* Posts by sten2012

84 publicly visible posts • joined 13 Oct 2021


Pentesters' fave Kali Linux turns 10 with version 23.1


Re: Unsavoury

Having used backtrack chroot on android and then Nethunter when it was first released it was completely ad free (except IIRC it did recommend a specific non-free APK upgrade for enhanced functionality, but I wouldn't even call that advertising, twas completely honest and upfront), I had no idea what OP was on about, thanks for clarifying.

Was playstore just squatting on the name then?

Check out Codon: A Python compiler if you have a need for C/C++ speed


Certainly not only interested in commercial use or even "mostly" commercial use, but also not interested in investing much time in something that I now know I couldn't use in any potential employer and would be better off committing to getting comfortable in a more suitable language instead.

When older releases are reaching GPL stage I might well revisit.

I'm a pentester not a developer so my commercial code is not ever shipped code per se, the stuff I do is pretty much all one off hacky scripts to help me out (data manipulation for example) that never see the light of day again and I'd be ashamed to have any real developer or data engineer catch a glimpse of.

I don't usually need this performance, but every now and again my junk code thrown together in a few hours can take a few hours to run and getting that down (and speeding up the many debugging runs) without spending hours/days optimising would be nice.

Nothing I do along them lines would ever take 3/4 years without me being fired, let's put it that way.

Also some network stuff of course but doubt that will see many gains here so not much point there.

Those slow runs are not a deal-breaker - usually runs in the background while I get on with other things.

GPU feature is nice. Had a few instances where password crackers for proprietary software have come up, and I've never used python for those nor have I ever committed to GPU for them, but then again I normally just use whatever the language the reverse engineered code is and flip it around to knock those up too. Assessment windows are short and so spending more than a couple hours on these things is just impossible.

But ultimately nobody would commit to licensing for this kind of software for "that one python guy" when teammates all have different language preferences, and I'd probably only benefit from these performance improvements a couple times a year.

While that might not even count as "production code" under that license I'll prefer to just find a "free as in freedom" alternative.


The @codon.jit decorator sounds like an incredibly useful compromise from the docs.

Definitely plan on trying this out as soon as possible!

Edit..Then I got down to the licensing information and suddenly lost all interest.

Can we interest you in a $10 pocket calculator powered by Android 9?


Re: it just doesn’t add up.

And, pray tell, what does PEN stand for, please?

As a pentester. Please don't capitalise it. You struck a nerve. Please, please don't capitalise it.

Most Londoners would quit before they give up working from home


Thank you.

I've been forced into offices for nearly a couple decades now. Never once have there been massive company wide calls or support on how to emotionally deal with being forced to interact like this even though nothing in my nature supports it.

Within weeks of working from home the support groups and meetings sprung up on coping and basically ran continuously.

I'm not even that sure I'm in the minority, certainly not as disproportionately the minority as the available support indicated.

Think it really highlights how workplaces in general (not just office life) are set up exclusively for extroverts. I found it very, very hard to sympathise after noticing that.


Re: I don't want my home to be an office though

Not sure why the downvotes to this. I love WFH and would hate/refuse to ever move to a job that demands it again.

But I get this. Not least the fact that work won't, and shouldn't, pay for this conversion.

So what is there to disagree with of the opinion someone that doesn't want to put their land aside for their employer, and spend 5-20k in the process?!

It's not my own opinion that a work area encroaches on my personal life. But it's sure as hell a perfectly valid and logical one.


Far easier than booking a meeting and/or dragging 3 people from 10 desks away (in different directions) over to come look at your screen to ask a question.

And those that are currently too busy aren't pulled from what they're currently doing to answer my inane, off the cuff, question.

Smart ovens do really dumb stuff to check for Wi-Fi


Re: Local network only

Amazing that consumer protection groups don't seem to give a crap about that part.


Power consumption for the TVs on the other hand probably massively increases price per week vs modernising.

Things supposed to kick out heat may not be worth the switch, but electronic equipment definitely needs consideration at the very least.

Defra 'confident' it has 'handle' on risk for 30% of apps out of support


Re: "It's possibly slightly worse than described"

I used to do these and the on site reviews "in the beforetimes" but..how on earth did you fail a self attesting scorecard check boxing exercise?

Clearly too honest to do business with this gov, guv.

If your DNS queries LoOk liKE tHIs, it's not a ransom note, it's a security improvement


Re: Transmission

Random looking subdomains is what I've seen before. Iodine and cobalt strike. Cant vouch for everything out there. But almost certainly for the reasons you say.

And if you don't need the recursion (so don't have to worry about intermediate caches) you just pump whatever data straight out of 53 instead and don't mess around with all this anyway.

NASA overspent $15m on Oracle software because it was afraid an audit could cost more


Re: It's a legit concern....

How are you using it? On end user devices or say on virtualisation servers?

To be totally honest since oracle has taken over it feels to me like vbox development has slowed to an absolute crawl. I used to be a huge advocate for it but my experience has only been going downhill.

It used to be that or vmware. Now there are loads of what were newcomers that are just as capable for 80-100% of use cases. KVM or Qemu on Linux. Hyperv (if you don't need h/w passthrough) on Windows (80%).

And I don't really see local user virtualisation going cloudy for vmware (a la workstation), just it becoming tighter integrated with, say, hyper-v on Windows and less focus on their own virt while vsphere stuff is looking less certain.

But I'm honestly clueless though so don't listen to me!

I'm sure I'm missing loads (xen still a thing?)

Between that and the uptick in containers taking on some workloads.. It wouldn't take much convincing for me these days, once their biggest fan, let's put it that way.

Someone has to say it: Voice assistants are not doing it for big tech


I've still got 4 light switches in the house we moved into nearly 5 years ago now that I still have no idea what they are supposed to do!

All on banks with 1/2 other switches with easy to easyish to work out purpose with some trial and error. But not these.

In that sense they really are a pretty terrible interface!

Patch Tuesday update is causing some Windows 10 systems to blue screen


But.. It is broke.

Just the fixes slightly more so.

Microsoft's grand unified theory of .NET advances a little


Interesting, thanks! I saw some things promising to fix it in teamwork circa 2018 but none made a bit of (beneficial) difference at that time. Haven't looked back since.

Have now given up on winforms much as I love the simplicity as a result of that terrible experience of high dpi screens becoming suddenly a thing that exists (initially macs with retina running windows vm's, then suddenly boom.. Everyone)

WPF was (is!) great but didn't have the nerve when starting a new project in a new language to adopt a new framework. Feel shame to this day about some poor decisions there.

And if neither were cross platform I landed on simple, thinking if it needed to go cross platform I create a second simple UI in QT or something.


Is winforms trudging along?

WPF absolutely, but you can always tell a winforms app by the way it doesn't remotely behave on a high dpi display.

And I haven't seen much of that at all lately

Mozilla, Microsoft drop TrustCor as root certificate authority


Re: Trust and CA's

I'm sorry, I was more referring to US, (and partly UK), but the context of the post I was replying to US and definitely should have been clearer.

You are right these get abused, or root certs added by govts or root certs added by software.

But what I haven't seen before is, say, evidence American TLA's doing that because there are softer and more deniable targets.


Re: Trust and CA's

I think if root certs were being abused there would be more evidence of this wouldn't there?

The way prism was set up seems to indicate that this isn't true.

Unless I've missed something.

Not that they couldn't abuse it, I'm sure, but I've seen nothing to indicate they do, and they'd probably prefer less visible attacks than swapping out certs on MITMd traffic

Stack Overflow bans ChatGPT as 'substantially harmful' for coding issues


Re: ChatGPT appears to getting glowing reviews

First try in most cases! But they were trivial. Its enough to convince me that actually this will help people like me who maybe code quite a bit, but basically just hacky single use scripts often in languages I'm not familiar - so often it's the syntax and api specifics and standard libraries I waste most time on, but if there's a bug in the logic, that's fine and easily found and dealt with.

If I was a proper developer, working in languages I'm familiar and comfortable with it would be far, far less useful.

I did get two different contradictory answers neither of which worked for messing with a couple specific windows APIs in python ctypes in a trivial example, one looked close but I haven't picked up to see what was up. One was obviously wrong, the other didn't work but a quick glance at msdn showed it must have been bloody close!


Re: ChatGPT appears to getting glowing reviews

I was giving it straightforward tasks, and what I asked it to do were generally small parts, like a function that does _simple task x_ in lang _y_ that easily could have matched a near exact question on SO or github verbatim (except if you then ask it to switch to another language it seems to actually covert the syntax rather than scrape a native example, which I thought was cool).

But I found it quicker (albeit I imagine hugely wasteful in energy) than finding the same on SO or github.

And of course I'm glossing over the licensing of where this code came from being completely left out. Because that's truly unforgivable.

But I guess I'm wrong looking at the votes.


Re: Same with no code generators

Again I see a time and a place for this.

Some companies cannot access developers at all, and if no-code does reach that effective point, then that doesn't completely hang them out to dry.

Similarly working proof of concepts can be knocked out really easily, and having that can mean a better project specification, because the DB schema and basic application has already stood the test of time as a workable PoC.

But that time and place probably isn't "major projects"!


Re: ChatGPT appears to getting glowing reviews

Having used it, it's very impressive, and generated working code for me several times, broken code that needed fixing but was very close several times.

Even in technical circles is getting glowing reviews for some applications, with the recognition it is far from perfect.

Not saying it should be allowed on stack overflow, but either generated responses appearing in a warning window or edited by humans to form answers I genuinely could imagine working and getting faster answers if the processes appropriately allowed for it.

Woman fakes pregnancy to smuggle hundreds of CPUs, iPhones into China


Was going to say the same.

Why would I go out of my way to enforce a rule against my own citizens on behalf of the people that imposed it only to hurt me? Odd!

Maybe the fact you can't charge import duty? I dunno

Intel reveals pay-to-play Xeon features with software-defined silicon


Re: How? Why?

It was briefly covered here in another reg article when the code first popped up in Linux.

With the appropriate level of cynicism



Re: Risky

Otherwise procurement will be a mess.

"This model has this feature, this and that one is optional, this one works but a bit slow unless you upgrade here, and this feature will never be available on your model."

As if life wasn't complicated enough already.


Yep. Much as I don't mind not paying for what I'm not using. I'm obviously paying for it if you're shipping it to my door regardless and then making me pay again to use it.

It taking all the worst parts of cloud, all the worst parts of on prem, and mashing them into one hideous middle finger to the customer.

AMD has a wide open door to walk through here at least. Made massive inroads in desktops and consumer. Intel is just letting them take servers now.

France says non to Office 365 and Google Workspace in school


Re: Delighted!

Possible social responsible business plan: An insurance style pool of support contracts for educational premises. Where the premiums are the consideration

They get the consideration, and pay centrally for support contracts from the open source vendors themselves and have some on the road techs ideally in local hubs

Keeps cost down for schools, keeps money rolling to the open source houses that offer support contracts, and a pool of knowledge of wider open source rather than piecemeal solutions.

Hell they could even put courseware available for the kids to learn infrastructure, networking and coding skills.

Could it work?

Musk tells of risk of Twitter bankruptcy as tweeters trash brands


Ah yeah, because those middlemen such as PayPal are literally getting money for old rope and offering nothing productive to society..



Hold on a minute..

NSA urges orgs to use memory-safe programming languages


Re: Elaborate

Keyphrase seems to be "that I could identify".

Also "memory leaks" rather than "memory corruption".

If we could identify them all then we wouldn't have this issue and need memory safe languages, but alas, we do.

No necessarily for every context but they should be the default and deviating from that default justified.

Use of unsafe languages should be a code smell by default, not necessarily forbidden, but called out for the risk it is.


Re: No Go =====>

Alright, I'll bite, what's wrong with python in this context?

If Ruby is on the list, they are so bloody similar as to be nearly interchangeable.

Basecamp decamps from cloud: 'Renting computers is (mostly) a bad deal'


Re: It's not just the cloud

(you are not anon I'm afraid to say!)

But been there mate. Internally "things take up to three days!" , so when outsourcing the the SLA has to be 3 days. Suddenly outsourced EVERYTHING takes 3 days, so they manage expectations, meanwhile after 3 days tickets are closed for absolutely no reason so stats meet expectations.

It's so transparent - I don't get it.

Also something about this article triggered me, clearly!


Re: It's not just the cloud

Hadn't considered the time value of money, that's a good point.

Up votes to everyone who replied - thank you all!


Re: It's not just the cloud

OK, this makes sense.

Using more realistic figures (£12-15 a year opex vs 30 over 3 years capex) this sounds like the messed up thinking that maybe true.

I assumed having that £20 at the end of the year 1 didn't count against you, because it was spent on something with value. So you have an additional asset in your + column

And then after 3 years, even though you've written off against tax the whole upfront cost, unlike Opex, you aren't really left with nothing, you're left with servers that can continue to run your product for another 5-10 years. Blows my mind.

Feels backwards, like production lines getting rid of robots to replace them with people.


Re: It's not just the cloud

As a non-finance person I have no idea why opex is loved so much by beancounters no matter the cost. Can anyone ELI5?

I have googled several times, but clearly not well enough

Bias toward office staff will cost you: Your WFH crew could walk, say execs


Re: Same ol' blame shifting

Yep. Calling out your own shortcomings is admirable I think.

This is a person I'd want to work for. Not someone I want to criticise!

My way or the highway managers are those I steer well clear of, those that have nothing to learn from or about how you best work, because they know best.

Bitcoin energy consumption a feature, not a bug, says crypto-miner


Re: the exchanges have been the point of the largest fraud.

It really does.

Lottery, trust fund babies, being born in wealthy countries, premium bonds, good local schools, natural intelligence, having good parents

It's not what reality should be but anyone who tells you they got rich off hard work, and hard work alone is either a liar or delusional. Its all down to luck of the draw.

Linus Torvalds to kernel devs: Grow up and stop pulling all-nighters just before deadline


Re: Err

I'm with you on this to be honest. One week merge window and one week merge review window sounds like it put this to bed.

Loads of PostgreSQL systems are sitting on the internet without SSL encryption


I didn't think postgres even uses the system certificate bundle out of the box, and you had to specify on the client.

Likely I'm wrong though..


Re: Linode no longer allows access listing

Only by somebody on a direct path between you and the spoofed address. Otherwise you cannot set up the tcp handshake in practical terms.

For UDP, single packet traffic this works without being on that route, but not for practical TCP attacks nowadays.

VMware teases replacement for so-insecure-it-was-retired P2V migration tool


Re: Im surprised they are bothering with this...

It's a good take and you're right, but there is absolutely a consideration that you could pretty much drag and drop any vmware experienced engineer into to the team if they leave, but a specific in house solution, KVM or not, will mean fewer people to fill the role and more time to get up to speed for newcomers.

Don't say Pentium or Celeron anymore, it's just Processor now, says Intel


Re: Too much choice

How many of the current lines are just binning of higher end parts with cores or features removed or whatever as well, it would probably drive up prices as they overbuild for acceptable yields or scrap out of spec processors.

Merge shifts Ethereum to full proof-of-stake, price slumps


Re: Where did the 99% energy expense go...? (spoiler: still there)

Even if all went to gamers and they ran their computers 24/7 and ran them alongside existing rather than upgrading the energy consumption wouldn't be anywhere near as high, they don't run at the same load even in heavy use for gaming, let alone when idle. Not a 99% saving maybe short term, but still very significant.

And the demand for new GPUs drops so while the true saving may lag, it still exists.

The waste is unfortunate yeah, but doesn't seem a good reason to burn the carbon for the sake of it.

USB-C to hit 80Gbps under updated USB4 v. 2.0 spec


Re: Oh good

Is it even really a bus? I often wonder this.

I think of busses as something that can be passively expanded and devices will negotiate, like SPI for example. The requirement of active hubs to do that makes it feel to me that its not.

It's probably a misunderstanding on my end though...

W3C's planned transition to HTTPS stymied by legacy laggards


Re: appeal to incompetence

On the other hand though we're talking about HTTP redirect upgrades, so a MitM attacker can still just return what they want in place of said redirect, unless the libraries also support HSTS and its implemented correctly. Which considering the hassle getting them to support redirects and HTTPS at all seems unlikely in my cynical mind.

If consumers are willing to change all the external references to HTTPS they can presumably already do that.

Without one of those, this change causes issues without actually solving anything from what I can tell? Apologies if I'm missing something obvious.

Digital Ocean dumps Mailchimp after attack leaked customer email addresses


Re: Sounds familiar

I just replied for before seeing this, but yeah, this... Even AWS block SMTP outbound without making you jump through manual hoops. DO do not, but can nearly guarantee that whatever IP you get is already blacklisted..

I too assume they can't rely on it themselves.


Re: Sounds familiar

Never happened to me but I see loads of complaints about this on DO's forum, far too many to all be abusive users it looked

1,900 Signal users exposed: Twilio attacker 'explicitly' looked for certain numbers



Illegal seems overkill. Its preferable to single factor considering you mention mfa.

In these apps cases it's usually SMS being a single factor rather than a part of mfa is a big problem, but even then still better than Password1 for most users.

Perfect is the enemy of good and all that.

AMD has a lot riding on its 5nm Ryzen 7000 CPUs. And so here begins the hype


I thought I'd future proofed for a generation this time for my home desktop. Ah well. I'm not touching the limits yet anyway so would sit out this gen anyway. Glad to see AMD keeping it up, nice to see some genuine competition between the big players.

Despite the crazy price rises and shortages, it really does seem actual performance progress has been made in the consumer space for the first time in years last generation.

Weird Flex, but OK: Now you can officially turn these PCs, Macs into Chromebooks


Central MDM functions out of the box I imagine and also user management/permissions through a central portal - nothing that can't be done in Linux, but requires much more forethought and hoops to jump through.

I've only seen the education one, but imagine enterprise is similar - it really is very good and pretty simple