what I know of the automotive industry, they take a long time to qualify parts.

Maybe Intel is doing something different?

Indian defense chief admits China’s cyber-weapons would ‘disrupt large number of systems’ whenever Beijing presses the button

A random security guy Bronze badge

Re: Good to recognise the threat early

Good luck. A country that took 15 years to buy 30+ planes, 15+ years to buy badly needed howitzers, etc. will probably never do anything till they have surrendered to the Chinese. I don't see anything other than bidding for the lowest price as the only criteria for product selection.

A random security guy Bronze badge

RF Jamming is pretty easy. China is a leader in drones. When I mention the porous nature of their entire infrastructure, my Indian friends have no clue. Each and every system they have is hackable as they have not invested in cybersecurity. And the bureaucracy of India demands the lowest cost bidder win the bid.

Even home routers are subject to attacks as they call home: to China. PCs, laptops, cellphones etc. have bloatware that communicates with China.

Every time I get a pushback from my friends, I show them how their favorite site can be hacked.

The whole state of complacency and denial is interesting.

Airline software super-bug: Flight loads miscalculated because women using 'Miss' were treated as children

A random security guy Bronze badge

Re: Not necessarily.

After talking to engineers, not so much anymore. The MAX was not a special case.

Intel accused of wiretapping because it uses analytics to track keystrokes, mouse movements on its website

A random security guy Bronze badge

Re: Why does Intel need to track users so closely?

Intel has played fast and easy with security. I bet it was also warned. And yet they chose to persist.

Depressing to see a company being so tone deaf.

A random security guy Bronze badge

Why does Intel need to track users so closely?

I can see FB doing it. But Intel?

Arm pulls the sheets off its latest Armv9 architecture with added AI support, Realms software isolation

A random security guy Bronze badge

Re: Ready... Fight!

Many devices may directly talk to the cloud and avoid the mobile app as a de facto router. That may be good and bad from a security perspective.

Cloud companies will end up controlling data and traffic.

A random security guy Bronze badge

Will chip makers make everyone’s life hard?

They are using realms. Anyone who has used TrustZone knows that the chip manufacturers have made life exceedingly hard for hardware and software engineers. Each part has its own variation on which bits to flip for a particular functionality, what features to provide, what those features mean.

Using Arm’s software layer locks you down.

Just looked at one processor today with TrustZone and no RNG, no ECC/RSA, half a secure boot, etc. Add to that the chip vendor convincing my hardware engineers that it is good enough for secure boot and security.

Moving software from one chip to their next generation requires a whole redo of the otp maps and how the system even boots.

I just see a mess.

China added 300 million 5G subscribers and a million 5G base stations in 2020

A random security guy Bronze badge

Re: Conspiracy

Such high transmission rates!!!

A random security guy Bronze badge

Re: Sounds like the US trade war is really paying off.

Yup. The soybean farmers were also happy to take a beating for the sake of the trade war. /S

European Banking Authority restores email service in wake of Microsoft Exchange hack

A random security guy Bronze badge

Exchange servers were breached and nothing was compromised

I have heard that before. Does the GDPR let them get away with bald-faced lies?

Microsoft fixes four zero-day flaws in Exchange Server exploited by China's ‘Hafnium’ spies to steal victims' data

A random security guy Bronze badge

Why is Exchange so hackable?

It has been a while since I had anything to do directly with Exchange. I did get a look at a bit of their software 15 years ago and it was really badly written. Is it still like that? Probably. It is like Adobe's Flash; every month there were a zillion documented security fixes. And Flash took decades to die.

When will WE get rid of Exchange? Maybe MS is so used to patching things (to make billions) that it can't let go.

India's demand to identify people on chat apps will 'break end-to-end encryption', say digital rights warriors

A random security guy Bronze badge

Re: Another Priti Patel initiative

Indians don't need external idiots. They generate their own at a very high rate.

A random security guy Bronze badge

Re: Tiring

We should start with the US. Then move on to the British. Then the Belgians. etc.

A random security guy Bronze badge

Re: Meh

They are routed through systems in the US. We can block that if we tighten SS7 and the FCC starts doing its job (finally).

Apple's latest macOS Big Sur update stops cheapo USB-C hubs bricking your machine

A random security guy Bronze badge

Apple M1 crashes all the time

You may be lucky. M1 MacBooks have been crashing a lot. I get 2-3 crashes a day. No amount of reimaging, reformatting, calls to Apple support have helped. Apple support will make you do all sorts of crazy things to collect data and makes you feel like an idiot.

The Apple forums are filled with people who are complaining about this system.

Connecting devices on USB-C can crash your laptop more quickly.

One can get locked out of their accounts; macOS can refuse your password. macOS can also refuse to let you reinstall the OS. You then have to do strange things in the right sequence.

The M1 going to sleep can crash your machine.

Restore from time capsule can fail.

The worst has been Apple Support. You end up spending hours with them and all you get is a reformat reinstall advice. This literally takes 3 hours for me every time.

A random security guy Bronze badge

One can’t simply push 160 or any number of watts into a MacBook. The external power supply can set the voltage and the MacBook can draw the regulated current it needs and it is designed to regulate that current.

What could be going wrong is that

A. The wrong pins had the voltage set wrongly.

B. Extremely high voltage

C. Apple reading the voltage wrongly and set the current flow such that it overheated something internally.

AI brain drain to Google and pals threatens public sector's ability to moderate machine-learning bias

A random security guy Bronze badge

Re: What is University for?

Useful role in society ...

Google had pretenses about that concept.

With the salaries they offer, I doubt there will be any left to do anything other than to provide a useful role for Google.

A random security guy Bronze badge

If you want to learn a subject, try teaching it. I estimate I spend an hour a week training on security.

Nespresso smart cards hacked to provide infinite coffee after someone wasn't too perky about security

A random security guy Bronze badge

It is fair trade ...

Mi Fare trade coffee

AMD, Nvidia, HPE tapped to triple the speed of US weather super with $35m upgrade

A random security guy Bronze badge

Re: Obsolete before delivery?

In theory, I agree. However, software rewrites take more time. This could be the one where lazy gets you 3.5 speed increase this time. And then the rewrite gives you a bit more. And in 2-3 years they will order the next system where they will have many more GPUs ...

Wouldn’t be surprised if they already gave the teams working on the specs. And Intel desperately trying to get into the game.

Live competition.



Biting the hand that feeds IT © 1998–2021