* Posts by reGOTCHA

20 posts • joined 14 Oct 2020

Cloudflare, Akamai: Why we're not pulling out of Russia


"I don't want to start a flame war" but let me proceed and start a flame war.

Beijing wants to level up China's software industry, with an emphasis on FOSS


Re: Too much anti-China rhetoric

You're entitled to love anything. But let's be rational together: if your phone has a Huawei/Xiaomi-modified OS, it is less secure and private than other Android phones. It has the unintentional problems other Android phones have, plus the intentional ones added on top. This is just how it is; it has been documented many times over: the blocklists, the trigger-word lists, remote installation capabilities, the persistent ping home of system apps, and others not documented but assumed to exist because they are in the law the companies are subject to. This is just how it is; it's a sad reality, but the reality.

And don't tell me your data going to Google and Facebook is the same as going to some CCCP-owned data center. These are two very different levels of bad.

Microsoft: What's that? A patch for make-me-admin vuln? Sorry – can't hear you. Have a new jumper instead


It's a free OS... you can't ask much from them...

...What do you mean it's not free? I always got the ISO from them and used an open source Key Management Server?!

Boeing 737 Max chief technical pilot charged with deceiving US aviation regulators over MCAS


Re: Some extra info

"There was a moral code there somewhere between the 50s and the 80s." - This is just nonsense! Ever heard anything about Edward Bernays and his peers and their influence on modern society? How he redefined the term "public relations" because propaganda was too strong of a word? How, in their view, the average person is an idiot and should be manipulated because they don't know what is best for them?

Chinese state media describes gaming as 'spiritual opium' that stunts education and destroys families


Re: Gaming

Next in line: TV series and movies. Binge-watching something is basically the same as smoking another one because the previous one felt good. Then come books; god forbid people throw away half a day reading childish comic books, holding their pee because they have to turn another page. After that is music: you learn nothing from it and most current music is garbage anyway.

NSO Group 'will no longer be responding to inquiries' about misuse of its software


Re: imperva.com fake certificate?

imperva[.]com is one of those companies offering protection against DoS attacks. Your traffic goes to them to be checked for 'legitimacy' and then goes on to the destination. They have powerful machines receiving the traffic of all their clients, and only the traffic deemed benign passes through. This explains why there are so many domains under one certificate. They probably have many certificates with many more domains in them, so it's not so obvious who their clients are based on one certificate.

The good thing about certificates is that they are not magical and they don't appear and disappear without leaving a trace.

This trace would be visible in some Certificate Transparency logs. Google, Cloudflare, Facebook, and many other certificate issuers monitor the issuing of certificates so it's damn hard to just issue a certificate linked all the way up to a root CA for a domain you don't own without getting noticed.

For example, for the 123-flowers[.]co[.]uk domain mentioned in the GlobalSign/Imperva certificate, a bit further down the cert details page you can see in the "Embedded SCTs" section that this cert in particular was included in 3 transparency logs: Google "Xenon2021", Cloudflare "Nimbus2021" and Sectigo (Comodo) "Sabre" CT.

I searched a few of these logs and no certificate was ever issued by GlobalSign to the sse[.]com[.]cn domain or any of its subdomains...

It was probably a small mistake in your research that yielded those suspicious results.

Another good thing about certificates and certificate transparency logs is that you get to know a lot of subdomains, even the ones not meant for the general public, for research and academic purposes ofc.

Regarding traceroute showing changing routes: that's just dynamic routing and traffic shaping at work. Two tracerts from the same place can have different routes, and nothing guarantees you that your web traffic will take the same route as either of these two, also because you're using different protocols.
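The "Embedded SCTs" section the post refers to is a certificate viewer's rendering of the RFC 6962 SignedCertificateTimestampList carried in the certificate extension with OID 1.3.6.1.4.1.11129.2.4.2. The following is an added example, not code from the post or from any CT tool: it serialises and parses that structure so you can count the logs a certificate claims inclusion in and map each log ID to a name. The three log IDs, the timestamps and the signature bytes are constructed for the example (a real log ID is the SHA-256 of the log's DER-encoded public key, and the real Xenon/Nimbus/Sabre IDs are not reproduced here). One caveat a practitioner should keep in mind: an embedded SCT is a log's signed promise to include the (pre)certificate, not proof that it was included; checking that still needs the log's public key to verify the signature and an inclusion proof or a monitor such as the ones the post mentions.

```python
"""
RFC 6962 section 3.3 SignedCertificateTimestampList, TLS-style serialization:

  list = uint16 total_len || { uint16 sct_len || sct }*
  sct  = uint8 version (0 = v1)
         || 32-byte log_id (SHA-256 of the log's DER public key)
         || uint64 timestamp (milliseconds since the Unix epoch)
         || uint16 ext_len || extensions
         || uint8 hash_alg || uint8 sig_alg || uint16 sig_len || signature

In a certificate this list sits inside an OCTET STRING in extension
1.3.6.1.4.1.11129.2.4.2; the DER unwrapping is outside this example.
"""
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int   # TLS 1.2 HashAlgorithm: 4 = sha256
    sig_alg: int    # TLS 1.2 SignatureAlgorithm: 3 = ecdsa
    signature: bytes


def serialize_sct(s: SCT) -> bytes:
    return (bytes([s.version]) + s.log_id + struct.pack(">Q", s.timestamp_ms)
            + struct.pack(">H", len(s.extensions)) + s.extensions
            + struct.pack(">BBH", s.hash_alg, s.sig_alg, len(s.signature)) + s.signature)


def serialize_sct_list(scts: List[SCT]) -> bytes:
    body = b"".join(struct.pack(">H", len(x)) + x for x in map(serialize_sct, scts))
    return struct.pack(">H", len(body)) + body


def parse_sct(buf: bytes) -> SCT:
    """Parse one SerializedSCT; every length field is checked against the buffer."""
    if len(buf) < 43:
        raise ValueError("SCT too short")
    version = buf[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = buf[1:33]
    (ts,) = struct.unpack(">Q", buf[33:41])
    (ext_len,) = struct.unpack(">H", buf[41:43])
    pos = 43
    if len(buf) < pos + ext_len + 4:
        raise ValueError("truncated extensions or signature header")
    ext = buf[pos:pos + ext_len]
    pos += ext_len
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[pos:pos + 4])
    pos += 4
    if len(buf) != pos + sig_len:
        raise ValueError("signature length does not match buffer")
    return SCT(version, log_id, ts, ext, hash_alg, sig_alg, buf[pos:])


def parse_sct_list(blob: bytes) -> List[SCT]:
    if len(blob) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("list length does not match buffer")
    if total == 0:
        raise ValueError("list must carry at least one SCT")  # opaque <1..2^16-1>
    scts, pos = [], 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > len(blob):
            raise ValueError("bad SCT length")
        scts.append(parse_sct(blob[pos:pos + n]))
        pos += n
    return scts


def is_valid_sct_list(blob: bytes) -> bool:
    try:
        parse_sct_list(blob)
        return True
    except ValueError:
        return False


def summarize(blob: bytes, known_logs: Dict[bytes, str]) -> List[Tuple[str, str]]:
    """(log name, UTC timestamp) per embedded SCT; unknown log IDs are reported by hex prefix."""
    out = []
    for s in parse_sct_list(blob):
        name = known_logs.get(s.log_id, "unknown log " + s.log_id.hex()[:16])
        when = datetime.fromtimestamp(s.timestamp_ms // 1000, tz=timezone.utc)
        out.append((name, when.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return out


# Constructed log IDs (NOT the real Xenon2021 / Nimbus2021 / Sabre IDs) and placeholder
# signature bytes that stand in for a DER ECDSA signature; they are not verifiable.
CONSTRUCTED_LOGS = {
    hashlib.sha256(b"constructed key: Google Xenon2021").digest(): "Google 'Xenon2021'",
    hashlib.sha256(b"constructed key: Cloudflare Nimbus2021").digest(): "Cloudflare 'Nimbus2021'",
    hashlib.sha256(b"constructed key: Sectigo Sabre").digest(): "Sectigo 'Sabre'",
}
_LOG_IDS = list(CONSTRUCTED_LOGS)
SAMPLE_SCT_LIST = serialize_sct_list([
    SCT(0, _LOG_IDS[0], 1620000000000, b"", 4, 3, hashlib.sha256(b"sig-a").digest() * 2),
    SCT(0, _LOG_IDS[1], 1620000000123, b"", 4, 3, hashlib.sha256(b"sig-b").digest() * 2),
    SCT(0, _LOG_IDS[2], 1620000001000, b"", 4, 3, hashlib.sha256(b"sig-c").digest() * 2),
])

if __name__ == "__main__":
    for name, when in summarize(SAMPLE_SCT_LIST, CONSTRUCTED_LOGS):
        print(f"{when}  {name}")
```

Feeding the bytes of a real certificate's SCT-list extension into `summarize` with a table of real log IDs gives the same "included in N logs" view the post describes, and the length checks reject a list that has been truncated or padded.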

'We're finding bugs way faster than we can fix them': Google sponsors 2 full-time devs to improve Linux security


They don't trust the binaries so they compile themselves

Do they trust the compiler? Or do they compile the compiler from source too?

Someone gave me this link some time ago:

Reflections on trusting trust - Ken Thompson


Man arrested after UK school finds wiped hard drives on devices connected to network


sophisticated and certainly state sponsored

By the Russian or Chinese 28-year-old elite hacker... as always.

Ad-scamming, login-stealing Windows malware is hitting Chrome, Edge, Firefox, Yandex browsers, says Microsoft


imagine a future without ads

It's beautiful isn't it?

Has anyone ever studied (as in real science) who really benefits from advertising? The buyer or the seller?

Someone would have to come up with a viable idea for supporting content-based businesses besides ads.

People would consume less, and every time you need something you would actually have to search for it and compare solutions. The environment would appreciate it. Companies would have to actually create value and drive innovation instead of slowing innovation for the sake of capitalizing on each insignificant evolutionary step with the help of marketing. Online markets would flourish and small businesses would play in the same arena as big corporations. The current economic indicators would probably go down and blink yellow, but those are in need of replacement anyway.

Court orders encrypted email biz Tutanota to build a backdoor in user's mailbox, founder says 'this is absurd'


Re: And they're going to do what about me doing this?

Don't be so dismissive.

The same 'they' did it to TrueCrypt, and at least attempted it with VeraCrypt, for example.

Targeted attacks, confusion and disinformation can amount to such a level that at a certain point you just have to trust the software.

Was openssl ever audited?

Can you trust all parties involved in the audit? To what extent?

What was the scope of the audit? Core libs or GUI code?

Which version do you use? Before or after the audit?

Do you get a compiled binary and verify the hash, if there is one?

Or do you build from source because you don't trust the available binaries, or because no hash is available?

Does it use OS libs or is it 100% self-contained? If not, ask the same questions about those libs too...

But wait, there's more! (imagine the guy in the TV commercial)

Encryption software was once subject to export restrictions just like weapons and ammunition.

Which version do you have? The export-ready one or the other one?

What OS are you running those binaries on?

What firmware is below that OS?

On what hardware are you running that firmware?

It gets very tricky very fast. In the end it's just about how high your trust bar is and how much effort you are willing to put into it, but be reminded that most of the planet has a much lower bar.

If only you in your family/friends/work circle accept and know how to use openssl, what use is it to you?

All of this trust chain is being attacked constantly; the only thing on our side is that governments don't have infinite resources and they have bigger problems.

In an extremely careless scenario, only a few thousand netizens kind of trust something they build but that is complex to use, while most of the world trusts something else that is easy to use but can very well be 'fit for export' software. Think of how easy it could be for a North Korean to get their hands on hardware and software that would allow them to send you a message that only the two of you can read.

It's fine if you don't make this your life battle, I don't either, but don't be so dismissive about it.


Re: An idle musing

Thank you for the link, from that link I found hours - if not days - of fun material to read instead of working.

Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools


Re: The premise seems COMPLETELY wrong......

Maybe for FireEye it is; the hacked consultants hired Microsoft consultants to help sort out the mess. Such is the scale of the mess, or the state of morale, or both.


Super h4x0r leet state sponsored actor - probably not, but they would never admit it

"They used a novel combination of techniques not witnessed by us or our partners in the past."

You're telling me that, in a world where Stuxnet is just the tip of the tail of the hidden cat, you have never seen anything like this before?

Did someone implant a satellite sting that uses custom protocols on inaccessible frequencies, burn a bunch of 0-days for access/escalation, use thermal/seismic/wind techniques to bridge air-gapped networks and finally extract everything using a custom Morse code with an invisible laser?

And all of that to steal red team tools and customer contracts and metadata from an infosec vendor that is no different than many others?

I'm sure they did. Might as well convince me it was aliens.

Why did Apple hamstring camera repairs on standard iPhone 12 but leave Pro Max module swappable? asks engineering group


Re: Amateur vs professional

It's just marketing don't overthink it...

"Our camera goes all the way to f/0.000001 just like the pros," they say, hoping we forget that a "pro" camera has more kilos of dedicated image-taking/processing hardware than a smartphone will ever have for all its possible purposes.

No, the creator of cURL didn't morph into Elon Musk and give away Bitcoins. But his hijacked Twitter page tried to


Re: About the Stockholm geolocation

What characteristics do you use to identify a proxy during a scan, besides searching for common proxy ports? For research purposes.

Google to end free unlimited online photo, vid storage, will eventually delete files if accounts go over their cap


My business plans, ruined

I wanted to set up a company that would sell cloud storage; I would encrypt client data and store it in my free Google account... they ruined it.

Apple suffers setback in epic Epic Games games fight: Federal judge zaps damages counterclaim


"...and Apple is happy with this." - they are not

The legal case is not about 30 or 10 percent. It's about not being able to sell in-app without apple taking a cut.

Your second paragraph is more to the point and is related to the intentions of Apple that gave origin to this case.

While you could subscribe in-app to Spotify without Apple taking a cut, Apple recently pushed new terms and conditions that forbid exactly that: in-app purchases can ONLY be done using Apple's in-app purchase system, with Apple taking a cut.

At almost the same time this case started, Google made moves in the same direction in their Google Play store... "Apple is about to get shot for this, let me put myself in the line of fire too..."

SAP stock price crashes 23%, €28bn wiped out as firm warns of Klein(er) revenues, profits ahead due to COVID-19


Re: Why use SAP ?

And that's why I quit my cyber-security job at a big corp, even though I loved my team.

It was not about doing things well once and moving on to improve security posture elsewhere, it was about making sure next year our budget was bigger so we could buy more crap we don't use/need.

At some point internal test reports and product comparisons were ignored, and the 3rd best (3rd least bad) was bought and half-deployed; it would simply not work, or conflicted with existing infra.

I wonder if the expensive watch catalogues in the Project Manager's office were given by Palo Alto or FireEye or others..

Back to topic;

I wish I had bought S&P 500-indexed stuff on 23 April this year :(

Your web browser running remotely in Cloudflare's cloud. That's it. That's the story



Outsourcing web browsing is a thing?

Cloudflare floats cloud grand unification theory based on zero-trust access and security


The future is now, old man

By network-as-a-service they mean you route ALL your endpoints to somewhere on the internet through a fat pipe.

They will do routing/firewalling/segmentation/security for you with the most advanced AI/BigData/MachineLearning.

Zero trust I'm not certain, but I guess it relates to trust and the service they provide...
