* Posts by sten2012

193 publicly visible posts • joined 13 Oct 2021


UK telco TalkTalk confirms probe into alleged data grab underway

sten2012

Re: Maths

So what though? If TalkTalk weren't so bottom barrel then this data wouldn't have been leaked yet again.

Ultimately, investing an absolute bare minimum amount in actually securing data should be cheaper than not doing so. If failing to do so means you have to push prices higher than the competition to cover fines - I'd call that the system working as intended.

TalkTalk going out of business: shame for many of the employees, but the overall market size doesn't shrink, so hopefully most could find jobs at those competitors that take their share and do give a crap about complying with laws.

This idea that fines are cheaper than complying with laws is a major reason this country is in the toilet (or at least swimming in sewage).

sten2012

Re: Further east now...

> And no this is not a TalkTalk router

Well I can pretty much guarantee TalkTalk don't support third party routers, so a significant portion of the blame falls on your client for blindly following their rules on their own hardware.

Whenever reaching out to support for these crappy consumer level services (even when they offer "business" contracts) the golden rule is to grab their dusty hardware out of the cupboard and connect that, so you can go through their inevitably failing checklist until they can no longer deny the problem is their end.

Infosec experts divided on AI's potential to assist red teams

sten2012

Re: Additional Tool - Not A Replacement

Hard agree here.

Huge delta between dumping all client data into an online API while having automated agents exploiting client systems and that critical headline keyword "assist".

I think you'd be hard pressed to find a pentester or red teamer who hasn't been "assisted" by AI in some capacity at some point by now. Just with mostly appropriate care.

How often are red teams in court anyway? Christ you've screwed up if you're in court, and AI probably wasn't your problem.

I'd be interested to hear experiences from anyone in forensics who might be expected to appear in court though, when doing the job right.

Guide for the perplexed – Google is no longer the best search engine

sten2012

Re: Perplexity just another stochastic plagiarist

For the whole of 1978?! Quite the achievement!

Latest in WordPress war: Automattic says it wanted 8% cut of WP Engine revenue

sten2012

Re: Disheartening

No horse in this race generally but:

"They encourage their engineers to work on open source project in their own time"

How generous of them!

That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking of devices

sten2012

Re: Full disclosure has been released - it's cups-browsed, link in body.

It's a remote code execution with no authentication. Definitely a 9.9

CVSS base score doesn't care how widespread software is.

Heartbleed was serious and widespread but an information disclosure that in and of itself doesn't offer RCE.

A lot of people here are confused about the scope and utilisation of CVSS base scores.

But yes. There was much hype, over a serious but not completely ubiquitous issue.

Alibaba Cloud waiting for hardware to dry out before trying to restore customer data

sten2012

Re: water from above?

I think I'm personally more surprised by the fact this equipment actually gets reused after such an event.

On the one hand why bin it, but on the other no manufacturer will uphold the warranty, and how much can you trust its long-term longevity or really be certain what you're plugging in is safe?

Maybe I'm just not understanding what "equipment" they're talking about in this context. The statement and article both sound a little vague there, and clearly I've never really worked in datacentre operations, but is this standard procedure for recovery in such an event?

Post-CrowdStrike catastrophe, Microsoft figures moving antivirus out of Windows kernel mode is a good idea

sten2012

Re: How will AVs function without being in the kernel

To be fair, malware in the kernel is already a problem that AV can't fix, so it's not that much of a change there. We're already relying on it being caught before the point of being able to load drivers, or on kernel bug check kicking in if it tries doing too much kernel sneakiness for too long and just so happens to be detected.

Hooking techniques can already be bypassed in userland, etc.

I do wonder if the change can look more like a virtualization-based security extension rather than the AMSI style userland approach though.

Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy

sten2012

Re: Misinformation - Sweet Talking Citizens - While Doing Nothing......

(2) "massive teeth like GDPR"

Equifax sprung to mind here for me when reading it. The threat of massive fines was somewhat effective at forcing compliance in advance in many many companies. Sunk costs mean many boards are still carrying on with complying. But the lack of follow through means that "trick" will never be effective again for new legislation.

Equifax are the worst. They should have been nailed to the wall seeing as modern society forces you to have your data held by these agencies.

The port of the Windows 95 Start Menu was not all it seemed

sten2012

Re: Once upon a time in a distant land...

Also I think (as a layman not close to being able to call myself a developer) that if test driven development was in mind from the beginning, if you missed tests (or found bugs) at least the test cases are mostly already available and the application architecture already in good stead for solid regression tests coming down the line.

That's a major bonus in itself I'd say.

Big Tech's eventual response to my LLM-crasher bug report was dire

sten2012

Re: Your bug report was clearly an undeserved and unappreciated courtesy...

I disagree with this. I do see a place for responsible disclosure.

But if nobody is fixing it or acknowledging it's a vulnerability then there is no vulnerability to be responsible about - in which case public disclosure is fine.

If it truly is an actual vulnerability and not just an inert bug and vendors are denying this despite good faith efforts then public disclosure becomes the responsible course of action so people can make an informed decision as to whether to use the software. If so vendors become committed to fixing.

This story seems to fall into one of the above. Publishing is either OK, or publishing is required.

VMware license changes mean bare metal can make a comeback through 'devirtualization', says Gartner

sten2012

Not to mention, other hypervisors that are properly open exist too. And are thoroughly proven to be production ready (perhaps unlike when initial decisions for VMware platforms were made which momentum kept rolling for upgrades).

Can't just be me thinking I'd be avoiding any closed platform that can be acquired or squeezed for something so critical to the business after everything that's happened.

Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials

sten2012

Still though. Unless they used those credentials I can't see how unauthorised access to a computer system occurred.

Maybe some kind of fraud, copyright theft on the captive portal page maybe, and a breach of terms presumably as they were probably funneling victim traffic through the actual WiFi.

But I don't see the unauthorised access in these particular cases until the credentials are tested on something else.

I'd argue all the people above using fake emails to access a WiFi provider are closer to breaching that particular law.

Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk

sten2012

Re: Fail2ban helps timeline?

I'm not sure if a timed out login attempt would be flagged by fail2ban as a "failed" login per se and therefore might not be blocked. So might need some config tweaking to recognise it (or at least verifying) before relying on it.

Sorry, I haven't checked so probably should shut up, but wanted to comment in case someone sees your question and decides fail2ban is "probably good enough"!

Apple tells emulator developers it's OK with retro games – not entire OSes

sten2012

> UTM SE was also rejected from certification for third-party app stores in the EU, the developer said, based on section 2.5.2 because section 4.7 only applies to apps published in Apple's App Store.

Sorry. I've had a few. My reading comprehension is suffering.

Why do arbitrary Apple rules for apps in their own legally determined to be monopolistic app stores apply to third party app stores they have been forced to provide? In fact, more stringent ones?

I'm ok with popping a big "potential malware" warning. "We can't deterministically prove what this app will do". But how can it be banned?

Mozilla defies Kremlin, restores banned Firefox add-ons in Russia

sten2012

Re: This is Russia.

That VPN isn't a browser plugin though..

UK's National Cyber Security Centre entry code cracks up critics

sten2012

It could prompt you with a small display and rotate through numbers though and achieve the same.

1212, 3434. Kind of like self cleaning. But without the self... mandatory use-based cleaning.

Musk 'texts' Nadella about Windows 11's demands for a Microsoft account

sten2012

And I stumbled here directly after clicking through a twitter link that used to be public to view but now requires an account.

You're not imagining things – USB memory sticks are getting worse

sten2012

Re: Simple solution?

Having dealt with Currys in the past it's one high street retailer I'll actually celebrate going under.

Frankly, I'd rather support Amazon.

I don't know what they're like these days but they've screwed me enough times I don't intend to find out.

Broadcom ditches VMware Cloud Service Providers

sten2012

Re: I do not get the business rationale

I agree. Even if you really don't want the hassle of dealing with smaller customers, surely you partner with a large reseller and support shop or two you deal with in large concentrations and funnel them off to there?

Customer prices go up and you're splitting some of the profit, but it's better than this, surely?

Even at no profit at Broadcom's end (which obviously wouldn't be the case), it would keep people using VMware, keep the skills market from drying up, prevent investment pouring into your competition when everyone jumps ship, and keep you viable with the big customers you're trying to keep.

sten2012

Re: The End

Also you can't just ask all your customers to convert VMs to containers overnight as a cloud provider. And even if you could - secure multi-tenancy is bloody hard, so you still need that virtualization as you mentioned to split clusters up between customers.

Although - it's got me thinking - can you run a cluster with firecracker VMs as nodes: forming clusters of clusters? I'm about to do some looking into that. (Imagine DNS of the children would be a nightmare if it's possible?!)

Ransomware payment ban: Wrong idea at the wrong time

sten2012

Re: Hospitals

*Emailing someone an EXE file isn't a sophisticated attack.*

Bloody hell. Nobody should be letting that through. Step one of managing email.

It does get nuanced. This is not one of those cases.

Edit to say: this isn't cutting edge developments in network security either. Or expensive gear to filter and block. 9 years ago it was still the norm.

Here's who thinks AI chatbots will eventually be smart enough to be your coworker

sten2012

Re: Things AI will never be able to do

I absolutely don't believe the last one.

And in fact said boss could probably then be convinced by the AI to do the others:

"Honeyboss, I notice you are 15% more efficient at your management duties when you have your omega 3. Run out and get a kipper, oh and I think there are no plates clean so grab the cup from cubicle 6 on your way through and microwave it in that. There's a parking spot on bay 7 closer to the building - that should save you time"

Hershey phishes! Crooks snarf chocolate lovers' creds

sten2012

Re: dafuq

Is this employee data or what?

Why health, for example? If it's customers:

A) why would anyone choose to supply it?

B) under what premise was it collected?

C) why would they possibly want to collect it? They know the answer already, and collecting it is just removing any deniability for "they knowingly sold unhealthy food" lawsuits in future.

HP exec says quiet part out loud when it comes to locking in print customers

sten2012

Re: I rather like HP printers and Instant Ink

Pretty sure I'm paying more per page because I only use the printer a few times a year and it's always needing new ink because of the lack of use. So maybe print 30 pages a year, but that means going through maybe 3 ink carts a year at 20 odd quid each.

The way you describe it sounds like a good deal for me too to be completely honest, even though I find the idea abhorrent.

British Library begins contacting customers as Rhysida leaks data dump

sten2012

I probably should have quoted more, but it wasn't all released. With the vague implication being 10% had been sold.

I guess maybe they list separately credentials via access brokers and any card information via carding sites if it doesn't sell, but 10% sounds a LOT for just those. But I guess I'm mostly just curious what the 10% being withheld is, and why, and if paid for - by whom and for what purpose. Questions I can never find out the answer to!

sten2012

From the previous article on this topic:

> The criminals said there will be only one single-party winner that will be the sole recipient of the stolen data.

That to me strongly says the data won't be broken up. It's bought, or not.

Yet now:

> "Not-sold data was uploaded, data hunters, enjoy."

While I don't trust ransomware operators, obviously, their word is quite important to their business model. Under wild speculation here - was a ransom partially paid so it never ended up under auction?

Or was it just a lie?

Meta sued by privacy group over pay up or click OK model

sten2012

Re: I may be wrong but...

I left over a decade ago, right when you could tag friends in photos without their consent.

It was creepy in so many ways on FB's I could never and still can't see past it. The day business expected and okayed acquaintances to upload and tag PII about you rather than yourself. While they let you delete data when you leave (ostensibly) you know that facial recognition model isn't being reset every day. And suspect none of the data itself was either.

Tata Consultancy Services ordered to cough up $210M in code theft trial

sten2012

Possibly, but getting CC'd in with the evidence probably didn't happen too often!

OpenAI meltdown: How could Microsoft have let this happen after betting so many billions?

sten2012

Re: Or...

RecursionError: maximum recursion depth exceeded

CompSci academic thought tech support was useless – until he needed it

sten2012

Re: "supposed expert who turned out to be anything but"

Proxies are still pretty widely used. I'm not talking about web server configuration here but the original poster's "dev having their system proxy set to localhost".

I'm not a dev (maybe I fall into the etc category though) and I use the previously listed all day, most days.

Maybe a better example devs would be more familiar with is Telerik Fiddler. A local intercepting proxy.

But - that's truly a brilliant story nonetheless. I thank you for it.

sten2012

Re: "supposed expert who turned out to be anything but"

Local proxies have loads of uses on web development adjacent work. And I can see why you wouldn't find it if you were looking for web server software instead.

Burp and ZAP for example - I'm from the security world so they're the big two I can name off hand, but they're handy tools for debugging too (though I suspect devs can name better examples for that space).

Also in this example both are Java-based so don't have to be "installed" per se.

I can definitely see how that could have occurred. Particularly if they didn't really understand exactly what they were doing.

Look ma, no fans: Mini PC boasts slimline solid-state active cooling system

sten2012

Re: No moving parts

Same point maybe, if not closely related. Maybe not this device specifically (as they aren't marketing that way), but solid state cooling is great for industrial computing in dirty environments where fans are particularly prone to gunk, drawing in dust and seizing.

Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets

sten2012

Even if they did, most companies lean so heavily on consultancies for pentesting specifically (seemingly contrary to other information assurance roles) that I don't see how that can ever scale in this market. The retainer doesn't seem practical in the UK at least (can't speak of the US market) to really, honestly work that way. It's a nice ideal. But unlike development and operations the resources were never sufficiently staffed internally in the first place - friction and handover aren't the fundamental underlying issue here.

That's without firing anyone, even in the best case scenarios.

Possibly that's why the evangelists get so rabid though?

But yes, I completely agree with you. Ignore if you weren't looking for a response.

sten2012

Oh. Sorry. Too late to edit but I guess my rant isn't over:

DevSecOps hardcore evangelists who think all security testing should be fully automated vulnscans and audit tools to sit in the pipelines - so kick off about any manual pentesting against their precious clusters despite the aforementioned issues.

And - and - and the same types being shocked and surprised that manual white box testing on Kubernetes is actually longer and more complicated to set up and perform than the equivalent application running on a VM (where you'd check mainly the app and OS) somewhere, because of all these additional abstraction layers.

Now rant is over, I promise.

sten2012

I would say they all point to a different issue: Kubernetes being an overly customisable mishmash of various huge technologies with very little guidance on how to do it right and too much attack surface to be reliably pentested. On top of all this, not much thought/protection is given to how different settings and configurations interact.

So many vulnerabilities seem to revolve around "this setting with that container runtime" or "this setting with that specific proxy choice", but nobody knows until someone manages to put in some serious research against that specific configuration.

End rant - despite this I don't hate k8s, but it does seem a recurring theme to me.

D-Link clears up 'exaggerations' around data breach

sten2012

Well this is weird - I'm now trying to work out which I trust least, the black hats flogging the data, or a budget tier (or frankly, any) manufacturer to be honest about a breach.

No it's a tie.

The only thing they agree on was a breach. So my only conclusion can be - there was no breach? No. Not that either.

Hmm. Mystery.

Go ahead, let the unknowable security risks of Windows Copilot onto your PC fleet

sten2012

Re: Bring your own device?

So glad someone pointed this out.

Copilot on enterprise devices may be a concern. But the BYOD scenario presented was already a horror story so much worse that copilot doesn't move the needle.

Amazon 'protects' against junk AI e-books by limiting author-bots to three a day

sten2012

"illegal NSFW acts"

Is it just me curious about which illegal acts are SFW?

Microsoft worker accidentally exposes 38TB of sensitive data in GitHub blunder

sten2012

The "whoopsie daisy, no harm done" response leaves a lot to be desired from a large company. Let alone one that goes out of their way to force me to share data from operating systems coming preinstalled and several monopolies.

If they didn't own GitHub I bet they'd be trying to fingerpoint over there, but whoopsie daisy again. Bought their own scapegoat.

Apple's iPhone 12 woes spread as Belgium, Germany, Netherlands weigh in

sten2012

Re: TLDR; phantom issue

> Since there aren't actually any operators licensed in that band

What about unlicensed? If we define that range to be dangerous, then someone not holding the device shouldn't be able to coerce the phone into behaving that way through malicious equipment either.*

I'd still say it's valid if not necessarily a widespread issue.

Though personally I also think the hardware should be preventing transmission over these dangerous (albeit arbitrary and probably very safe..) thresholds too for similar reasons and potential buggy states never seen in a lab test. Back in the day I had it drummed into my head that you can't (not shouldn't, can't) have software safety interlock systems in the first place.

*Although if you wanted to choose someone with "unsafe" levels of radiation, your malicious radiation emitter is probably a quicker and easier place to exploit this than transmitting low levels and expecting the victim's phone to do it for you..

Also I keep putting dangerous and unsafe in quotes as if I know what levels are safe and that regulations are extremely conservative. That's an assumption on my part and I've never checked.

Ex-Twitter employees pull Musk back to money table over missing severance

sten2012

Re: It would appear that…

What an outrageously deceitful comment.

You can be strong and poor and found guilty and punished too.

Amazon Linux 2023 virtual machine images still MIA

sten2012

Thanks for this. My example was purely and only anecdotal but the only experience I have. If there's been studies I'd be keen to get any names or papers. I'm glad my experience was an outlier.

Edit: also I wouldn't notice when it's faster. The only time I pay attention is the occasion when I'm falling behind - so when Debian patches first it's not something I'd notice or worry about. When I start getting flagged for vulns and have no route to patch - then I'm paying attention.

Wordpress sells 100-year domain, hosting plan for $38K

sten2012

Re: You might be better putting the money elsewhere

Too late to edit. Looks like I maxed out the online calculator there. Looks like it's about 7.5%..

sten2012

Re: You might be better putting the money elsewhere

I was going to say similar. $25 a year hosting at very recent history 10% inflation rate. Extrapolated to 2123. About $38000/yr.

So.. assuming it lasts that long (lol).

100 years for the price of 1! Bloody bargain.

It's official: EU probing bundling of Teams with Microsoft 365

sten2012

If unbundling O365, why is Teams special over, say, Excel and Word? Is it purely that it's new software and the others are long-standing?

I can see the argument that it's ostensibly "Office productivity software" so if others can be bundled, why specifically not Teams?

Not saying I like it - just don't get the difference, as someone with a personal requirement for only Word outside of work and having to subscribe to the whole suite.
