Spectre shenanigans, Nork hackers upgrade, bad WD drives and more

Here's a summary of this week's infosec news beyond what we've already covered in detail. Exploits for chip blunders spook antivirus land First up, January's Meltdown and Spectre processor security design flaws continue to haunt the IT world. Fortinet put out an advisory on Tuesday warning 119 variants of code that exploit …

  1. Voland's right hand Silver badge

    WD has been a pain in the backside to deal with

    I tried to report to them a reproducible crash of their storage software 4 or 5 years ago on similar kit. It was crashing reproducibly during a UPnP query. Proper crash - to a full reboot.

    They DID NOT GIVE A F*** about the fact that it crashes.

    They DID NOT GIVE A F*** about the fact that the crash may be potentially exploitable.

    Their answer was: "You are doing it with Linux? We do not support this". The fact that their software crashes in a potentially exploitable manner was somebody else's problem as far as they were concerned.

    So nothing has changed. WD being WD.

    1. Aitor 1

      Disclosure

      You should have disclosed that, including a note saying "WD refused to engage or fix"

  2. macjules

    Flash in the pan

    Adobe confirmed reports from South Korea that a nasty bug in Flash is being actively exploited to hijack victims' Windows PCs.

    That's not a bug, that's the normal behaviour of Flash.

    1. Flocke Kroes Silver badge

      Re: Flash in the pan

      Could be worse. Imagine how bad it would be if Microsoft had built Flash support into Excel.

      1. Stuart 22

        Re: Flash in the pan

        We retired our last Flash-dependent legacy application this week. Our (very) small contribution to making Windows a little less unsafe.

        More importantly, it's being used to justify an extra beer all round.

  3. Anonymous Coward
    Gimp

    Black Dev Ops

    Remember software development takes a while. If you are putting off patching Meltdown and Spectre because there are still no known nasties out there then you may be in for a nasty surprise soon enough.

    As well as patching, why not use this as a good time to check up on your backups, fix up the leaky firewall and push through a proper password policy. If you are particularly brave, why not see if you can scare the purse-string holders into 2FA?

  4. jelabarre59

    WD vuln

    Western Digital drive vulnerability? I thought just **USING** Western Digital drives was a vulnerability in itself.

    1. bombastic bob Silver badge
      Black Helicopters

      Re: WD vuln

      I actually like the WD drives I've used/purchased, but, whatever. At least it's just the 'MyCloud' (according to the article anyway) and not the drives themselves. Or... ? (don't make me panic, I'm already biting my nails over the Meltdown/Spectre news, and may end up in full-blown black helicopter paranoia soon if this keeps up, panic panic panic)

      ok I was being facetious. Seriously, men in white coats, you do NOT need to take me away, ha ha!

      1. Maelstorm Bronze badge
        Trollface

        Re: WD vuln

        Are we sure that this wasn't another NSA/GCHQ mandated backdoor that was found out? These G-Men must really like the rear entry.

  5. bombastic bob Silver badge
    Alert

    119 variants of code that exploit the CPU security cockups

    I checked for more detail on what these are, exactly, and only found references to virus signatures, which isn't all that helpful in understanding what's going on.

    So, is this:

    * "executable file" malware

    * client-side javascript

    * cloud-based programs

    * clever scripting in a spreadsheet or document sent via e-mail

    * ???

    or all of the above?

    Can it be at least PARTIALLY mitigated by using NoScript and avoiding opening e-mail attachments or viewing e-mail "as HTML"? You know, 'practice safe surfing'.

    Unfortunately the references I found here didn't help me much in the knowledge department. Still good info, and I've seen entire series of El Reg articles come about after a quick "oops here it is" article [like this one], in which details and references and all kinds of goodies are presented. So I'm looking forward to it, in a way.

    Otherwise, are we all just supposed to sit in our "Crona Corners" sucking our thumbs and wishing we'd never been born?

  6. Anonymous Coward

    Hmm, platform bias???

    "but the key thing is: this is proof-of-concept code that tests to see if it's possible to exploit Meltdown or Spectre on a machine. It's not 119 pieces of new malware "

    Since when did this blogger (not going to call him anything more than a blogger) give the luxury of differentiating between theoretical and actual to the Android platform? The answer: never....

  7. peterjames

    And you all know how it happened, right - the uber-capable management, where it is OK to fire anyone at any time - decided the guy/girl who was coding important bits wasn't going to get a raise - so as she walked out, they just sealed the product as ready, swept their incompetence under the carpet - and of course won't be fixing any of it because doing so means admitting to the mistake in the first place.

    To my shock, a whole layer of managers think this 'not losing face' approach is the bedrock of western management - imagine when those - and that's your IT mainstream in all but the most genius-friendly companies - then need to fix things up - it will happen on the 21st of Never (and then 4 years later).

  8. Milton

    Observations

    Not original thoughts, I am sure, but ...

    1. Email users—even senior, supposedly well-educated, qualified people with heavy responsibilities and big jobs—still absolutely refuse to understand that email is horrifically insecure, that you should trust nothing to email that you wouldn't be happy to see on a billboard; but that there are relatively cheap, simple to set up and easy to use mechanisms to (a) encrypt your messages and (b) sign them digitally so that others cannot implement masquerades. I was dealing with a law firm last month and even they thought it was OK to use email for legal documents. It is unbelievable. What is wrong with these people?

    2. It will be supremely ironic if the appalling security flaws in chips (no, Intel, they are not features, you lying b*****ds), which have to be "corrected" with patches which put a serious dent in CPU throughput, lead to a renaissance of competent performance-conscious programming. If we see more articles about this or that OS/kernel/application having been tweaked, modified, rewritten, optimised, whatever, to provide a (say) 15% speed-up to mitigate the effects of the Spectre/Meltdown patches, the question will be: if it was that easy to make this stuff work faster—if it was that fat, stodgy, inefficient and badly written in the first place—why on earth didn't you sort this out sooner? How much other lazy, sluggish garbage is running on our machines, picking its nose over a 618Mb library-for-the-lazy, when it could have been written for one-tenth the disk space and five times the speed?

    I have a feeling we all know that a vast amount of modern code is third-rate shit which gets away with being obese dross because it depends upon using tiny fractions of enormous, bloated libraries and runs on very fast silicon with forgiving OSs. If there's an upside to Intel and others' monumental screwup with chip design, it may be that we'll see a return to professional coders writing really good stuff.

    Well ... I can hope.

  9. Baldrickk

    mydlinkBRionyg

    I wonder if Briony G. will be feeling hot under the collar today?
