Posts by chuBb.

What's so buggy?

Only real issues I've had is v old projects circa vs2012 format csproj, which once updated to be sdk based csproj have been well behaved and fights between package reference and packages.config which again is solved by upgrading the project format. Only real gripe with that is that an advanced view on project properties would be nice to save having to trawl msdn for all of the various project and build effecting config values, although that's much less of a hassle now you can edit the project file of a loaded project

Resharper is still hobbling vs though, if only I could find as good a test runner as Resharpers* I'd uninstall the performance killing nuisance

*vs's inbuilt test runner just isn't in the same league or even as functional too many times will it fail to start a test run because of a hidden build error and not having to install a nuget package per testing framework lurking in the code base is also a massive bonus i don't see why I should have to deploy a new build just so that a dev time activity works out of the box...

Re: Out of curiosity...

It's not so much the payload that's the problem (plain text interpreted script) it's that it's possible to execute an uploaded file that's the issue.

What must be happening (I've not looked at specifics) is:

Zip is uploaded and extracted

Tomcat is set to engage java for all file requests (typically you would exclude any static files from wasting server resources, manage engine have a very lan centric trusted environment expectation with their out of box configs runs as root and sets the execute bit by default on file permissions on the *nix installer for example)

Because of this misconfiguration the attackers script is executable and good bye server you've been pwned.

The payload zip file would be a couple of kb in size and would require actual inspection to be detected as a zipped pem file and a zipped jsp would look very very similar in a hex editor...

Re: RobinHood, RobinHood...

Or the weetabix advert...

Re: Having never taken the FB bait

Me either

As far as i can tell its the bastard lovechild of yahoo groups, msn messenger and an RSS feed, which lets people have the geocities lets share with the world warm and fuzzies with even less of a technical on ramp, with hit counters now called likes, and guestbooks are now called walls.

[I have been having fun explaining things in terms of '90s web things to the work experience kid given he is well under 20 and likes tales of the "stoneage", and now understands having been made to work through it on graph paper and not just use the calculator]

Are you surprised? If a high turnover min wage call centre operative can perform a remote reset/reconfig then yeah the maintenance network will be wide open.

Just about all firmware sucks at security, and I'm pretty sure there was a bot net arround the time of stuxnet hitting the news that mainly comprised set top boxes and modems and spread by sftp (might have been ftp or samba) ...

It's the main reason I will always provide my own terminating hardware and not do anything but recycle what ever crap the isp sends out. That and you can leap frog to 2nd line support when they can't follow any of the script, failing that you need to get them to try and guess which layer of the osi model we are talking about then inform them they are not qualified to accept your answer and to escalate it...

Re: Wonder if there's a software developer somewhere...........

Probably a wix template...

Re: hijacked dialog box

Yup it's pretty low risk on its own, as a reinfection vector it's pretty nasty.

This sort of thing is exactly the sort of flaw that would let malware back in. I. E. Bot net c2 sends out a disinfect command and so appears to be off the machine, leaves behind any number of methods to fart about with dns, winrar nag screen exploited to call home to c2 or new package dropper and your reinfected. So wouldn't be surprised if similar flaws are actively used to resurrect botnets

Makes quite a bit of sense conceptually to me. Especially when using containers, a k8 aware switch would be very handy, and common management would totally work, all dpus I've looked at run Linux so what's not to like about say allowing a switch to operate as a load balancer on a couple of ports, or to run smoke tests on a given connection without needing to be an expert in the intricacies or each vendor and model ranges cli deployed in your network.

Devil will be in the implementation and using it for the right sort of workloads though. Wouldn't be an early adoptor but for a lot of hybrid cloud scenarios I could see these sorts of things becoming super useful. Hell just being able to run tcpdump at switch level per port and dumped to a San while still being a switch could be super useful

Re: New? Bwahaha!

Next headline, "using a cheap clamp multimeter energy consumption can be sniffed from a smart meter (lets ignore thats how smart meters monitor the supply but hey...)"

Or

"Security researcher reads and understands a Primer on RF Principles"

I wonder if his head would literally explode when standing waves and back emf are introduced in a few chapters time, "ZOMG, with 6" of tin foil strategically placed you can blow up a transceiver, think of the power lines!!!!!111!!!!111!!!!!!!"

In all seriousness so what, there is no reason at all to ever send anything over a digital network of any description without good enough* encryption

Also i bet the kit is much fiddlier to install than to strip an inch or so of outer sheathing and just IDC a tap onto the cable, if your good, reckon you could install in under a min, and be able to super glue the sheathing back together again to make it pass a glance test, when you remove the tap...

*Even the weakest SSL1 ciphers would frustrate casual observers enough to make the decryption much more onerous than the capture, and for say a stream of data for a hobby weather station would be sufficient as the data is pretty low value

Not really both are "move fast and break things" companies

In other words meet kpis and hope for best, then when it blows up and new managers come in, test until quarterly bonus is threatened, get sloppy, break it again and jump ship to do same shit elsewhere

Re: Teams and call forwarding

Your sbc isn't handling refer messages properly, once tweaked just so call fed just works

Re: How about Android?

Id argue apart from the valid observations of iphones being status symbols and additional telemetry db's on apple devices, that an android device is much easier to scrub clean and is much more widely understood OS vs iOS due to it being an inherently more open system.

As for combating this sort of thing, given the suspicions of rouge cell towers (or just compromised cell towers its not like security is much better than on a street light) seems tricky without reinventing how urls work, only thing i can think of that might be effective is to effectivly ddos and destroy the signal to noise ratio of the gathered intel through mass infection of devices, but i dont know if an "im sparticus" retaliation would be effective or if it would just cause a lot of collateral damage...

Re: Compete on function, not whinging

if your not afraid of typing just append "/search?q=thing im looking for" to your google or bing tld of choice

Re: Waiting...

im waiting for it to be revealed that even amazon cant secure s3....

Whats reckoning it will be a line of business server that was compromised that happened to backup to a leaky bucket?

Regardless of location the difference in wire guage and the fact that a socket was coming off of a switch live is a dead giveaway you read the wiring chart backwards.

Dont get me started on the US's earth optional wiring, running light and socket spurs off of a single circuit is the least of their problems.

Yes could be a switched faceplate, but that would be really really REALLY out of place in an industrial control room, which circles back to USUALLY sparkys who work or do work in factories are at the "less lethal to selves and others" end of the spectrum, usually....

Re: "fixing deadly OMIGOD flaws on Azure your job"

I assumed everyone unistalled the omi shite from a vm on first boot, mainly as it seems to kill nginx performance and regularly consumes 50% cpu and spawns lots of processes

Tbh (maybe I'm "experienced" enough now) I don't know any self respecting Linux admin who would let anything run they didn't explicitly put there.

Then again I first discovered omi because it was breaking apt, so not surprised Ms are not pushing the fix as it will probably brick more than it secures, still yet to see what it offers over snmp

Re: No MS account

Bad news that happened with the win 10 creators update 2 years ago, have to jump through quite a few hoops on a fresh win 10 install to create a "limited" local account and not use one linked to azure ad...

I would suggest transplant or couple are better synonyms than rebase to describe its functionality

Think tedious codebase is any enterprise or automation software, or pretty much anything which ships

Far more likely a combination of crap pay, AWS hoovering up any cloud engineer daft enough to work for them, rotten manglement of the terraform product team, and not being ansible or what ever the flavour of the month is on medium

Its a "solution" in the same vein as azure cosmos db, yes you can write less code/config to get the benefits of a cached front end on a db, but my god you will pay hand over fist if you actually use it on any meaningful project.

Do a cost analysis and it will be a lot cheaper to cluster a bunch of mid level VM's into a redis service than it is to use any of the cloud providers managed redis offerings, with the added advantage that you can house it in its own segregated vnet to over come the insanely permissive default security settings (redis's security sucks, you know its bad when access did it better and you wish for the "maturity and sensibleness" of mysql </sarcasm>), unlike the managed offerings which expose standard ports and act as a beacon for miscreants scanning with shodan. All it would take is for a s3 style "forgot to secure it" snafu, half dozen lines of python and a few hundred kb's of data to be written to enumerated keys and your looking at being liable for unlimited data charges, would make 4g roaming data charges look cheap

Nevermind that all this new service offers is what is already possible using redis modules as the article states, the fact its redis "compatible" fills me with dread as it makes me think proprietary data structures will come, which means your going to be stuck with it, until they mothball it and then what?...

Given the number of off the shelf redis kubernetes cluster solutions available, and if your data project is truly needing of distributed transaction logging you would be better off in my opinion in investing in the skills to run a cluster, maintain (sorta)portability between cloud vendors and build out your own bespoke solution. It will be cheaper (both in service and data costs) and a less compromised jack of all trades solution.

Same reason as cisco, ms, oracle etc does, money printing through software licensing

And reducing the support burden when bumblefuck the unlearned fiddles with things they don't understand burns the house down and still bitches on the forum that they couldn't get the hello world cube to print