Posts by reGOTCHA

14 posts • joined 14 Oct 2020

'We're finding bugs way faster than we can fix them': Google sponsors 2 full-time devs to improve Linux security

reGOTCHA

They don't trust the binaries so they compile themselves

Do they trust the compiler? Or do they compile the compiler from source too?

Someone once gave me this link some time ago:

Reflections on trusting trust - Ken Thompson

https://dl.acm.org/doi/10.1145/358198.358210

Man arrested after UK school finds wiped hard drives on devices connected to network

reGOTCHA

sophisticated and certainly state sponsored

By either the Russian or Chinese 28-year-old elite hacker... as always.

Ad-scamming, login-stealing Windows malware is hitting Chrome, Edge, Firefox, Yandex browsers, says Microsoft

reGOTCHA

imagine a future without ads

It's beautiful isn't it?

Has anyone ever studied (as in real science) who is really taking the benefit from advertisement? The buyer or the seller?

Someone would have to come up with a viable idea for supporting content-based businesses besides ads.

People would consume less, and every time you needed something you would actually have to search for it and compare solutions. The environment would appreciate it. Companies would have to actually create value and drive innovation instead of slowing innovation for the sake of capitalizing on each insignificant evolutionary step with the help of marketing. Online markets would flourish and small businesses would play in the same arena as big corporations. The current economic indicators would probably go down and blink yellow, but those are in need of replacement anyway.

Court orders encrypted email biz Tutanota to build a backdoor in user's mailbox, founder says 'this is absurd'

reGOTCHA

Re: And they're going to do what about me doing this?

Don't be so dismissive.

The same 'they' did it to TrueCrypt, and at least attempted it with VeraCrypt, for example.

Targeted attacks, confusion and disinformation can amount to such a level that at a certain point you just have to trust the software.

Was openssl ever audited?

Can you trust all parties involved in the audit? To what extent?

What was the scope of the audit? Core libs or GUI code?

Which version do you use? Before or after the audit?

Do you get a compiled binary and verify the hash, if there is one?

Or do you build from source because you don't trust the available binaries, or because no hash is available?

Does it use OS libs or is it 100% self-contained? If not, ask the same questions about those libs too...

But wait, there's more! (imagine the guy in the TV commercial)

Encryption software was once subject to export restrictions just like weapons and ammunition.

Which version do you have? The export-ready one or the other one?

What OS are you running those binaries on?

What firmware is below that OS?

On what hardware are you running that firmware?

It gets very tricky very fast. In the end it's just about how high your trust bar is and how much effort you are willing to put into it, but be reminded that most of the planet has a much lower bar.

If only you in your family/friends/work circle accept and know how to use openssl, what is the use of it for you?

All of this trust chain is being attacked constantly; the only thing on our side is that governments don't have infinite resources and they have bigger problems.

In an extremely careless scenario, only a few thousand netizens kind of trust something they built but it's complex to use, while most of the world trusts something else that is easy to use, but can very well be 'fit for export' software. Think of how easy it could be for a North Korean to get their hands on hardware and software that would allow him to send you a message that only the two of you can read.

It's fine if you don't make this your life battle, I don't either, but don't be so dismissive about it.
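One concrete form of the "verify the hash" step from the list above, as an added example that is not part of the original comment or of any project it names: a POSIX shell function that checks a download against a checksum list in `sha256sum` format and rejects a file that has been modified after the digest was recorded. The file names and contents below are constructed for the demo. A checksum published next to the download only catches corruption or a tampered mirror; it says nothing about who built the binary or what compiler they used, which is exactly the part of the chain the comment is asking about.

```shell
#!/bin/sh
# Added example, not code from the thread: check a downloaded build against a
# published SHA-256 digest before running it. File names below are constructed.

# verify_artifact FILE SUMS
#   SUMS is in `sha256sum` output format ("<64 hex chars>  <name>").
#   Exit status 0 = recorded digest matches; 1 = no entry for the file or mismatch.
verify_artifact() {
    _file="$1"; _sums="$2"
    _name=$(basename "$_file")
    # take the digest column of the line whose name column matches exactly
    # (a leading '*' marks binary mode in some sha256sum outputs; strip it)
    _expected=$(awk -v n="$_name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$_sums")
    if [ -z "$_expected" ]; then
        echo "verify_artifact: no entry for $_name in $_sums" >&2
        return 1
    fi
    _actual=$(sha256sum "$_file" | awk '{ print $1 }')
    if [ "$_actual" != "$_expected" ]; then
        echo "verify_artifact: digest mismatch for $_name" >&2
        return 1
    fi
    return 0
}

# demo_verify: build a constructed artifact and a matching SHA256SUMS file,
# verify it, then append a byte (a modified download) and verify again.
# Prints "untampered:ok tampered:rejected" and returns 0 when both checks behave.
demo_verify() {
    _d=$(mktemp -d)
    printf 'constructed release payload\n' > "$_d/tool.tar.gz"
    ( cd "$_d" && sha256sum tool.tar.gz > SHA256SUMS )
    if verify_artifact "$_d/tool.tar.gz" "$_d/SHA256SUMS"; then r1=ok; else r1=rejected; fi
    printf 'x' >> "$_d/tool.tar.gz"     # simulate a file changed after the digest was published
    if verify_artifact "$_d/tool.tar.gz" "$_d/SHA256SUMS" 2>/dev/null; then r2=ok; else r2=rejected; fi
    rm -rf "$_d"
    echo "untampered:$r1 tampered:$r2"
    [ "$r1" = ok ] && [ "$r2" = rejected ]
}

demo_verify
```

The name comparison is exact rather than a regex match so that `tool.tar.gz` does not accept the digest recorded for `old-tool.tar.gz`, and a missing entry is treated as a failure, not as "nothing to check".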

reGOTCHA

Re: An idle musing

Thank you for the link, from that link I found hours - if not days - of fun material to read instead of working.

Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools

reGOTCHA

Re: The premise seems COMPLETELY wrong......

Maybe for FireEye it is: the hacked consultants hired Microsoft consultants to help sort out the mess. Such is the scale of the mess or the state of morale, or both.

reGOTCHA

Super h4x0r leet state sponsored actor - probably not, but they would never admit it

"They used a novel combination of techniques not witnessed by us or our partners in the past."

You're telling me that - in a world where stuxnet is just the tip of the tail of the hidden cat - you have never seen anything like this before?

Did someone implant a satellite sting that uses custom protocols on inaccessible frequencies, burn a bunch of 0-days for access/escalation, use thermal/seismic/wind techniques to bridge air-gapped networks and finally extract everything using a custom Morse code with an invisible laser?

And all of that to steal red team tools and customer contracts and metadata from an infosec vendor that is no different than many others?

I'm sure they did. Might as well convince me it was aliens.

Why did Apple hamstring camera repairs on standard iPhone 12 but leave Pro Max module swappable? asks engineering group

reGOTCHA

Re: Amateur vs professional

It's just marketing, don't overthink it...

"Our camera goes all the way to f/0.000001 just like the pros." - they say - hoping we forget a "pro" camera has more kilos of dedicated image taking/processing hardware than a smartphone will ever have for all its possible purposes.

No, the creator of cURL didn't morph into Elon Musk and give away Bitcoins. But his hijacked Twitter page tried to

reGOTCHA

Re: About the Stockholm geolocation

What characteristics do you use to identify a proxy during a scan, besides searching for common proxy ports? For research purposes.

Google to end free unlimited online photo, vid storage, will eventually delete files if accounts go over their cap

reGOTCHA

My business plans, ruined

I wanted to set up a company that would sell cloud storage; I would encrypt client data and store it in my free Google account... they ruined it.

Apple suffers setback in epic Epic Games games fight: Federal judge zaps damages counterclaim

reGOTCHA

"...and Apple is happy with this." - they are not

The legal case is not about 30 or 10 percent. It's about not being able to sell in-app without Apple taking a cut.

Your second paragraph is more to the point and is related to the intentions of Apple that gave origin to this case.

While you can subscribe in-app to Spotify without Apple taking a cut, Apple recently pushed new terms and conditions that forbid exactly that: in-app purchases can ONLY be done using Apple's in-app purchase system, with Apple taking a cut.

At almost the same time this case started, Google made movements in the same direction in their Google Play store... "Apple is about to get shot for this, let me put myself in the line of fire too..."

SAP stock price crashes 23%, €28bn wiped out as firm warns of Klein(er) revenues, profits ahead due to COVID-19

reGOTCHA

Re: Why use SAP ?

And that's why I quit my cyber security job in a big corp.. even though I loved my team.

It was not about doing things well once and moving on to improve security posture elsewhere, it was about making sure next year our budget was bigger so we could buy more crap we don't use/need.

At some point internal test reports and product comparisons were ignored, and the 3rd best (3rd least bad) was bought and half deployed - it would simply not work or conflict with existing infra.

I wonder if the expensive watch catalogues in the Project Manager office were given by PaloAlto or FireEye or others..

Back to topic:

I wish I had bought S&P 500 indexed stuff on 23 April this year :(

Your web browser running remotely in Cloudflare's cloud. That's it. That's the story

reGOTCHA

Mind.blown.

Outsourcing web browsing is a thing?

Cloudflare floats cloud grand unification theory based on zero-trust access and security

reGOTCHA

The future is now, old man

By network as a service they mean you route ALL your endpoints to somewhere on the internet through a fat pipe.

They will do routing/firewalling/segmentation/security for you with the most advanced AI/BigData/MachineLearning.

Zero trust I'm not certain, but I guess it relates to trust and the service they provide...


Biting the hand that feeds IT © 1998–2021