Re: Doesn't add up
Don't worry.. in about three months from now, we'll be back here with new corporate statements.
29 posts • joined 6 Jun 2020
Looks like I'm not that far off on the split nut design.
What I don't get is why you would spend $200 on casters because $700 was too much, and yet... the kit comes with wheel chocks to prevent unintended rolling. (Scroll down a bit, they don't use HTML anchors.)
Thought this shit could only be made up in Hollywood. Guess that and in Apple Jeamland.
I don't know about OWC today, as the last time I dealt with them was when they were selling Gateway Destination TVs faster than they could stock them. Back then their warranty was basically no quibble and their support team excellent, as long as you were honest. (Meaning you weren't trying to pull shit over them.)
I'd suspect the patent is a "D" patent, or a design patent. Doesn't take too much. Design a different molding for a power cord and ta-da, "patented design".
A quick search at the USPTO doesn't come up with anything new from them.
I can't help but notice that the thing above the castor looks like a slip-on twist nut.
Perhaps a tad bigger is all.
I'm sure this will look just as natural as the non-Chroma Keyed background obfuscation/picture injection from Teams.
Where ears and the sides of your head get cut off when you turn your head and if you aren't fully bald or with a full head of hair... all sorts of weirdness is going on above you.
Oh and to answer your question on why... this is because with everyone WfH, they've come to realize that it's actually hard to talk TO a camera while trying to NOT focus on your return video feed or any number of other distractions going on. :)
Just looked into SRI and that seems like some cool ass stuff. I am a bit concerned that W3 consider SHA384 as the baseline hash... seems like a bit of overkill, especially when considering mobile devices and power consumption. Maybe SHA computing has been optimized in hardware? But then again, scripts don't tend to be that big I guess.
But re-refreshing myself with the BA breakin, their core website was broken into and had their own HTML hacked to pull a script loaded from a non-related domain that kinda looked like it might belong to British Airways...
So, I'm not sure how SRI would have helped here. This wasn't a third-party hosted script that was changed. This was their first-party website hacked to load a third-party script.
The correct solution would have been to (carefully) monitor changes to critical files.. and I'm assuming that their payment pages should have fallen under PCI 11.5(a).
Well.. DNS is decentralized. You may recall that before DNS, name resolution depended on a flat-file and you had to retrieve that flat file in order to get any updates/changes.
You're also conflating two (or three) sides of DNS. The client's side and the authoritative (the client's resolver is somewhere in-between) side.
Your client can have as many resolvers listed and they'll resolve whatever it is that they can communicate with (within reason... there's a whole host of other rules that the OS relies on before dismissing the primary DNS server and moving to the secondary/tertiary server). On the other end, well... that's only as good as the DNS servers chosen by that domain's operator.
You mention AWS... it is interesting that AWS takes a very peculiar approach to this issue. In order to prevent downtime either from overload and/or some weird outage of say the .com or .net or .org TLD DNS servers, they actually use four different TLDs... .com, .net, .org and .co.uk for their nameservers.
The issue isn't that DNS isn't decentralized.. It is that CloudFlare is becoming "too big to fail".
My question is why weren't they following the golden rule, "read-only Friday". Routine is routine, until something shits the bed.
A lot of big businesses moved quickly and with relative aplomb to switch to nearly 100% Work from Home for millions of employees across the world just a few months ago, often with only 1-2 weeks notice.
If that type of coordination can be mustered and executed across the entire enterprise, I think five days to swap out certificates are within the realm of possibility.
Plus, I would hope that those who deploy EV certificates read the fine print, fully understood what they were purchasing and put this into their Risk Assessment, before deploying EV certificates.
Certificates are a bitch and chore. If done properly, they're hidden within a HSM and given the second word of that name, those are no joke.
And the average website isn't going to acquire an EV certificate. Only companies that need/want the extra level of accreditation and protection that EV provides is going to take this route.
And part and parcel of that protection are audits like this and the nuke it from orbit response when something doesn't pass the sniff test.
Because all these things matter to shareholders.
I'm not sure your list of banks are entirely correct.
The ICAs that are being revoked (if you read the linked KB from the article) are -
DigiCert Global CA G2
GeoTrust TLS RSA CA G1
Secure Site CA
Thawte TLS RSA CA G1
Cybertrust Japan Secure Server ECC CA
DigiCert Global CA G3
GeoTrust TLS ECC CA G1
Thawte TLS ECC CA G1
NCC Group Secure Server CA G3
Aetna Inc. Secure CA2
DigiCert SHA2 High Assurance Server CA
NCC Group Secure Server CA G2
Plex Devices High Assurance CA2
TERENA SSL High Assurance CA 3
Looking at AMEX, I don't see their EV cert chained to any of these ICAs. Yes, they are chained to "DigiCert", but not one of these specific ones. And the cert for AMEX was issued back in February, so this isn't a mitigated certificate. Plus, the signing ICA isn't one of the replacement ICAs.
Same with HSBC, that's issued by the same ICA as AMEX, DigiCert SHA2 Extended Validation Server CA, which isn't listed on for execution tomorrow.
Same with Clydesdale Bank....
I haven't checked your whole list, but I wouldn't get entirely out of breath here.
That is O365, so Microsoft has a baseline configuration for send connectors, but their tenants are free to do whatever they want, including enforcing TLS for one or all destination domains or relays, so on and so forth.
It is unfortunate that they don't execute a QUIT either and instead allow the socket to age out.
Maybe the sender's send connector enforces TLS.
Given the DNS PTR naming convention, it looks like this might be part of their low-quality/SRS IP pool. At least that's what I gather from reading the tea leaves.
But it doesn't sound like you're missing anything important, nevertheless. :)
And the dude in the chair being blown away by the audio from a tape - https://www.youtube.com/watch?v=Zjf5pdJJ44Q
Now I wonder what came first... the commercial or Apocalypse Now. Based on a two-second google, seems that the movie came first. And of course the song predates the commercialization of electricity or the discovery of viruses, so that came first.
Because lawyers are also officers of the court. While the proceedings are adversarial, they are not without scruples.
Plus their license to practice law in that state could be on the line for any shenanigans detected by Apple after the devices are returned.
And we're talking about Apple here, not Fazio Mechanical Services. I'm sure these are self-contained laptops and have some decent auditing cranked up on them.
Did you like intentionally misquote the article? I also checked the court filing and don't find your quoted text anywhere.
Here is the paragraph, copy-pasted verbatim from the article with the emphasis mine -
"The reviewers also have to give Apple at least an hour's notice before they start up the machine, so they can be given a single-use password to access the computer for that session, and inform them the moment they have finished. "
So it's done with a TOTP code that probably has a 60 minute lifespan.
ISPs have plenty of information on you without DNS. DNS is just a cherry on the top that puts a name to an IP (which isn't a PTR RR). They record every single data flow in and out of your home. They know the IP you're going to, how much data is transiting that flow, what AS you're communicating to and over what port and packet type (6 or 17 most likely) that flow is communicating over.
With that information, your ISP can infer the places your going based on the IP(s) that other ISP customers are getting from unprotected DNS queries.
And with a bit of inspection, it is trivial to know precisely where you're going with a little packet inspection of the TLS ClientHello packet and the bit of it called "SNI" (Server Name Indication). This is a critical piece of the TLS protocol that allows for more one secured FQDN to exist on the same IPv4 address and the website FQDN is listed in plaintext. I don't know if this is a thing for IPv6 hosted sites.
Fortunately, this glaring hole was sorted in TLS1.3 with the creation of ESNI (E=encrypted). But I'm sure all the firewall and security appliances manufacturers out there are looking for ways to re-filter corporate comms. Maybe they'll just block "_esni.FQDN" queries.
Hopefully TLS1.3 will be adapted faster than IPv6. But it does seem to have almost as many moving parts and fall-back processes to provide continuity.
For what end?
In this example, Comcast can inspect all your UDP/53 traffic coming out of your home which contains all your questions.
Sure, might be a bit harder than correlating some DNS logs and it (shouldn't) allow them to choose one answer over another... but Comcast is running DPI throughout their environment, so let's consider it a trivial matter.
The correct answer to this is to look no further than DoT.
I might add that DoH (and DoT) isn't the panacea that everyone is talking about. Pure opaqueness (outside of the company that's providing that DoH infrastructure) for DoH and DoT requires TLS 1.3, Encrypted SNI and DNSSEC to be supported by both ends of each query/connection. We're still a long way from that, and that seems like a lot of potential weak links in each request.
> A drone operator is looking at a screen, possibly dozens of miles away giving them a detachment from the human situation unfolding below the drone that a helicopter pilot may not feel.
Not dozens of miles away. Hundreds or thousands of miles away in some cases - https://en.wikipedia.org/wiki/Creech_Air_Force_Base.
In this particular article, the drone took off from North Dakota (Grand Forks Air Force). I don't know where CBP houses their "pilots", but given that it flew from the "top-left corner" of ND to Minneapolis, MN, it flew at least hundreds of miles to or from its pilot (unless it was some perfect triangle between the start, flyover and pilot)
Of a Jim Jefferies quote from his comedy show Bare regarding the second amendment...
"See, the one thing that I do really agree with with the right to bear arms, I really agree with… That the real reason it was written was so that you could form a militia to fight against a tyrannical government. In case the government became a bunch of cunts, you could all get your guns and fight back, and that’s why it was written. – [Audience cheering] – Yeah! And that made a hell of a lot of sense when it was just muskets. But you do know the government has drones, right? You get that? You’re bringing guns to a drone fight!"
Biting the hand that feeds IT © 1998–2021