Posts by sten2012

I often rant about VAT on these. Really I think they should be deductable from income tax too (as they would be from corporation tax if my employer paid).

The benefits to future income tax from the skills people could learn and the benefits to national productivity are surely overwhelmingly overpowering the pittance of tax received now.

So they get delayed, my employer often pays for them but is held back by an accumulating 6-12 month delay per course/exam that I could just pick up and buy myself if I didn't loathe paying 40%+20% than my employer for the exact same product.

On the flip side, taking a legacy code base that everyone is scared to touch:

Having a process like this write as robust tests for it as possible and constantly verifying the existing application against them then porting that code to a more presently supportable (from a staff perspective) language. Now with test suites!

Seems like a great application to try out and well worth a 40k price tag (doubling 20k to account for the initial test suite building) for many organisations if successful.

Even if humans end up rewriting that final code or contextualising those tests, if that's what it takes to migrate from COBOL (or whatever). Essentially PoCing that project that the business never starts.

Re: Incentives need to change radically

I agree completely. _Most_ unsolicited bug reports for most companies are probably dumps of low hanging fruit line SSLLabs, automated tools and/or complete chancers.

I do, however, agree with protections for researchers and there are questionable vagueness in the laws for professionals (even solicited pentesters and researchers) that mean we/they essentially have to work at risk - section 3A has kept me up at night on occasion:

"Making, supplying or obtaining articles for use in offence"

Particularly (2).

"A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence" which rules out.. well, releasing anything, frankly. How Microsoft get away with windows being on sale is beyond me.

But let's not quite go so far a normalising the unsolicited blackmail attempts.

Re: Slack should ..

And run it as SaaS..? The moral of this story is to control your own data:

> “This ordeal has made us think more deeply about entrusting data with external SaaSes and ensuring that we own our data is definitely going to be a very big priority going forward. I’d encourage you to think the same way!”

The hacking club should contribute to open source they rely on, maybe help create generic service bridges others and at most maybe help people/organisations migrate to self hosted. They should not become the next company that gets bought/invested in/donated to and has to apply pressure to others to keep financiers happy.

Re: Crapilot ... AKA Coprolite

Maybe transcription and translation with the use of native language is part of that culture shift that might never be worth it but could actually be the standout benefit of the technology. Hell just having the excuse of getting out of group video calls from echoey offices definitely is one in my books.

I mean it definitely struggles with acronyms casually pronounced and things at the best of times, but generally I've found automated transcripts of some non native speakers helpful where I particularly struggle with the accent.

I don't mean real time transcripts when I say I actively find them useful despite proposing that in paragraph 1 though. I've never used them in realtime but I strongly suspect feedback of context from later or clearer conversation actually fixes mistakes made that just aren't possible for true realtime transcription. And I suspect that's part of the problem with news (I've definitely seen subtitles be fixed on news, but I assume that's human manual correction)

> I'd actually prefer it if they don't know about IT provided they listen to those who do

I hear that. While good techies and good managers are certainly not mutually exclusive having both skills isn't massively common. And taking a good tech and using their time on people leadership isn't often ideal.

The structure that pay is tied to seniority is the issue in my opinion. A good people leader earning less than their best reports shouldn't be unusual, and would mean people continue to do what they love or are most productive at.

Instead to get pay bump a lot of people are forced into leadership roles which makes them and their reports and the whole workplace suffer.

Sorted my beer at: "Not to be confused with Pegging"

Re: Workarounds?

Not strictly true even though I fundamentally reach the same conclusion, there are a few minor benefits outside SSL if you trust the VPN provider (and intermediate networks it traverses) more than your ISP or intermediate networks that traverses.

Your content probably isn't being stolen but DNS may be, and even using DoH then SNI in TLS often discloses overall site but not content if you can't trust the network and value privacy. To say they can't see "anything" isn't strictly a true assumption. But you address that already, it's just a common misconception.

Generally have the ethos that [insert foreign 'peacetime enemy' country] are better to handle my data than [local or friendly country] because frankly they can do less to make my personal life hell and less vested interest in my comings and goings. Doesn't mean I wouldn't rather be a citizen of local country with local country sniffing my data than the other way around.

Generally, I don't bother. I use my home as a VPN for open and public (WiFi for example) networks and accept the risk of my ISP more so than a 1, 2, 10 employee VPN company handling my data and wherever they host their servers (when they clearly don't own the data centres). I just don't really agree it's objectively fact.

Re: Maths

So what though? If talk talk weren't so bottom barrel then this data wouldn't have been leaked yet again.

Ultimately, investing a absolute bare minimum amount in actually securing data should be cheaper than not doing so. If failing to do so means you have to push prices higher than the competition to cover fines - I'd call that the system working as intended.

Talk talk going out of business: shame for many of the employees but the overall market size doesn't shrink so hopefully most could find jobs at those competitors that take their share and do give a crap about complying with laws.

This idea that fines are cheaper than complying with laws is a major reason this country is in the toilet (or at least swimming in sewage).

Re: Additional Tool - Not A Replacement

Hard agree here.

Huge delta between dumping all client data into an online API while having automated agents exploiting client systems and that critical headline keyword "assist".

I think you'd be hard pressed to find a pentester or red teamer who hasn't been "assisted" by AI in some capacity at some point by now. Just with mostly appropriate care.

How often are red teams in court anyway? Christ you've screwed up if you're in court, and AI probably wasn't your problem.

I'd be interested to hear experiences from anyone in forensics who might be expected to appear in court though, when doing the job right.

Re: Peplexity just another stochastic plagiarist

For the whole of 1978?! Quite the achievement!

Re: Disheartening

No horse in this race generally but:

"They encourage their engineers to work on open source project in their own time"

How generous of them!

Re: Full disclosure has been released - its cups-browsed, link in body.

It's a remote code execution with no authentication. Definitely a 9.9

CVSS base score doesn't care how widespread software is.

Heartbleed was serious and widespread but an information disclosure that in and of itself doesn't offer RCE.

A lot of people here are confused about the scope and utilisation of CVSS base scores.

But yes. There was much hype. Over a serious but not completely ubiquitous issue

Re: water from above?

I think I'm personally more surprised by the fact this equipment actually gets reused after such an event.

On the one hand why bin it, but on the other no manufacturer will uphold the warranty and how much can you trust it's long term longevity or really be certain what you're plugging in is safe?

Maybe I'm just not understanding what "equipment" they're talking about in this context. The statement and article both sound a little vague there and clearly Ive never really worked in datacentre operations, but is this standard procedure for recovery in such an event?

Re: How will AVs function without being in the kernel

To be fair malware in the kernel is already a problem that AV can't fix so it's not that much of a change there. We're already relying on it being caught before the point of being able to load drivers, or on kernel bug check kicking in if it tries doing too much kernel sneakiness for too long and just so happens to be detected.

Hooking techniques can already be bypassed in userland, etc

I do wonder if the change can look more like virtualization based security extension rather than the AMSI style userland approach though..

Re: Misinformation - Sweet Talking Citizens - While Doing Nothing......

(2) "massive teeth like GDPR"

Equifax sprung to mind here for me when reading it. The threat of massive fines was somewhat effective at forcing compliance in advance in many many companies. Sunk costs mean many boards are still carrying on with complying. But the lack of follow through means that "trick" will never be effective again for new legislation.

Equifax are the worst. They should have been nailed to the wall seeing as modern society forces you to have your data held by these agencies.

Re: Once upon a time in a distant land...

Also I think (as a layman not close to being able to call myself a developer) that if test driven development was in mind from the beginning, if you missed tests (or found bugs) at least the test cases are already mostly already available and the application architecture already in good stead for solid regression tests coming down the line.

That's a major bonus in itself I'd say.

Re: Your bug report was clearly an undeserved and unappreciated courtesy...

I disagree with this. I do see a place for responsible disclosure.

But if nobody is fixing it or acknowledging it's a vulnerability then there is no vulnerability to be responsible about - in which case public disclosure is fine.

If it truly is an actual vulnerability and not just an inert bug and vendors are denying this despite good faith efforts then public disclosure becomes the responsible course of action so people can make an informed decision as to whether to use the software. If so vendors become committed to fixing.

This story seems to fall into one of the above. Publishing is either OK, or publishing is required.

Not to mention, other hypervisors that are properly open exist too. And are thoroughly proven to be production ready (perhaps unlike when initial decisions for VMware platforms were made which momentum kept rolling for upgrades).

Can't just be me thinking I'd be avoiding any closed platform that can be acquired or squeezed for something so critical to the business after everything that's happened

Still though. Unless they used those credentials I can't see how unauthorised access to a computer system occurred.

Maybe some kind of fraud, copyright theft on the captive portal page maybe, and a beach of terms presumably as they were probably funneling victim traffic through the actual WiFi.

But I don't see the unauthorised access in these particular cases until the credentials are tested on something else.

I'd argue all the people above using fake emails to access a WiFi provider are closer to breaching that particular law

Re: Fail2ban helps timeline?

I'm not sure if a timed out login attempt would be flagged by fail2ban as a "failed" login per se and therefore might not be blocked. So might need some config tweaking to recognise it (or at least verifying) before relying on it.

Sorry, I haven't checked so probably should shut up, but wanted to comment in case someone sees your question and decides fail2ban is "probably good enough"!

Re: This is Russia.

That VPN isn't a browser plugin though..

It could prompt you with a small display and rotate through numbers though and achieve the same.

1212, 3434. Kind of like self cleaning. But without the self.. mandatory used based cleaning.

And I stumbled here directly after clicking through a twitter link that used to be public to view but now requires an account.

Re: Simple solution?

Having dealt with Currys in the past it's one high street retailer I'll actually celebrate going under.

Frankly, I'd rather support Amazon.

I don't know what they're like these days but they've screwed me enough times I don't intend to find out.

Re: I do not get the business rationale

I agree. Even if you really don't want the hassle of dealing with smaller customers, surely you partner with a large reseller and support shop or two you deal with in large concentrations and funnel them off to there?

Customer prices go up and you're splitting some of the profit, but it's better than this, surely?

Even at no profit broadcom's end (which obviously wouldn't be the case), it would keep people using VMware, for the skills market to not dry up, and prevent investment pouring into your competition when everyone jumps ship and keep you viable in the big customers you're trying to keep.

Re: Things AI will never be able to do

I absolutely don't believe the last one.

And in fact said boss could probably then be convinced by the AI to do the others:

"Honeyboss, I notice you are 15% more efficient at your management duties when you have your omega 3. Run out and get a kipper, oh and I think there are no plates clean so grab the cup from cubicle 6 on your way through and microwave it in that. There's a parking spot on bay 7 closer to the building - that should save you time"

Re: dafuq

Is this employee data or what?

Why health, for example? If it's customers:

A) why would anyone choose to supply it?

B) under what premise was it collected?

C)why would they possibly want to collect it? They know the answer already, and collecting it is just removing any deniability for "they knowingly sold unhealthy food" lawsuits in future.

Re: I rather like HP printers and Instant Ink

Pretty sure I'm paying more per page because I only use the printer a few times a year and it's always needing new ink because the lack of use. So maybe print 30 pages a year, but that means going through maybe 3 ink carts a year at 20 odd quid each.

The way you describe it sounds like a good deal for me too to be completely honest, even though I find the idea abhorrent.

I probably should have quoted more, but it wasn't all released. With the vague implication being 10% had been sold.

I guess maybe they list separately credentials via access brokers and any card information via carding sites if it doesn't sell, but 10% sounds a LOT for just those. But I guess I'm mostly just curious what the 10% being withheld is, and why, and if paid for - by whom and for what purpose. Questions I can never find out the answer to!

Re: I may be wrong but...

I left over a decade ago, right when you could tag friends in photos without their consent.

It was creepy in so many ways on FB's I could never and still can't see past it. The day business expected and okayed acquaintances to upload and tag PII about you rather than yourself. While they let you delete data when you leave (ostensibly) you know that facial recognition model isn't being reset every day. And suspect none of the data itself was either.

Possibly, but getting CC'd in with the evidence probably didn't happen too often!

Re: "supposed expert who turned out to be anything but"

Proxies are still pretty widely used. I'm not talking about web server configuration here but the original posters "dev having their system proxy set to localhost"

I'm not a dev (maybe I fall into the etc category though) and I use the previously listed all day, most days.

Maybe a better example devs would be more familiar with is Telerik Fiddler. A local intercepting proxy.

But - that's truly a brilliant story nonetheless. I thank you for it.

Re: No moving parts

Same point maybe, if not closely related. Maybe not this device specifically (as they aren't marketing that way), but solid state cooling is great for industrial computing in dirty environments where fans are particularly prone to gunk, drawing in dust and seizing.

Even if they did, most companies lean so heavily on consultancies for pentesting specifically (seemingly contrary to other information assurance roles) that I don't see how that can ever scale in this market. The retainer doesn't seem practical in the UK at least (cant speak of US market) to really, honestly work that way. It's a nice ideal. But unlike development and operations the resources were never sufficiently staffed internally in the first place - friction and handover aren't the fundamental underlying issue here.

That's without firing anyone, even in the best case scenarios.

Possibly that's why the evangelists get so rabid though?

But yes, I completely agree with you. Ignore if you weren't looking for a response.