Congress wants CVE stability, China wants your LinkedIn details, and Adobe wants you to patch Creative Cloud

Another week has come and gone. This one included some Fortnite flaws, a nasty Intel bug, and a voting machine maker whining about hacking contests. Here’s a bit more of the recent news in security:

Exciting new LinkedIn use case: Chinese spying

Be careful the next time you get an invite to connect on LinkedIn: you might be …

  1. fm+theregister

    Out of the box, gray thinking

    “This case is another example of a double standard toward prosecuting cybercriminals in post-Soviet countries...”

    https://www.theregister.co.uk/2008/10/14/darkmarket_sting/

    We need to be careful pointing fingers. Double standards are everywhere. Hackforums+Omniscient+LEA (you know which one) have also been long-time partners, including in sting ops.

  2. Anonymous Coward

    LinkedIn?

    Are there really people still using it?

    Like MySpace, it seemed a good idea at the time but then MS got their sticky mitts on it.

    Skype has gone the same way, descended into a POS dung heap.

    I still get emails from LinkedIn despite me deleting my account years ago after MS wanted me to link my MSDN account to my LinkedIn one. Not on your nelly.

    It was then that I realised that I hadn't used it in eight years so it went to the great bitbucket somewhere... or did it?

    1. Alan Brown Silver badge

      Re: LinkedIn?

      "Like MySpace, it seemed a good idea at the time"

      No, unlike Myspace it spammed unceasingly from day one with "invites" that could only be turned off by going to the website and signing up for an account - which then switched on a stream of other crap mail that couldn't be disabled.

      And despite GDPR laws, THEY'RE STILL FUCKING SPAMMING

      LinkedIn and the people behind it deserve to die, horribly - preferably in a way that involves flensing whilst still alive and with added salt.

  3. Anonymous Coward

    That's why I got a request from a young Chinese girl lately....

    ... it's just that I accept requests only from people I have worked with. Job offers can come by their own path. If someone is too mean and prefers other ways, it's clearly not a reliable employer.

  4. onefang Silver badge

    "Evanina is now calling on LinkedIn to take on a Twitter-esque mass culling of fake accounts."

    I'm hoping that includes my old account that I renamed to "Deleted User" before "deleting" it. The one that sometimes gets emails sent to me that start "Dear Deleted,".

    1. robidy

      When did you rename it?

      Are you confident your security is good?

      Could be evidence of a more recent data breach at LinkedIn.....

    2. Anonymous Coward

      I'm hoping that includes my old account that I renamed to "Deleted User" before "deleting" it.

      Don't get your hopes up. Scummy "social media" companies justify their existence on numbers of users, and fraudulent login attempts on your account probably qualify you as a "live user".

      I've got two LinkedIn accounts - the one under my real name solely for keeping in touch with business colleagues not close enough to be on my private email list, and the made-up name so that when looking up other people ahead of meetings, my name doesn't show as "Jonathan J. Scumbag has recently reviewed your profile". Ever since Microsoft bought LinkedIn, I've been in two minds whether to delete both accounts.

  5. Lusty Silver badge

    CVE Funding

    No, no, no, no NO! US government funding for CVE will remove any and all trust I have in the system. Instead, why not require commercial software companies to pay for the system? It's their bugs being reported anyway. The US Gov is too eager to have access to backdoors and exploits already, and this kind of funding would allow them a way to retain exclusive access to these for longer while the rest of us are spied on. Not OK.

    1. Anonymous Coward

      And CWE?

      From a developer point of view, the CWE system (also managed by MITRE) is more important as it shows the common failure modes that lead to CVEs.

      However, that one could do with some restructuring. There are different "views" into the data and the way they structure it makes it more complicated than it should be.

      For example, there are a load of CWEs allocated to buffer (array bounds) related issues - 119 "Improper Restriction of Operations within the Bounds of a Memory Buffer", 121 "Stack-based Buffer Overflow", 122 "Heap-based Buffer Overflow", 124 "Buffer Underwrite", ... 129 "Improper Validation of Array Index", 131 "Incorrect Calculation of Buffer Size". These all come back to "array bounds violation" and, from the point of view of software, you don't really care where/how it happened, you just want to make sure it doesn't happen.
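    The comment above argues that CWE-119/121/122/124/129/131 all reduce to one property: every access must stay inside the buffer. The C below is an added example, not code from the comment or from MITRE, that puts the unchecked patterns next to a single overflow-safe range check which covers all of them. The capacity, function names and inputs are made up for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16 /* arbitrary fixed capacity, chosen for the example */

/* --- The "before" patterns. They are never called below; each one is
 *     just the shape that a separate CWE entry describes. --- */

/* CWE-121 stack-based overflow: nothing checks that src fits in buf. */
void stack_copy_unchecked(const char *src)
{
    char buf[BUF_LEN];
    strcpy(buf, src); /* writes past buf when strlen(src) >= BUF_LEN */
    (void)buf;
}

/* CWE-129 improper index validation: idx comes straight from input.
 * A negative idx is the CWE-124 "underwrite/underread" flavour. */
int read_at_unchecked(const int *table, int idx)
{
    return table[idx];
}

/* CWE-131 incorrect buffer size: count * elem can wrap to a small value,
 * and the heap buffer then overflows (CWE-122) when it is filled. */
size_t alloc_size_unchecked(size_t count, size_t elem)
{
    return count * elem;
}

/* --- The one property all of the above violate: the byte range
 *     [off, off + len) must lie inside [0, cap). Written so that the
 *     addition itself can never wrap around. --- */
bool in_bounds(size_t off, size_t len, size_t cap)
{
    return off <= cap && len <= cap - off;
}

/* Checked string copy: copies src plus its NUL into dst[cap].
 * Returns the number of characters copied, or -1 if it would not fit. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n == SIZE_MAX || !in_bounds(0, n + 1, cap))
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Checked table read: rejects negative and too-large indices. */
bool read_at_checked(const int *table, size_t n, long idx, int *out)
{
    if (idx < 0 || !in_bounds((size_t)idx, 1, n))
        return false;
    *out = table[idx];
    return true;
}

/* Checked size calculation: fails instead of silently wrapping. */
bool alloc_size_checked(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

int main(void)
{
    char dst[BUF_LEN];
    int table[4] = {10, 20, 30, 40}, v;
    size_t sz;

    printf("copy \"short\": %d\n", copy_checked(dst, sizeof dst, "short"));
    printf("copy 16 chars into 16 bytes: %d\n",
           copy_checked(dst, sizeof dst, "sixteen chars!!!"));
    printf("table[3]: %s\n", read_at_checked(table, 4, 3, &v) ? "ok" : "rejected");
    printf("table[4]: %s\n", read_at_checked(table, 4, 4, &v) ? "ok" : "rejected");
    printf("SIZE_MAX * 2: %s\n",
           alloc_size_checked(SIZE_MAX, 2, &sz) ? "ok" : "rejected");
    return 0;
}
```

    The point of `in_bounds` is that the stack, heap, index and size-calculation variants all fail the same test, which is why a reviewer or a static analyser only needs to look for accesses that bypass it rather than track which CWE leaf each one maps to.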

    2. robidy

      Re: CVE Funding

      The industry (closed and open source) has had over 3 decades to do something.

      The only notable action was Google's and that is hardly adequate.

      The alternative is not worth contemplating.

    3. Alister Silver badge

      Re: CVE Funding

      No, no, no, no NO! US government funding for CVE will remove any and all trust I have in the system.

      Did you miss the bit where it says the CVE is already government funded - just not on a long term basis.

      1. Anonymous Coward

        Re: CVE Funding

        There's a difference between getting money now and then and the US Gov owning it as the rest of us found out with SWIFT a little while ago when America thought it owned the world. Trump was obviously asleep that year as he seems to have reverted to the same behaviour, which will hopefully be the final push to the Yuan replacing the Dollar and the closing down of the US owned SWIFT payment platform.

        1. Michael Wojcik Silver badge

          Re: CVE Funding

          There's a difference between getting money now and then and the US Gov owning it

          Yes, but it's not the difference that you think it is, and it doesn't apply to MITRE and the CVE system. You clearly have no idea what you're talking about. MITRE has always been a Federal contractor, and CVE funding has always come from the Feds. The only change here is making that "hard" money (a budget line item) rather than "soft" (taken from fixed-term grants and contracts).

          In any case, MITRE's role as CVE coordinator is relatively small. They provide a central clearinghouse for the CNA (CVE numbering) function - but it's the actual CNAs who assign the numbers, and they don't work for MITRE. MITRE determines the format of CVEs, but CVEs don't contain much information anyway; all the meat is in the linked document, which the CVE publisher controls, and if MITRE tampered with the link the publisher would take note and announce that through other channels. There's no usable vulnerability there. And MITRE provide the CVE submission and publication mechanism, but it's open-source and could be duplicated in a matter of minutes.

          There are multiple, independent repositories of published CVEs and related information. The CVSS scoring isn't done by MITRE; it's done by NIST, as part of the NVD process, and is duplicated by other organizations such as Red Hat (who often publish scores before NIST anyway).

          There are a lot of eyes on MITRE's CVE coordination role - not because anyone (who knows what they're talking about) is suspicious that the government has coopted it, but because so many people use it. And the possibilities for attack are extremely limited.

  6. Anonymous Coward

    LinkedIn - the Google of the professionals ....

    Like a lot of US-owned sites, LinkedIn is of limited use elsewhere. (Like all those SaaS recruitment sites that talk about your "resume").

    A few times it would have been useful to search for candidates by "nationalities held". Even LinkedIn product support said it was a good idea. Much like LinkedIn product support then (respect to Gandhi!).

    1. Anonymous Coward

      Re: LinkedIn - the Google of the professionals ....

      I find LinkedIn occasionally interesting for tracking what old friends are up to but that's about it.

      1. Ken Moorhouse Silver badge

        Re: tracking what old friends are up to

        A client of mine who was a substantial LinkedIn user died two years ago now, almost to the day. I'm still getting prompts to wish him happy birthday, happy work anniversary, etc.

        I can understand his family's desire to leave his account enshrined on the site, he was a charismatic personality even in his twilight days and deserves remembrance.

        Perhaps MS should put a "deceased" checkbox option on people's profiles to stop the inappropriate messages.

        Pointing this out to them would probably result in the account's deletion (ah, we're not likely to get any more revenue from that source: therefore delete), which is not really the outcome required.

        PD RIP

        1. Giovani Tapini

          Re: tracking what old friends are up to

          Agreed on having an ability to memorialise or equivalent.

          On the other hand, my better half's LinkedIn account is entirely inaccessible as it was created with an email account that no longer exists. You can't change your password, you can't log in, there seems to be no rational process to get to it ever, and that's with the owner still alive. Who knows what byzantine process would be invented to allow your suggestion, albeit it seems reasonable in principle.

  7. Pascal Monett Silver badge

    “Funding this key cybersecurity program through piecemeal, short-term contracts...”

    is exactly how the true amount of funding can be obscured to the public eye, so I really doubt much will change there.

    And while on that kind of funding, does the White House still buy $1,000 toilet seats?

    1. Orv Silver badge

      Re: “Funding this key cybersecurity program through piecemeal, short-term contracts...”

      They now choose to distribute excrement via Twitter, instead.

  8. amanfromMars 1 Silver badge

    Keeping IT Spectacularly Simple .... The Surreal Naive Root Route

    Reuters reports that Chinese agents have been contacting thousands of users on LinkedIn via fake accounts, trying to find high-value targets who can then be recruited to hand over sensitive information to Beijing.

    A simple email link to the likes of a Unit 61398/APT10 operation would allow another direct avenue which would transport sensitive and even top secret information to both beings and systems specifically geared to making novel and better use of intelligence which is greater the more it is freely shared.

    The fact that it may easily crush and crash oppressive secret systems of elite executive administration of human command with globalised controls is not so much an added bonus but more IT's raison d'être.

    However, even that simplification is trumped by the free open source sharing of Intelligent Intelligence Developments on the web pages of well respected Registered journals.

Biting the hand that feeds IT © 1998–2019