Posts by sten2012

174 publicly visible posts • joined 13 Oct 2021

UK's National Cyber Security Centre entry code cracks up critics

sten2012

It could prompt you with a small display and rotate through numbers though and achieve the same.

1212, 3434. Kind of like self cleaning. But without the self.. mandatory use-based cleaning.

Musk 'texts' Nadella about Windows 11's demands for a Microsoft account

sten2012

And I stumbled here directly after clicking through a twitter link that used to be public to view but now requires an account.

You're not imagining things – USB memory sticks are getting worse

sten2012

Re: Simple solution?

Having dealt with Currys in the past it's one high street retailer I'll actually celebrate going under.

Frankly, I'd rather support Amazon.

I don't know what they're like these days but they've screwed me enough times I don't intend to find out.

Broadcom ditches VMware Cloud Service Providers

sten2012

Re: I do not get the business rationale

I agree. Even if you really don't want the hassle of dealing with smaller customers, surely you partner with a large reseller and support shop or two you deal with in large concentrations and funnel them off to there?

Customer prices go up and you're splitting some of the profit, but it's better than this, surely?

Even at no profit broadcom's end (which obviously wouldn't be the case), it would keep people using VMware, for the skills market to not dry up, and prevent investment pouring into your competition when everyone jumps ship and keep you viable in the big customers you're trying to keep.

sten2012

Re: The End

Also you can't just ask all your customers to convert VMs to containers overnight as a cloud provider. And even if you could - secure multi-tenancy is bloody hard, so you still need that virtualization as you mentioned to split clusters up between customers.

Although - it's got me thinking - can you run a cluster with firecracker VMs as nodes: forming clusters of clusters? I'm about to do some looking into that. (Imagine DNS of the children would be a nightmare if it's possible?!)

Ransomware payment ban: Wrong idea at the wrong time

sten2012

Re: Hospitals

*Emailing someone an EXE file isn't a sophisticated attack.*

Bloody hell. Nobody should be letting that through. Step one of managing email.

It does get nuanced. This is not one of those cases.

Edit to say: this isn't cutting edge developments in network security either. Or expensive gear to filter and block. 9 years ago it was still the norm.

Here's who thinks AI chatbots will eventually be smart enough to be your coworker

sten2012

Re: Things AI will never be able to do

I absolutely don't believe the last one.

And in fact said boss could probably then be convinced by the AI to do the others:

"Honeyboss, I notice you are 15% more efficient at your management duties when you have your omega 3. Run out and get a kipper, oh and I think there are no plates clean so grab the cup from cubicle 6 on your way through and microwave it in that. There's a parking spot on bay 7 closer to the building - that should save you time"

Hershey phishes! Crooks snarf chocolate lovers' creds

sten2012

Re: dafuq

Is this employee data or what?

Why health, for example? If it's customers:

A) why would anyone choose to supply it?

B) under what premise was it collected?

C) why would they possibly want to collect it? They know the answer already, and collecting it is just removing any deniability for "they knowingly sold unhealthy food" lawsuits in future.

HP exec says quiet part out loud when it comes to locking in print customers

sten2012

Re: I rather like HP printers and Instant Ink

Pretty sure I'm paying more per page because I only use the printer a few times a year and it's always needing new ink because of the lack of use. So maybe print 30 pages a year, but that means going through maybe 3 ink carts a year at 20 odd quid each.

The way you describe it sounds like a good deal for me too to be completely honest, even though I find the idea abhorrent.

British Library begins contacting customers as Rhysida leaks data dump

sten2012

I probably should have quoted more, but it wasn't all released. With the vague implication being 10% had been sold.

I guess maybe they list separately credentials via access brokers and any card information via carding sites if it doesn't sell, but 10% sounds a LOT for just those. But I guess I'm mostly just curious what the 10% being withheld is, and why, and if paid for - by whom and for what purpose. Questions I can never find out the answer to!

sten2012

From the previous article on this topic:

> The criminals said there will be only one single-party winner that will be the sole recipient of the stolen data.

That to me strongly says the data won't be broken up. It's bought, or not.

Yet now:

> "Not-sold data was uploaded, data hunters, enjoy."

While I don't trust ransomware operators, obviously, their word is quite important to their business model. Under wild speculation here - was a ransom partially paid so it never ended up under auction?

Or was it just a lie?

Meta sued by privacy group over pay up or click OK model

sten2012

Re: I may be wrong but...

I left over a decade ago, right when you could tag friends in photos without their consent.

It was creepy in so many ways on FB's part that I could never and still can't see past it. The day business expected and okayed acquaintances to upload and tag PII about you rather than yourself. While they let you delete data when you leave (ostensibly) you know that facial recognition model isn't being reset every day. And suspect none of the data itself was either.

Tata Consultancy Services ordered to cough up $210M in code theft trial

sten2012

Possibly, but getting CC'd in with the evidence probably didn't happen too often!

OpenAI meltdown: How could Microsoft have let this happen after betting so many billions?

sten2012

Re: Or...

RecursionError: maximum recursion depth exceeded

CompSci academic thought tech support was useless – until he needed it

sten2012

Re: "supposed expert who turned out to be anything but"

Proxies are still pretty widely used. I'm not talking about web server configuration here but the original poster's "dev having their system proxy set to localhost".

I'm not a dev (maybe I fall into the etc category though) and I use the previously listed all day, most days.

Maybe a better example devs would be more familiar with is Telerik Fiddler. A local intercepting proxy.

But - that's truly a brilliant story nonetheless. I thank you for it.

sten2012

Re: "supposed expert who turned out to be anything but"

Local proxies have loads of uses on web development adjacent work. And I can see why you wouldn't find it if you were looking for web server software instead.

Burp and ZAP for example - I'm from the security world so they're the big two I can name off hand but they're handy tools for debugging too (though I suspect devs can name better examples for that space).

Also in this example both are Java-based so don't have to be "installed" per se.

I can definitely see how that could have occurred. Particularly if they didn't really understand exactly what they were doing.

Look ma, no fans: Mini PC boasts slimline solid-state active cooling system

sten2012

Re: No moving parts

Same point maybe, if not closely related. Maybe not this device specifically (as they aren't marketing that way), but solid state cooling is great for industrial computing in dirty environments where fans are particularly prone to gunk, drawing in dust and seizing.

Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets

sten2012

Even if they did, most companies lean so heavily on consultancies for pentesting specifically (seemingly contrary to other information assurance roles) that I don't see how that can ever scale in this market. The retainer doesn't seem practical in the UK at least (can't speak of US market) to really, honestly work that way. It's a nice ideal. But unlike development and operations the resources were never sufficiently staffed internally in the first place - friction and handover aren't the fundamental underlying issue here.

That's without firing anyone, even in the best case scenarios.

Possibly that's why the evangelists get so rabid though?

But yes, I completely agree with you. Ignore if you weren't looking for a response.

sten2012

Oh. Sorry. Too late to edit but I guess my rant isn't over:

Devsecops hardcore evangelists who think all security testing should be fully automated vulnscans and audit tools to sit in the pipelines - so kick off about any manual pentesting against their precious clusters despite the aforementioned issues.

And - and - and the same types being shocked and surprised that manual white box testing on kubernetes is actually longer and more complicated to set up and perform than the equivalent application running on a VM (where you'd check mainly the app and OS) somewhere because of all these additional abstraction layers.

Now rant is over, I promise.

sten2012

I would say they all point to a different issue: kubernetes being an overly customisable mishmash of various huge technologies with very little guidance on how to do it right and too much attack surface to be reliably pentested. On top of all this not much thought/protections given on how different settings and configurations interact.

So many vulnerabilities seem to revolve around "this setting with that container runtime" or "this setting with that specific proxy choice", but nobody knows until someone manages to put in some serious research against that specific configuration.

End rant - despite this I don't hate k8s, but it does seem a recurring theme to me.

D-Link clears up 'exaggerations' around data breach

sten2012

Well this is weird - I'm now trying to work out which I trust least, the black hats flogging the data, or a budget tier (or frankly, any) manufacturer to be honest about a breach.

No it's a tie.

The only thing they agree on was a breach. So my only conclusion can be - there was no breach? No. Not that either.

Hmm. Mystery.

Go ahead, let the unknowable security risks of Windows Copilot onto your PC fleet

sten2012

Re: Bring your own device?

So glad someone pointed this out.

Copilot on enterprise devices may be a concern. But the BYOD scenario presented was already a horror story so much worse that copilot doesn't move the needle.

Amazon 'protects' against junk AI e-books by limiting author-bots to three a day

sten2012

"illegal NSFW acts"

Is it just me curious about which illegal acts are SFW?

Microsoft worker accidentally exposes 38TB of sensitive data in GitHub blunder

sten2012

The "whoopsie daisy, no harm done" response leaves a lot to be desired from a large company. Let alone one that goes out of their way to force me to share data from operating systems coming preinstalled and several monopolies.

If they didn't own GitHub I bet they'd be trying to fingerpoint over there, but whoopsie daisy again. Bought their own scapegoat.

Apple's iPhone 12 woes spread as Belgium, Germany, Netherlands weigh in

sten2012

Re: TLDR; phantom issue

> Since there aren't actually any operators licensed in that band

What about unlicensed? If we define that range to be dangerous, then someone not holding the device shouldn't be able to coerce the phone into behaving that way through malicious equipment either.*

I'd still say it's valid if not necessarily a widespread issue.

Though personally I also think the hardware should be preventing transmission over these dangerous (albeit arbitrary and probably very safe..) thresholds too for similar reasons and potential buggy states never seen in a lab test. Back in the day I had it drummed into my head that you can't (not shouldn't, can't) have software safety interlock systems in the first place.

*Although if you wanted to choose someone with "unsafe" levels of radiation your malicious radiation emitter is probably a quicker and easier place to exploit this than transmitting low levels and expecting the victim's phone to do it for you..

Also I keep putting dangerous and unsafe in quotes as if I know what levels are safe and that regulations are extremely conservative. That's an assumption on my part and I've never checked.

Ex-Twitter employees pull Musk back to money table over missing severance

sten2012

Re: It would appear that…

What an outrageously deceitful comment.

You can be strong and poor and found guilty and punished too.

Amazon Linux 2023 virtual machine images still MIA

sten2012

Thanks for this. My example was purely and only anecdotal but the only experience I have. If there's been studies I'd be keen to get any names or papers. I'm glad my experience was an outlier.

Edit: also I wouldn't notice when it's faster. The only time I pay attention is the occasion when I'm falling behind - so when Debian patches first it's not something I'd notice or worry about. When I start getting flagged for vulns and have no route to patch - then I'm paying attention.

sten2012

I've seen critical vulns that have taken Debian multiple weeks to patch into widely used daemons in Stable that Red Hat turned around immediately. So I see why enterprises are reluctant, at least it's why I would be.

No idea how Amazon Linux did in terms of time but if you're asking why enterprise users are reluctant then that might be one such reason.

If you're asking why Amazon engineers are making a proprietary Linux rather than contributing to Debian then sorry. I'm not sure.

sten2012

> "The fact that it doesn't (for instance) work with upstream RHEL/CentOS repositories like EPEL is really what dooms it, because who the hell wants to sit around building RPMs in the year of our lord 2023?"

A while back I'd have called that a disadvantage too but not any more. Anything that creates or even appears to be a dependency on RHEL upstreams for functionality is now a reason to avoid. Binary compatible with an upstream I can't rely on unless I'm a RHEL customer - and then I might as well just use RHEL.

OK EPEL isn't quite the same thing but may succumb to the same fate as CentOS and at this point in my view all benefits of ABI compatibility are already gone.

Wordpress sells 100-year domain, hosting plan for $38K

sten2012

Re: You might be better putting the money elsewhere

Too late to edit. Looks like I maxed out the online calculator there. Looks like it's about 7.5%..

sten2012

Re: You might be better putting the money elsewhere

I was going to say similar. $25 a year hosting at very recent history 10% inflation rate. Extrapolated to 2123. About $38000/yr.

So.. assuming it lasts that long (lol).

100 years for the price of 1! Bloody bargain.

It's official: EU probing bundling of Teams with Microsoft 365

sten2012

If unbundling O365, why is Teams special over, say, Excel and Word? Is it purely that it's new software and the others are long-standing?

I can see the argument that it's ostensibly "Office productivity software" so if others can be bundled, why specifically not Teams?

Not saying I like it-just don't get the difference as someone with a personal requirement for only Word outside of work and having to subscribe to the whole suite.

Tor turns to proof-of-work puzzles to defend onion network from DDoS attacks

sten2012

Bit legally dubious though, some clients may be coming from territories where mining is illegal - and yet you're forcing them to participate. Also I tend to leave browsers on while not actively using the site which is problematic for JavaScript miners. Assuming you're talking about the more malware-y ones I'm picturing - as opposed to "n challenges completed then halt". In which case just using a single page app with any JavaScript CSRF for API endpoints is practically as effective as anti-automation?

Also recaptcha isn't completely wasted effort either with its AI training applications unlike some captcha mechanisms. But it's a shame that's not really for the wider good.

I liked the disaster response captcha idea that floated for a while but never saw it used, or even if it was used to train public rather than proprietary models would be better.

Alarm raised over Mozilla VPN: Wonky authorization check lets users cause havoc

sten2012

I think these blatantly false assertions probably shine a light on what is clearly the same AC's comments above about how those meetings with academics went and the difficulty in communicating with them.

There are some major knowledge gaps present here along with the guarantees that they've actually done this. This would be huge news if encryption was this broken.

All I can say is I look forward to their tutorial posts on how to decrypt TLS from a passive sniffing position because it would make my pentesting a million times easier.

"I'm probably thinking of SSLStrip" though. *eye roll*

Having said this, while importing a CA certificate is by far the most common method of intercepting TLS for testing, it is possible to start browsers with configurations and flags to dump the secrets and have Wireshark read it:

https://wiki.wireshark.org/TLS

But I've only used that a few times because what you suggest is practically always the better approach for testing. But it's not quite, say, the only option if you have that kind of privileged access.

All I can think though: What they do say does kind of tally with WPA1/2 (no idea for 3 personally) where you know the preshared key though and still need to have captured the handshake to passively decrypt from that position, so I wonder if it's overconfidence and confusion with that rather than intentional outright lies?

sten2012

> You can also test this out by taking the SHA256 of an image that upload somewhere...then download it again via a browser, SHA256 it again and you'll see that sometimes they don't match. I'm pretty sure this is just compression to save them precious bandwidth on their creaking network...but there is nothing stopping them using this sort of thing for more sinister reasons.

You're saying a VPN fixes this? Because I don't believe it. The service at the other end may be compressing but I do not believe the ISP is.

> Remember, HTTPS is only effective if the listener on the wire doesn't have the HTTPS handshake with all the associated keys...your ISP can see everything, so it's relatively trivial for them to capture handshakes and decrypt your traffic, fuck with it, then re-encrypt it...tools for this sort of thing have existed for aaaaaaages...hell you can do it with Wireshark

Same point here I think, what? The CA may have the keys, where an ISP offers CA services. Or they may generate certs or have wildcard ones if they have CA privileges. But neither of these are transparent. Just warningless. So it would be seen eventually and the CA privileges swiftly revoked. People do monitor for this.

If they aren't a CA, or hosting the destination servers, why would they have the keys just from watching the wire? Back in AOL days, maybe. When you had to install their software but not any more. But sniffing the wire isn't enough.

sten2012

I would like to take your "ISP being able to look at network traffic on the wire" and raise you "installing software on your machine to ensure we keep that wire private". Oh. And pay me extra for the privilege. Thanks!

Insanity.

I don't trust my ISP. But these often tiny "trusted internet access" VPN providers I trust even less and expect actually more privileged access to your data because people usually want to deliver a shiny UI instead of a VPN profile. Insane. Oh. And their boxes need internet access too. Soooo more ISPs in the loop, just ones you can't choose. But often whacked in a cheap data center, where they buy a box of some IaaS but don't control a massive amount of networking they pump your traffic through.

The only privacy plus is aggregation. IF you trust them.

Behold, Incus: Check out this fork of Canonical's LXD 'containervisor'

sten2012

Re: Why LXD instead of Docker?

> Docker is slowly dying, replaced by K8s and purpose-built and most saliently daemonless lightweight container systems to run under K8s such as CRIO and Podman.

What I mainly see in my very limited worldview is docker used for local development. The resulting images or dockerfiles end up being deployed/built on these alternatives (K8S under whatever container runtime) in the dev/test/prod environments and being "basically perfectly compatible". Not sure if that's standard, but it's very much alive in my circles - just not used for running in production, production-like, or shared environments (and even before those environments were docker under K8S in those environments).

Does that seem a fair/accurate view of the state of things elsewhere or am I blinkered?

Neither here nor there, but in personal projects I still like to use docker compose and sometimes a subset I'll port to k8s as a final step if it's something I'd like to keep running long term. But compose is so quick/simple to get running in comparison and so much more enjoyable to use in my view.

sten2012

Re: Why LXD instead of Docker?

Thanks, makes complete sense, please don't take my confusion and own complete lack of research as any way critical of the article.

sten2012

Re: Why LXD instead of Docker?

I've run multiple processes under docker. It's not recommended but definitely possible.

So.. also unsure

Two US Navy sailors charged with giving Chinese spies secret military info

sten2012

Re: the US are such hypocrites

> the desire and act of espionage is as old as humanity, and just as deeply ingrained.

The further back these traditions go, and the deeper into human nature they reach often correlates with how immoral they probably are.

People are crap. Will always probably be crap. But we should and usually do aim to be less crap than we used to be.

s/crap/phraseofchoice/g

AlmaLinux project climbs down from being a one-to-one RHEL clone

sten2012

Re: Open and Shut

If RH/IBM say it's okay and most importantly the FSF don't say it isn't okay - then who are we to argue?

BUT I certainly don't subscribe to Liam's "well they're rich and have lots of lawyers and say it's legal so obviously it's legal" point either though. The Reg is littered with articles of lawyers for huge corporations being wrong, losing fights against other huge corporations and even just outright committing crimes and facing prosecution.

sten2012

Re: I would love for FreeBSD to seize the opportunity

> central package repository which is actually kept up-to-date with upstream versions

My downvote (sorry) mirrors the other comment. But to add - it doesn't suit enterprise exactly because it mirrors the upstream so closely. In my opinion. Then your compatibility and updates are affected by people all pulling in different directions for features vs stability.

What I hear when you say that might be wrong, but I hear "rolling distro". And as someone who uses a rolling distro - it's the bane of my life. If that's the model even if BSD is stable now as rolling, once development ramps up and people migrate over it wouldn't and couldn't avoid the same issues.

Google toys with internet air-gap for some staff PCs

sten2012

Re: Internet for reference purposes.

That's more or less the Qubes model in a nutshell

Intel pulls plug on mini-PC NUCs

sten2012

Re: Small Edge compute clusters are ideal fodder for ARM already

Let's say I'm looking for this (spoiler alert: I am) what is there, specifically better than the Pi but affordable? When I look as an individual the options for decent performance are awful. I've looked a few times before without luck but you're describing what I'm looking for.

Right now even a single node cluster K8S is a non-negligible portion of the NUC resources. And while I'd keep the NUC going generally, I've no need for the K8S portion to be x64.

sten2012

> And with fewer PCs being bought these days, Intel exiting that aspect of the personal computer market seems obvious

As a NUC owner I've been eyeing up NUC like form factors with AMD processors but haven't pulled the trigger. But options are somewhat limited. With this gap crowbarred into the market that seems likely to change I've no reason to go Intel next time around, now.

So when it comes to selling chips while this certainly won't kill them, it will surely not benefit Intel either?

Fundamentally I suspect it's good change for the individual consumer. Less so or bad for corporate customers.

Edit: also suspect something like a NUC that's modern, cheap but with a 10 support lifespan (a thin client with serious grunt) is what windows 365 is targeting and how much this affects the decision?

Sorry for the complete speculation.

Red Hat's open source rot took root when IBM walked in

sten2012

Re: Great liberators ??

A* corporation, please? I don't care if they're American, that's not relevant. Red Hat were a positive force for a long time, and American the whole time as far as I'm aware.

The problem is the megacorp, not where the megacorp was born.

sten2012

> I blame IBM

As do I, but everyone knew some kind of crap would come from the sale. And Red Hat still sold, and everyone working there (that wasn't laid off) still works there, etc.

Only so many excuses can be made on their behalf. The fact IBM now owns them doesn't absolve them of anything at all.

Red Hat sold to IBM knowing the risks. Red Hat are now IBM. Ergo, I blame Red Hat and IBM.

Rocky Linux details the loopholes that will help its RHEL rebuild live on

sten2012

Re: Licence

One such change could be that source code must be made available to your supplier too, for example, to allow for enforcing pulling source code changes upstream on request too.

Then if Red Hat chooses to terminate that contract because someone invokes their right.. well.. at least it's mostly just screwing themselves.