* Posts by pc-fluesterer.info

130 publicly visible posts • joined 23 Feb 2020

xAI picked Ethernet over InfiniBand for its H100 Colossus training cluster

pc-fluesterer.info
Facepalm

Seriously - they did label that thing "Colossus"?

https://en.wikipedia.org/wiki/Colossus:_The_Forbin_Project

CISA boss: Makers of insecure software must stop enabling today's cyber villains

pc-fluesterer.info
WTF?

... not to mention the BACKDOORS implanted deliberately!

Each and every US company will have received an NSL, take that for granted.

There are by far too many "forgotten" hardcoded admin credentials and other faults clearly intended as backdoors.

But to address this issue is clearly off-limits.

Cisco's Smart Licensing Utility flaws suggest it's pretty dumb on security

pc-fluesterer.info

Backdoor

"negligence/incompetence" - that is the nice view.

I for one would presume intention.

They may have gotten a gag order (NSL).

Iran's Pioneer Kitten hits US networks via buggy Check Point, Palo Alto gear

pc-fluesterer.info
Facepalm

Hey, you! These backdoors were meant for the NSA only!

Nothing to add.

SolarWinds left critical hardcoded credentials in its Web Help Desk product

pc-fluesterer.info
FAIL

SolarWinds - I heard that name before

If only I could recall where ... <eg>

Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now's the time to junk 'em

pc-fluesterer.info
Black Helicopters

Re: Cisco, again

Yes, particularly: "An attacker could ... send a crafted HTTP request to one of the phones, ... making it possible to execute arbitrary commands – with ... root privileges."

Noooo, we don't build in backdoors, promised, honour bright!

Using 1Password on Mac? Patch up if you don’t want your Vaults raided

pc-fluesterer.info
Thumb Up

Full ACK.

I completely second that. I for one would NEVER give my credentials to a Closed-Source product, for various reasons.

Only way is FOSS. In terms of PW managers that is - depending on taste - keepass (and derivatives) or Bitwarden. Full stop.

Google gamed into advertising a malicious version of Authenticator

pc-fluesterer.info
FAIL

Trusted? TRUSTED?

"Google Authenticator is a ... trusted multifactor authentication ..."

What?

I for one would NEVER trust Google nor Microsoft, not at 2FA, nowhere.

For 2FA I use Aegis which is a FOSS TOTP App. The second choice would be FreeOTP, FOSS as well.

Intruders at HealthEquity rifled through storage, stole 4.3M people's data

pc-fluesterer.info
FAIL

"no malicious code was FOUND in its systems"

well ...

No rest for the wiry as Cisco Nexus switches flip out over latest zero-day

pc-fluesterer.info

Not 'anything' but only FOSS!

https://forums.theregister.com/post/4890470

Juniper Networks flings out emergency patches for perfect 10 router vuln

pc-fluesterer.info
Thumb Up

Re: History Lesson??

Full ACK.

The bottom line is: proprietary products from China or the US CANNOT BE TRUSTED.

All of them might have gotten an NSL requiring them to build in backdoors for 3-letter agencies.

If you want security get a FOSS solution.

'Mirai-like' botnet observed attacking EOL Zyxel NAS devices

pc-fluesterer.info
FAIL

Just don't make a NAS reachable from the open internet.

Just don't. That's a no-go. It is called NAS not IAS. NETWORK attached storage, not INTERNET attached storage. The latter we call cloud nowadays, and that is hard enough to protect.

Dropbox dropped the ball on security, haemorrhaging customer and third-party info

pc-fluesterer.info

FOSS

Nextcloud is FOSS, so a secret backdoor would not for long run undetected.

Flaws in Chinese keyboard apps leave 750 million users open to snooping, researchers claim

pc-fluesterer.info
FAIL

"Flaw"? Works as designed!

Move on, nothing to see here.

Apple promises to protect iMessage chats from quantum computers

pc-fluesterer.info
Thumb Down

Smoke grenade

All this fuss is made as a sham fight in order to distract public attention from the role iMessage played (and plays?) for zero-click infection with Pegasus and others.

Thousands of Juniper Networks devices vulnerable to critical RCE bug

pc-fluesterer.info
FAIL

Darn! Again a backdoor disclosed ...

US design? Oh well. No further questions.

Kaspersky reveals previously unknown hardware 'feature' exploited in iPhone attacks

pc-fluesterer.info

Recording of Larin's speech at 37C3

https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers

pc-fluesterer.info

Re: You receive some 'visitors'....

aka NSL.

Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes

pc-fluesterer.info
FAIL

OAuth is broken by design

Yes, a single sign-in is convenient. But it is inherently unsafe, too. I for one would never use it.

I use a password manager which automatically inputs my credentials into the appropriate website or application, and I use 2FA (TOTP) wherever possible.

Surprise! Email from personal.information.reveal@gmail.com is not going to contain good news

pc-fluesterer.info
Thumb Down

And the role of the Chocolate Factory?

I see gmail and protonmail addresses used by the cyber gangsters.

At Protonmail they immediately delete accounts reported as abuse. BTDT.

And gmail? Reaction to abuse reports: Nil, nought, zero. :-(

pc-fluesterer.info
FAIL

Basically, never use exchange

https://alternativeto.net/software/microsoft-exchange-server/

Black Basta ransomware operation nets over $100M from victims in less than two years

pc-fluesterer.info
Linux

Will they ever learn?

Will any of the victims draw the obvious conclusion? Ransomware attacks rely on design faults and programming errors in M$ products. If the victims (and the to-be victims) wanted to protect themselves in the future, they could and should turn to FOSS.

Japan's space agency suffers cyber attack, points finger at Active Directory

pc-fluesterer.info
Facepalm

Will they ever learn?

AD is not inevitable!

https://alternativeto.net/software/microsoft-active-directory/

Ransomware-hit British Library: Too open for business, or not open enough?

pc-fluesterer.info
Linux

"let the barbarians in through the gate"

The name of the founder of Microsoft was "Gates", not "gate", wasn't it?

Microsoft pins hopes on AI once again – this time to patch up Swiss cheese security

pc-fluesterer.info
Facepalm

AI is a plain mock attack

Ransomware to 90% is not enabled by security holes in the sense of programming errors. Ransomware is enabled by design faults deep in M$' thinking. Most of ransomware comes with SPAM and the user has to contribute:

Open the SPAM (ok, take that for granted);

open the attachment (that's already questionable);

allow macros! (¹);

give the admin's password! (²)

(¹) How on earth can it be that a document (text, spreadsheet, presentation) sent by mail can contain macros so powerful that they can damage the OS severely? How on earth can it be that macros in an email attachment can be enabled at all?

(²) Following best practice, no user should™ have administrative rights, neither by knowing an admin's password nor by normal working with administrative rights. But the latter happens way too often. Why? Because M$' products are "more comfy" with administrative rights - a design fault. Anyone remember Windows XP? That was effectively unusable with restricted user rights. The situation has since improved a little bit, but not enough by far.

Linux Mint Debian Edition 6 hits beta with reassuringly little drama

pc-fluesterer.info
Linux

Here is a happy and satisfied user

I for one use LMDE since version 2. LMDE 4 was quite good, LMDE 5 really grown-up. Looking forward to LMDE 6!

Will it offer an in-place upgrade such as Mint does?

Only thing I dislike is Cinnamon. I prefer Mate since the beginning, which I just installed additionally. So I use Mate plus Cairo-Dock.

Do Facebook's algorithms drive political polarization? Meta says no, but researchers say it's complicated

pc-fluesterer.info

No question here

Of course the tendency is away from the centre. The algorithms foster divisiveness, polarisation, radicalisation, because that catches people's attention.

pc-fluesterer.info
Alert

Mock fight

The main menace for democracy is not the algorithms but the individual targeted advertising based on "big data" user profiles. That can be quite manipulating, as seen in the election campaign for the MAGA POTUS. In Germany we have a recent example as well: https://targetleaks.de/

Linux has nearly half of the desktop OS Linux market

pc-fluesterer.info
Happy

Re: "typical Linuxes are tools for nerdy hacker types" -- ?

""Mint is end user friendly to such an extent that it can beat Windows."

You're right, of course but to be fair, it's a low bar."

:-)

pc-fluesterer.info
Linux

Re: "typical Linuxes are tools for nerdy hacker types" -- ?

The ones I am talking about would never ever do a search (of course not goggle) and manipulate the system on their own.

After I have installed the system, it just runs. And runs and runs and runs.

Only when an upgrade is necessary (not earlier than four years) I enter the scene.

While in the meantime the process of upgrading is automated and works so seamlessly that any reasonably intelligent person can do that.

pc-fluesterer.info
Thumb Down

"typical Linuxes are tools for nerdy hacker types" -- ?

"... typical Linuxes are tools for nerdy hacker types"? I for one strongly disagree.

I have used many flavours of Linux since the mid-90s. For many years now Mint and LMDE are my number one (and debian as host for VirtualBox).

End users get Mint from me. And guess what? Even the most non-nerdy ones are happy with it. Mint is end user friendly to such an extent that it can beat Windows.

My stance is: Anyone who can read and write can use Linux.

Unsealed: Charges against Russians blamed for Mt Gox crypto-exchange collapse

pc-fluesterer.info
Boffin

Crypto is for crims and gamblers anyway, so what?

nothing to be seen here.

'Strictly limit' remote desktop – unless you like catching BianLian ransomware

pc-fluesterer.info
WTF?

In other words: Best practice

All that FBI advice boils down to one single sentence: Adhere to best practice.

Fast-evolving Prilex POS malware can block contactless payments

pc-fluesterer.info

How does it get there?

Well, that is what Prilex CAN do - impressive. But what's missing is step one: How does Prilex get into the POS system in the first place?

Bankruptcy probe: Celsius cheated investors 'from the start'

pc-fluesterer.info
Stop

If it looks "too good to be true", ...

nothing to add.

pc-fluesterer.info
Happy

Re: AST

Sell? To the "greater fool". ;-)

Russian meddling in 2016 US presidential election was weak sauce

pc-fluesterer.info
FAIL

Wrong subject, wrong findings

It may perhaps be true that Russia's trolls in the antisocial networks and the news didn't achieve too much - I for one still doubt that. But looking at the candid propaganda totally misses the point.

Anyone remember Cambridge Analytica / SCL / Emerdata? Run by a Russian named Aleksandr Kogan? He used data "stolen"¹ from F.c.book as basis for targeted advertising in antisocial networks. That discouraged suspect Democrats from voting. And the like. That was the real meddling.

¹) That is Zockerberg's narration. Still I believe that he encashed on that "stolen" data.

US House boots TikTok from government phones

pc-fluesterer.info
FAIL

Old white men and TikTok?

What the hell do old white men have TikTok (TT) for in the first place? Additionally, on "official" devices?

Up to now I thought that TT is only for teeny girls. ;-)

Zerobot malware now shooting for Apache systems

pc-fluesterer.info
Facepalm

"unpatched or badly secured devices"

And further: "... insecure configurations that use default or weak credentials".

All admin faults.

But I bet that this case as well will be attributed as "malware that can target Apache". :-(

Researchers smell a cryptomining Chaos RAT targeting Linux systems

pc-fluesterer.info
Linux

Initial compromise?

*IF* the malware is aboard it can do this and that - fine.

Big question is: *HOW* does it get there? What is the attack vector?

If it is installed deliberately I wouldn't call it malware. And the installation does need the /root/ pw, always.

To me this thing sounds more like "Give me all your money or I shoot myself!"

Legit Android apps poisoned by sticky 'Zombinder' malware

pc-fluesterer.info
Thumb Down

FUD

"This is why users should never install apps from outside of the Google Play Store." -- Plain nonsense. As others have pointed out already, the official PlayStore is full of malicious apps. Those are found on a nearly regular basis. Some may indeed have evaded Google's "checks", some others ...?

I for one use iodé instead of Android which doesn't have Google Play installed. I fetch what I need from f-droid or directly from the - trustworthy - manufacturer (e.g. AVM, Threema, Wire). I feel perfectly safe.

Apps (only non-paid) from the PlayStore, if really needed and not available otherwise, I get with the help of the FOSS Aurora app.

pc-fluesterer.info
FAIL

Rubbish

Each and every FOSS app from f-droid is more trustworthy than the PlayStore malware.

India set to extend deadline for absurd infosec reporting requirements

pc-fluesterer.info
Facepalm

REPORTING is an "essential national defence mechanism"?

Well, I still keep on learning.

Up to now I thought that it is better to PREVENT an incident than to REPORT one that happened.

Well, looks like I will have to rethink. ...

How do you protect your online systems? Cultivate an insider threat

pc-fluesterer.info
Linux

Re: "because of bad actions by employees"

To update your knowledge and opinion, I suggest you have a look at Denmark and Estonia.

In both countries public authorities rely on FOSS.

Here in Germany we had a lot of ransomware incidents hampering universities, cities, courts, revenue authorities, and the like.

Such incidents are unknown in the two FOSS countries!

Assuming that people are similar all over Europe, the only interpretation remains the intrinsic security of FOSS.

pc-fluesterer.info
FAIL

"because of bad actions by employees"

A vast amount of "bad actions by employees" would be totally innocuous if the IT wouldn't rely on M$ monoculture.

"Yes, people are the problem"? No, they needn't be.

Try the usual [email brings infection (malware or data stealer)] stunt in a FOSS environment.

Sophos fixes critical firewall hole exploited by miscreants

pc-fluesterer.info
FAIL

Best practice?

Since when is making your admin interface publicly accessible considered "best practice"?

Nearly one in two industry pros scaled back open source use over security fears

pc-fluesterer.info
Happy

Re: Happens here

easy explanation: FOSS doesn't contain the backdoors required by state agencies ...

pc-fluesterer.info
FAIL

Re: "open-source software is deemed insecure, so it's not allowed" (28 percent)

really, can you? Did anybody ever sue M$? Or Apple? Or Oracle? Or ... (you name it)?

Internet pranksters send hundreds of cabs to Moscow street, cause gridlock

pc-fluesterer.info
Megaphone

Uber

Perhaps it is worth mentioning that "Yandex Taxi" is a joint venture of Yandex and Uber, founded after Uber withdrew from Russia in 2017.

Critical flaws found in four Cisco SMB router ranges – for the second time this year

pc-fluesterer.info
FAIL

Isn't CISCO short for ...

Central Intelligence Secretly Covered Operation?
