* Posts by gollux

302 posts • joined 11 Sep 2007


Airbus warns of software bug in A400M transport planes

gollux
Headmaster

Re: Under "wraps"? Seems odd....

The term is "Adversarial Law" or "Guilty until proven innocent". While the Church was a law unto itself and had its fingers in the pie, the Secular System was a bit separate from the Inquisition.

2
7
gollux

At least it doesn't fly inverted on crossing the equator...

1
0

Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday

gollux

Pretty much the way Windows Server 2012 R2 operates out of the box. Buh? I had a process that was supposed to run overnight, why did it crash? Oh, jeeze the little icon in the tray says Windows Update rebooted the machine at 2:30 am...

Now when they get good enough to not require any restart except for kernel patches and give you fair warning that a system restart is needed, then I'll bite.

6
5

EXTREME COUPONING zeros checkout carts in eBay's Magento

gollux

Re: It seems like it would be slightly difficult to exploit

And if you're offering downloadables, it's all free.

0
0
gollux

Re: It seems like it would be slightly difficult to exploit

All sites running versions up to CE 1.9.1.0 are vulnerable... Until patched.

Your highly paid for Enterprise version also is a wide open swinging barn door.

And Magento suffers regression errors, when you upgrade, the core patched files are overwritten which causes your website to be open to the wide world all over again until re-patched with ALL the patches that apply to your current version.

The patch is a shell script patch that needs to be manually run with crossed fingers in the hopes it doesn't blow chunks.

After patching, you still aren't in the clear... Your fully patched website is still vulnerable.

If you're running the kludge compiler, recompile. Then clear your Magento cache, best if done by manually deleting the cache subfolders just to be sure. Then, if you're running an opcode cache, better clear that as well.

0
0
gollux

Mag-E-Bay...

Kind of a really snaky path from initial release to final exploit. It was one of Mag-E-Bay's best kept secrets that a patch existed till recently...

https://www.ostraining.com/blog/general/magento-shoplift/

0
0

When the Schmidt hits The Man: Look what the NSA made Google do

gollux

Google AI coming to a computer near you...

We welcome Google Cyberdyne Skynet into our daily lives!

Watch out NSA, the GDDN will be on your tail.

1
0

Watch: Nasty JPEG pops corporate locks on Windows boxes

gollux

Re: What’s going on here?

Heh, YouTube knows how to use HTML 5, but the Security Researcher doesn't... Amusing.

10
2

It's 2015 and a RICH TEXT FILE or a HTTP request can own your Windows machine

gollux

So, I had to deploy a brand new Windows 8.1 workstation the other day and by the time I got through, Microsoft had downloaded 1.8G of patches to install... Begs the question, where's the service pack to help prevent this? Oh, wait, we'll be getting Service Pack X (Windows 10) soon.

My question, after the same period of time after release, is Spartan going to be coming home on its shield?

7
0

Microsoft enlists web security pariah Adobe to help build Internet Explorer-killer Spartan

gollux

Re: Very much panicking here

Just remember, Microsoft needed help the first time as well. They bought SpyGlass in a panic over Mosaic's success on the infant web of the time. And think how NSA appropriate the original name SpyGlass for the Internet Browser sieve that got renamed to Microsoft Internet Explorer.

9
3

Blockheads bork Bitcoin Foundation board election

gollux

Yet another group of computer wizards finding out they need to hire competent professionals for a separate area of expertise. Always fear engineers who think that just because they can analyze the environmental forces, span requirements and loading calculations, create the plans and spec the materials for building a bridge, that knowledge confers on them the ability to do the ironwork, pour the concrete, run the crane or any other number of items necessary to create the finished work.

5
0

BitDefender bit trip slaps 'valid' on revoked certs

gollux

Time for a security audit.

One thing that Komodia has shined a light on. All MITM software that pretends to inspect SSL traffic for your security, privacy, intellectual traffic protection and malware protection has probably been doing it wrong.

It's just a given in the slap-dash "OMG, SSL's gonna bypass our packet inspection and everything will be insecure again" way that this stuff has been thrown together, especially since the Google push for EVERYTHING HTTPS!

Growing pains, gotta love them. For most programmers, as in all things, hindsight's 100%, after all. Schneier's law kind of thing, the people coming up with this need someone external to break their stuff as they've focused so well on the implementation, that they've forgotten that there are a million people out there willing to crack bad implementation and use their product against their "customers".

Expect all security/safety MITM scan software to have severe flaws that allow them to rubber stamp invalid, revoked, specially crafted and self-signed certificates as fully non-trust breaking connections via their faked reassigned certificates unless proven otherwise.

1
1

Psst, hackers. Just go for the known vulnerabilities

gollux

Re: Reactive only management

What I'm coming to realize over a lifetime is that there aren't that many competent people on the planet. A lot of the population who think they're intelligent, are merely clever. Competence and management are two words that often don't ever match.

4
0

Man the HARPOONS: YOU can EASILY SLAY ad-scumware Superfish

gollux

A really exasperating point is that it will downgrade connections to SSL V2 and SSL V3 connections on request to your MITM bogus server in addition to converting its cert to a trusted certificate. What have we been wasting our time for over the last 10 years by trying to improve security. It's the Sony rootkit all over again, easily appropriated and usable by anyone out there with bad intent.

And that twin headed hydra Konovo/Lomodia gives us the same assurances Sony did back in the day that nothing's wrong. We've heard it all before, denial, spin, eventual capitulation. Time for some class action lawsuits by some fortune 500 companies who will soon get hit by a quick spearfish attack enabled by using Komodia's severely broken software.

8
0

So long, Lenovo, and no thanks for all the super-creepy Superfish

gollux
Mushroom

How not to do asymmetric key cryptography

The private key is stored as a string in the adware program package software.

Hey guys, the bank safe is uncrackable, don't worry.

For ease of use, I just set the clock to allow 24hr entry, taped the combination knob key to the door and wrote the combination code on the front with a jumbo indelible felt marker.

6
0

Did NSA, GCHQ steal the secret key in YOUR phone SIM? It's LIKELY

gollux

Re: The Five-Eyes-Of-Sauron are Legalized Criminals...

Somebody once told me that all freedom will be lost by the simple premise, "We're doing it for the sake of the children!", one of the most basic knee jerk, hotbutton issues ever invented.

11
0
gollux

Re: Don't be daft?

All you ever need to know about government is there in the "Yes, Minister" and "Yes, Prime Minister" BBC series.

It never was a comedy, but a detailed study on how we are on the gaff hook of bureaucracy.

Every time I hear any politician or bureaucrat talking, I just remember Jim Hacker, Sir Humphrey Appleby and Bernard Woolley explaining the workings of government in detail.

Administration is eternal. Forever and ever. Amen.

18
1
gollux

The illusion of security...

The best way of handling telecommunications security is to assume that you've never had it and that everything you're currently doing to ensure it is ineffective or has been backdoored and bypassed.

The only thing you can do is attempt to prevent massive leakage to the lowest common denominators, but if you have anything that is wanted bad enough, it's already in someone else's hands.

Lenovo, NSA firmware hacks, now we know GSM was secure as the good old analog days if any intercept hardware was near. "May we live in interesting times!"

3
0

Microsoft's patchwork falls apart … AGAIN!

gollux

Kudos for a job well done!

Ooh, you mean I might escape "Death by Powerpoint" at that overly long, semi-necessary Power Point Slide reading session called a Weekly Strategy Meeting on Monday?

I vote we give Microsoft a bonus every time they make people talk from outlined notes and actually give shortened, hopefully content rich presentations, not those graphically literate fluff sessions we've come to know and hate.

13
0

Ransomware 2.0 'crypts website databases – until victims pay up

gollux

Welcome to more granite embedded in the cloud...

Your data is truly safe, just never to be seen again in this life.

1
0

Google boffins PROVE security warnings don't ... LOOK! A funny cat!

gollux

Re: I've seen and bypassed this message.

My impression of most Google offerings purportedly targeting the business environment is that they are trying to undermine their competition by offering "free" services, free consumer grade services at that, even if you're paying for it.

Every time you get used to something being useful in business, Google changes it to be more touchy-feely and social, often gutting the reasons you started using it in the first place. I've come to despise Google Apps.

10
0
gollux

Re: POPUP ALERT!

Flash and Java popup alerts are always a good indicator you're on a compromised WordPress website...

Not that your long removed and nonexistent Oracle Java is in need of upgrade.

Or not that your recently manually upgraded Adobe Flash player is defunct because you didn't want to wait till the automatic update kicked in and you finally gave in and installed Flash Block because you don't really trust that the latest upgrade actually did anything (aka January 2015 0-day fatigue)

The annoyance continues with all the other popups including the marginal security goofery mentioned.

1
0

Some Androids can be HOSED by WiFi Direct vuln

gollux

Google vs. Microsoft. Consumer Grade product vs. Commercial Grade product.

0
0
gollux

Welcome to the Google's new clothes, get used to seeing wedding tackle flopping about.

3
4

Snowden doc leak 'confirms' China stole F-35 data

gollux

Re: This is probably very bad..

And that Sherman superiority in numbers had an acknowledged really bad history, such that tank crews nicknamed them "Ronsons, guaranteed to light on the first strike". Their popgun was a joke as they were out-gunned by the Panzers in range and striking power. You didn't just run a Sherman out to do head-to-head battle, you tried to get a group of Shermans positioned to exploit the weaknesses that Panzers exhibited.

Thankfully, as shown in Operation Barbarossa against the Russians, the German army had superior technology supported by inferior tactics and logistics.

4
0
gollux

Re: This is probably very bad..

Hmm, wonder where all that Apple product comes from? Don't worry, Japan got accused of the same thing before their automobile industry ate the US car manufacturer's lunch.

Borrowed engine designs modified for easier manufacture and field repairability

Mazda 626/Ford Courier = BMW 1600-2002 4 cyl

Toyota 4M = SOHC Mercedes 6 cyl

Toyota Landcruiser = Chevy 235 6 cyl

Datsun 1600-2000 = SOHC Mercedes 4 cyl

And then they came up with their own designs and the rest is history.

8
1

ISC.org website hacked: Scan your PC for malware if you stopped by

gollux
Mushroom

Heh, that beautiful CMS environment strikes again.

Maybe we need Microsoft to buy out WordPress and rework the security. While I'm not a particular fan of Internet Explorer, it would be nice for WP to at least be as good as or better at not serving as an infection vector.

0
4

Heads up! If Tor VANISHES over the weekend, this is why

gollux

Sounds like a designed in single point of failure. Time to eat the dogfood and make it distributed, like it should have been done in the first place. We been bein' dazzled by all those onion layers and multipath jiggery-pokery, only to have it vulnerable to this?

4
7

Attack reveals 81 percent of Tor users but admins call for calm

gollux

OMG, I'm all TORn up, my TORnography habit may be exposed...

Nice to know there's always an end run around this stuff. Get them to come in flocks, identify and flag the paranoid as some of them might be criminal... Sounds like a honeytrap to me.

0
0

The ULTIMATE CRUELTY: Sandworm uses PowerPoint against Swiss bank customers

gollux

Death by Powerpoint - heh, hehheh, hehh...

From all of us who've dealt with zombification by bullet point slide and an uninspired reader of said slides who purports to be giving an informational presentation.

'Bout time.

0
0

Pay-by-bonk 'glitch' means cards can go kaching-for-crims

gollux

Re: And yet...

Heh, my millwright uncle had no problems with the magstripe technology, he says a day at work around any heavy motors degausses them pretty effectively. His maximum life on card readability was about two weeks once.

We'll have to see how chip & pin and NFC fare under that environment.

0
0

Carders offer malware with the human touch to defeat fraud detection

gollux

Re: My golden rule since my card was cloned at a Texaco petrol station

"The Wife" doesn't seem to mind as she's also "The Better Half" and thinks "The Husband" is reasonably adequate to being a companion.

And what a thread hijack this whole discussion turned into... Worries of cloning Chip&Pin cards (soon to be standard in the US latecomer market as a platinum answer to all our woes) all swept aside in a flurry of pedantic semantics.

"The Better Half" tends to look after the bills and finds the discussion a waste of time as card security worries and dealing with credit card companies eats up real time unlike the gust of hot air and insignificance that has been the topic here.

0
0

Tor exit node mashes malware into downloads

gollux

Re: Never ever trusted TOR enough to use it

Too much stench of the G-Man on it...

0
0

Tor attack nodes RIPPED MASKS off users for 6 MONTHS

gollux

One of the first of many firsts...

Which will be repeated many times in the future.

Your TORnography isn't safe, your criminal activity isn't safe, your underground political activity isn't safe, your wish for anonymity isn't safe.

It's becoming increasingly easy to trap the paranoid, spread news that they can be paranoid in total anonymity and they will come sucking at the honeypot in droves.

0
0

MtGox allows users to see a picture of their money, but not have it

gollux

Re: Interesting times ahead

The average Bitcoin user doesn't understand runs on banks and not being able to cover lender's balances... Otherwise no regulation wouldn't be such a "feature".

1
0
gollux

Re: Goon Show moment

To complete that, it would be funny if any attorneys involved were required to take their payment solely in Bitcoin.

0
0

US BACKDOORED our satellites, claim UAE

gollux

Freedom from backdooring

Belongs to them what owns their own aerospace program with launch facilities, their own chip fabbers, electronics manufacturers and satellite manufacturing.

Outsourcing is the first step in losing national security.

0
0

Microsoft, HURTING after NSA backdooring, vows to now harden its pipe

gollux

The world needs more...

hardened pipes...

Free standing towers of data security.

Hardened against backdoor penetration by the NSA et al.

May the Schwartz be with you!

0
0

Anonymous Indonesia gets it right, attacks Australian government

gollux
Mushroom

Get it on!!!

The A-Nutty-Mess wars against something will pass on to mean pretty much nothing...

Honk if you love Jesus and all that rot.

0
0

AVG, Avira and WhatsApp pwned by hacktivists' DNS hijack

gollux

Re: so far so good

You baggin' on Notwork Pollutions who keeps spamming me to have a free website built to better my business? Yep, they're still highly automated and deaf as they've always been.

1
0

NSA using Firefox flaw to snoop on Tor users

gollux

Re: VMs are your friend

Reduce your threat surface, don't follow the Silk Road.

1
1

It's about time: Java update includes tool for blocking drive-by exploits

gollux

Re: About damm time

The usual confusion, java != javascript

Java is a system where compiled bytecode runs under a runtime environment.

Javascript/VBscript is now merged under ECMAScript and is an interpreted script language.

The Java browser plugin hands off the execution to the Java runtime environment installed on your computer.

ECMAScript runs within the browser.

2
2

Tor traffic torrent: It ain't the Syrians, it's the BOTS

gollux

State it for what it really is, increased WAGs as to what on earth is happening. Welcome to faith based explanations over increase in traffic on a faith based TORnography network.

0
1

Boffins confirm quantum crypto can keep a secret

gollux
Mushroom

Re: Great Idea...

Simplicity by Complexity - or it takes another right Charlie to Foxtrot the system.

0
0

NSA: NOBODY could stop Snowden – he was A SYSADMIN

gollux

NSA HAS SERIOUS ISSUES

First thing, lock down sysadmin access to only what's necessary for the sysadmin to do his job. Shouldn't be a global account that has access outside his well defined access level and job scope.

This is one reason to not trust the NSA. If he had GOD level status just because he was a puny SysAdmin, how do we know that Putin also doesn't have access... due to high level incompetence and the data leaks this enables.

Or they intentionally wished that the information be leaked so they can build a strawman.

0
0

Beware the ad-punting crapware-laden Firefox, warn infosec bods

gollux

New NSA Security Bundle

Keeps you from being spied on by offering Privoxy and TOR for anonymously accessing your pedobear stash. First proxy/TOR node is your friendly local strongarm looking for marks to extort. Wubba wubba wubba.

0
0

Hey, you know Android apps can 'access ALL' of your Google account?

gollux

But it's so darn convenient!

0
0

Terror cops swoop on couple who Googled 'backpacks' and 'pressure cooker'

gollux
Happy

Re: Thank god for the war on Terror

Welcome over for tea, the Spandaus are warmed up, and the Jenny is dead.

0
0

Snowden leak: Microsoft added Outlook.com backdoor for Feds

gollux
Mushroom

In the haystack that is Linux, there is room for many needles to hide.

With all those lines of code, Detective Lecoq would be looking for the rumpled envelope in the letter basket.

3
0

'Chinese' attack sucks secrets from US defence contractor

gollux
Mushroom

Re: Congratulations

In other words, it may have actually been a partner trying to expedite getting the job done.

Easiest way, hack QinetiQ.

0
0
