* Posts by Crazy Operations Guy

2289 posts • joined 29 Jun 2009

Microsoft vows to destroy Office, er, offices: Campus to be demolished and rebuilt

Crazy Operations Guy

Re: RIP Building 2

I was on the first floor, it was a nice building (2/1092). Close to Cafe 4, I spent many a summer day hanging out at Lake Bill watching to Koi eating my lunch. Ah, those were the days. I was on the BPOS testing team, managing all the Unix and Linux systems that had come over form acquisitions and no one could quite build a replacement. Nothing like being a perma-temp assigned to keep a pile of SunFires up and running and in the exact same config (We had piles and piles of spares, since a lot of the already-replaced code ran on them too, so when code got replaced, I scooped up the old stuff and crammed it into my storage closet). It was such a fun gig, but eventually I had to move on.

Amazon's creepy facial recog doorbell, Facebook open sources machine learning code and much more

Crazy Operations Guy

Every time Amazon and Google roll out with new AI...

Every time Amazon and Google roll out with new AI I get a stronger and stronger urge to go live in a cave somewhere in central Australia or somewhere equally remote. Its not like I'm afraid because I don't understand technology, but quite the opposite. I understand it far too well and just how easily things can go horribly wrong when others trust in it more than they should (probably because they don't understand it).

But, also, I'm not afraid in the "AI is going to become self-aware and destroy us all" sense, but more in the "It is going to be so rudimentary it blurts out all your personal information because some frustrated person asking it 'Well, what do you know?' after the AI fails to answer a series of trivial questions" sense of fear.

Super Micro says audit found no trace of Chinese spy chips on its boards

Crazy Operations Guy

Release the schematics?

I'd breathe a lot easier if they were to publicly release the schematics of one or two of the products at the center of this. From my knowledge of electrical engineering, the suspected part wouldn't even have access to the proper buses to even doing anything like what Bloomberg is alleging. From Bloomberg's report, the device looked to be a simple two-conductor component, but was quite difficult to see exactly what the device looked like in the images.

I'd go a long way to dispelling rumors if SuperMicro were to release the schematic and board layout drawings so that independent researches and private individuals could take a look to see if such a device is even possible in the first place. It would also allow researchers to test suspected boards to see if the component behaves as expected and is the intended device.

The security researcher in me also doubts the Bloomberg report in that no one in their right mind would go through the effort of breaking a system by inserting a chip into the assembly logistics in the hopes that one of the tens of thousands of parts actually made it into their target's system and the system is in a location that can be compromised and that particular system actually contains the target data. Especially since if they wanted that much access, the IPMI chip and the Intel Management Engines are already present in the system to begin with, either one could be compromised and would give you ridiculous amounts of control over the system without the risk of compromising a component.

Really, it would be so much easier to just send fake firmware patches to the target and produce a much more direct attack rather than casting a massive net in the slim chance of getting access to that specific target.

Crazy Operations Guy

Re: Err

"Super Micro is an american company that does most of it's manufacturing in China."

So you mean like IBM, Apple, Dell, HPE, Cisco, Oracle; Intel, AMD, Nvidia, Micron, Kingston, Asus, Acer, MSI, Crucial, Texas Instruments, and so on.

I don't think there is a single "American" company that hasn't offshore'd the vast majority of its manufacturing to Pegatron, Foxxconn, TSMC, or some other Chinese-owned manufacturer.

Tumblr resorts to AI in attempt to scrub itself clean from filth

Crazy Operations Guy

Re: Spare A Thought

"may well go the way of Yahoo."

Well, tumblr used to be part of Yahoo until 2017 when it was spun off into its own subsidiary of Verizon.

Estonian ex-foreign sec urges governments: Get cosy with the private sector on cybersecurity

Crazy Operations Guy

POlitician praising the private sector?

Let me guess, she, or someone in her family and close friends, now owns a cyber security consultancy company.

Something I've seen time and time again is politicians being utter incompetents at solving a problem or just tend to ignore a little issue that can be easily solved until it becomes some massive problem that is nearly impossible to fix. Then when they leave office, suddenly they found the big solution to the problem in the form of a private company that seems to know a little too much about specific challenges of solving the problem, and is willing to work with the government for a "reasonable" fee.

The former politician then decides they believe in the company so much that they decided to invest in their radical solution. Sure, it looks like the politician had been leaking information to a private company this whole time, and is now receiving a massive payoff, but that's just what one of those evil "Enemies of the State" would think.

It's 'nyet' again, yet again, for Kaspersky: Appeal against US govt ban snubbed by Washington DC court

Crazy Operations Guy

Re: I wonder how much this is helping their sales...

"you now feel that the U.S. government doesn't have a clue and does not act in their own best interests."

No, I am pretty sure they are operating in their best interests, however their interests and the interests of their people very rarely overlap. I've felt this way since DayGlo was still hip and Disco wasn't dead.

But, my reasoning is mostly due to why the US banned Kaspersky. Some NSA worker took a bunch of classified documents home, including some zero-day code. Said NSA worker then disabled their antivirus so the can run a keygen for Microsoft Office (which, big surprise, infected his machine with all kinds of nasties). He then started his antivirus back up, which noticed the infections from the keygen and also noticed some new code it didn't have a definition for, but it still had all the hallmarks of malware. So, the antivirus then beamed the data back to HQ for further analysis where automated tools can be thrown at it to determine if it is a new piece of malware, new strain of an existing one, or just a false positive. Kaspersky, without knowing exactly what they were dealing with, then produced definition files countering the US's unreleased cyber weapons.

So really, its that a Russian company did something a competent company does, but the US thought it was part of some grand conspiracy / spy operation (The current administration sure loves going to that well...). Because what other explanation is there to some of their cyber weapons being neutralized well before deployment other than someone trying to sabotage the Glorious Leader?

Crazy Operations Guy

I wonder how much this is helping their sales...

With how consistently wrong the US Government is when it comes to network security, there couldn't be any better endorsement for Kaspersky products as getting banned by the Feds.

Hell, its exactly why they are now in possession of $70 of my dollars... (I also use a second anti-malware product on my proxy to scan incoming files. Its been banned in Russia, but not the US. I figure between the two, I'd be safe from both sides. But also figure it'd be interesting to see all the cases where one catches something and the other doesn't, and vice versa...)

Magecart fiends punch card-skimming code in Sotheby's Home website

Crazy Operations Guy

"implemented additional security safeguards"

You mean like actually checking what ode is actually running on your fscking website? It bothers me how massive and bloated websites have become and how they've gotten to the point where it is impossible to actually audit the things due to the massive amounts of 3rd party code that gets loaded so the page can show some sparkly menu or the page has a sliding effect that no one gives a shit about.

I really miss the days when even the most complicated of websites could be audited by a single person with a text editor and basic skills in HTML, CSS, and whatever language the the CGIs were written in (And that language almost always being something ubiquitous like shell scripts or C).

Blockchain study finds 0.00% success rate and vendors don't call back when asked for evidence

Crazy Operations Guy

Re: Blockchains are a wonderful tool .....

Ah, good old fashioned rubber-hose cryptanalysis.

Crazy Operations Guy

Re: Gold rush...

" pResident of the USofA grandfather came to make his money supplying the gold-diggers with stuff. " . Well, he didn't so much sell stuff as he sold sex slaves to loggers and gold miners for a few hours at a time. Then skipped town up to British Columbia once the authorities caught on to what he was doing, then when the Mounties caught on, he fled to Alaska, then got caught again and fled back to Germany where to dodge the draft, at which point he ran back to Queens, New York when the Gendarmes came for him.

Prez Trump to host chinwag with Google, Microsoft, Oracle and Qualcomm – report

Crazy Operations Guy

Knowing this president, it'll just be several hours of him trying to get tech executives to suck up to him; self-aggrandizing lies; and rants about his "enemies". At least until everyone gets bored of his antics and leave (Satya would probably be first since he's already served under loud, obnoxious balding blubbering buffoon for years and probably doesn't want flashbacks)

What a meth: Woman held for 3 months after cops mistake candy floss for hard drugs

Crazy Operations Guy

Re: @eDog - why should the taxpayers be on the hook?

"Good luck recruiting police officers with that hanging over their heads.'

The medical industry seems to do just fine with such a restriction. But if they fear having their premiums go up due to their behavior, maybe they shouldn't be police in the first place...

Crazy Operations Guy

Re: How many constitutional rights were violated ?

"It was probably the last chance to turn back the clock to a time when liberty was the defining characteristic of the country"

But things kinda sucked for everyone in 1491...

From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

Crazy Operations Guy

Re: TP-Link

Penny-pinching managers, small businesses with almost no budget, schools ad other public institutions, and so on.

I've had a bunch of clients where the manager went out to BestBuy and bought whatever the sales guy said would work then stuck it in the network, then refused to replace it since "It works well enough".

Nvidia just can't grab a break. Revenues up, profit nearly doubles... and stock down 20%

Crazy Operations Guy

If Moore's Law is ending

Then hopefully we can finally get developers to actually optimize and clean up their code rather rather than just relying on the fact that next year's chips are going to be good enough to run their inefficient crap well enough the user doesn't care.

Video chips are literally millions of times more powerful than they were in the 1980s, but graphics performance as really only increased by a factor of a thousand since.

Irony meters explode as WordPress GDPR tool hacked, cell network hack shenanigans, crypto-backdoors, etc...

Crazy Operations Guy

The downside to unregulated currency

That is the downside to having an unregulated currency like BitCoin, if it gets stolen or taken as part of a scam, there are no mechanisms in place to get it back. Whether or not that risk is worth the upsides of bitcoin is something that needs to be considered.

In news that will shock absolutely no one, America's cellphone networks throttle vids, strangle rival Skype

Crazy Operations Guy

"What over-the-air data rate is the cellular network using for voice calls these days?"

Depends on what codecs the handset and network support. Can be anywhere from 2400 bps on an old network and handset, up to 96,000 bps on a new phone attached to a new network that has been set up for the clearest voice possible (Extremely rare outside of a lab environment). It'll also depend on congestion since the tower is going to downgrade a step at a time until there is sufficiently large block of free bandwidth for handsets entering the cell. The other end of the call would also affect the voice channel (no point in giving someone 32,000 bps when the other end is only sending at 4800 bps)

Crazy Operations Guy

Re: Spectrum grows on trees

Voice streams are handled on different blocks of frequency than data streams. There will never be a time when someone's data streaming prevents you from making a phone call. Voice channels are also much smaller than data (What with voice only requiring a few Kbps for a reasonable quality voice call). If the tower runs out of channels to give voice service to newly arriving users, it will take a data channel away from the heaviest user and split it into voice channels. If it runs out of data channels to take away, it will renegotiate with connected handsets for lower quality voice codecs. And even if all phones connected are using the lowest-quality voice possible and the tower still needs more frequency, it will put voice channels into an emergency-only mode allowing only calls to emergency services. But the possibility of that happen would be almost non-existent (you'd have to move the entire population of an entire metro area into a small area for that to happen).

Some networks are set up so that if a cell gets overwhelmed, it will reduce its power and adjacent, less used towers will increase their power levels so their channels can be used to handle the additional load.

Google logins make JavaScript mandatory, Huawei China spy shock, Mac malware, Iran gets new Stuxnet, and more

Crazy Operations Guy

Re: Gmail alternatives

Or, you know, you can spin up a VPS and throw some simple IMAP / SMTP software on it. I've been doing this for a while, I built an IMAP server running OpenBSD with Dovecot installed on top. Cost me a whole $8 a month of a pair of machines running on opposite ends of the earth (Oslo and Auckland and using two different providers) syncing their mail with each other. Certificates are provided via Let's Encrypt (There is a client included into OpenBSD's base along with an SMTP daemon that supports encryption and authentication).

For the $60 a year it costs me for the machines and the domain name, I get peace of mind that at my mail is safely hidden from advertisers. Plus I get as many email addresses as I want and use whatever the hell protocols I feel like using.

Worldwide Web wizard Tim Berners-Lee sticks wellington boot into Worldwide Web's giants: Time to break 'em up?

Crazy Operations Guy

Re: Timing

The only people the tech companies are in the pockets of is those of the investors and the executives of these companies. They only care about inflating their bottom lines. They'll let you post anything from ISIS propaganda, entire copies or Mein Kampf, The Communist Manifesto, whatever so long as they are making a profit off it. Hell, you could probably show graphic depictions of Zuckerberg's grandma being brutally tortured all over Facebook and Mark would nod in approval as the advertising dollars keep coming in.

Tiny Twitter thumbnail tweaked to transport different file types

Crazy Operations Guy

"ICC profiles contain no executable code"

So, they clearly have no clue how malware works. Although I assume they meant that the ICC specification doesn't allow for execution itself, but grossly ignores how trivial a buffer overflow is when handling variable-length data like images in a loose specification like JPEG. All it takes is a manipulated JMP to make that ICC data executable.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

Crazy Operations Guy

Never should be remotely controllable in the first place

Heavy machinery, especially something that if mishandled can kill hundreds, is not something that should be fully-controlled by software. Especially since everyday I am constantly reminded that no matter how well made the software is, it will still screw up in new and interesting ways. And the fact that something like this, which require real-time communication and numerous fail safes, which TCP/IP over a 802.11 is entirely unsuitable for. Like what actions would the crane take if the network gets flooded and commands are being delayed or dropped? Like what if the crane was last commanded to rotate but the command to stop is lost? What if there is a delay and the operator repeats a command, does the crane do it twice or should it assume the operator only sent two under the assumption the first never made it?

I wouldn't have a problem if it had a human manually operating the controls but guided by software, at least then there is human doing the actual control work and can refuse to do dangerous operations. Like I can understand having a remote control unit that would allow someone o the ground direct the crane's actions, but that should really be instructions sent to a human operator. Like you'd have an assistant to the operator on the ground with a device that sends a video feed and to the operator and allows them to send preset commands that show up on the operator's control panel (Like green arrows of varying lengths for move a little to the right, move a lot to the left, lift the load a meter, lower a few centimeters, stop, etc.

Euro eggheads call it: Facebook political ads do change voters' minds – and they worked rather well for Trump in 2016

Crazy Operations Guy

Re: With help from the press right here

Also, I assume you are educated in the US since only an American can manage to forget that San Fransisco is by far from the furthest West, what with the existence of two entire states being firmly to the west of the Bay Area. And even if you disregard both Alaska and Hawaii; Portland, OR and Seattle, WA are both a full degree west of San Francisco.

In the two years since Dyn went dark, what have we learned? Not much, it appears

Crazy Operations Guy

Re: Bind/Named

Don't even need a VPS, I'm using a pair of desktops I rescued from the dumpster almost 15 years ago (I grabbed a bunch and stockpiled spare parts and upgraded the machines as much as possible). I found a pair of Pentium-3 boxes with 512 megs of RAM and a pair of 20 GB disks is enough to server a hundred or so users comfortably. They sure knew how to make computers back then, very few failures in the 15 years since I first powered them up (and after the 3-4 years they survived under users' desks)


Crazy Operations Guy

I just built my own root dns server.

I went with a simple OpenBSD box running nsd and a daily cron job that goes out and grabs "https://www.internic.net/domain/*.zone" and the *.arpa files, stuffs those files into /var/nsd/zones/, and restarts nsd. I have a pair of servers that are just recovered 1 Ghz P3 / 512m / 20g desktops with some extra NICs shoved in them. The two of them seem to handle around hundred users at a time (those are the only boxes on the network that allow port 53 traffic out to the internet and only machines that can listen on 53.

I've dumped www.internic.net into my /etc/hosts file since its IP address hasn't changed from since it went live back in the 1980s (the damn thing is older than the internet, what with it being the root of the internet / World Wide Web and all...). If the IP changes, then something is definitely going wrong.

Between the IP being static and probably the most permanent thing on the internet, and the fact that they have their sig files posted and those too are static, I am very confident in the integrity of its data and then let DNSSEC take care of the rest. No need to trust any third parties, especially the likes of Google.

Facebook monetizes 2FA, Singapore monetizes hacker, and ransomware creeps monetize US Democrats

Crazy Operations Guy

" login credentials for the hotel's telnet"

Telnet? Seriously? The hotel really should get a fine too, using telnet nowadays is a crime against technology...

Sunny Cali goes ballistic, this ransomware is atrocious. Even our IT bill will be something quite ferocious

Crazy Operations Guy

Re: @oldtaku - Actually it's not Windows XP

I've been seeing more and more attacks against XP nowadays that I used to it. Mostly because while overall use of XP is down, the stuff that is still running it tends to be of a much higher value. Pretty much the only things on XP nowadays are going to be machines where there is a damn good reason it is still needed. Like those niche machines where the company would lose buckets of money if the machine no longer functioned, but would cost even more money to migrate.

The most common systems I've seen are those niche manufacturing systems (which would have very valuable designs and schematics on them), control systems for really expensive equipment (that tends to also produce very valuable medical records), embedded management OS for old EMC SANs (which are likely supporting some old, but mission-critical software), there are still a lot of ATMs / voting machines / kiosk systems that use it too.

Crazy Operations Guy

Re: So many systems

Yeah, a lot of cities will either consolidate into a central "Information Services" group that handles IT for everyone. A lot of times this is run by an outside Manged Services Provider or something. I've also seen some municipalities where one group will get a massive grant, build out a bunch of IT equipment with the money, then rent out excess capacity to other agencies.

This is almost always done for cost-savings rather than the benefits of consolidation. Usually one of the first things to go it backups and monitoring software. This results in all eggs/one flimsy basket scenario which is ripe for RansomWare.

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Crazy Operations Guy

Re: So let's look at this again (again).

His computer was infected as well. Apparently at some point, he disabled the antivirus on his computer so he can install a key-gen for Microsoft Office, then when he turn his AV back on, it rightfully reported that he was infected with several bits of malware and some stuff that looked a lot like malware it hadn't seen before (The NSA exploit code). Since it hadn't seen it, the data was uploaded to Kaspersky's servers for further analysis (So it can be determined if it really is malware and so a definition can be made to detect it in the future and for other users).

So, more of:

Man takes classified spyware home

Disables antivirus because it was preventing him form running virus-riddled code

Run code, machine gets infected

Man turns Antivirus back on, it detects the infection and suspicious code as well

AV attempts to clean the malware it knows about

AV uploads suspicious code it never encountered before for analysis

Really, the only thing Kaspersky is guilty of is trying to protect other users from some unknown bit of malware.

WLinux brings a custom Windows Subsystem for Linux experience to the Microsoft Store

Crazy Operations Guy

The only use I can think of:

The only use for this that I can think of would be to start tinkering around with Linux equivalents of Windows-only software until ether the code or the user are good enough to just use straight Linux (Or at least Linux + Wine).

So really, pretty much a reverse Wine (LINE?). So pretty much use the subsystem as the first step to transition, then when more than 50% of time is spent with applications running under emulated Linux, then its time to go to a Linux base with Wine to run the remaining Windows-only crud, then slowly go to a pure Linux.

How an over-zealous yank took down the trading floor of a US bank

Crazy Operations Guy

Ah, the early Sun days

I remember those days where there desktop machines were really just mainframes / mini-computers that were trimmed down with the standard TTY and printer were replaced with a video controller and a keyboard. They'd go all weird weird when one of those wasn't working because the system never expected those things to not be available (what with them supposed to be soldered on...).

I also remember some of the models that tried to be smart and if a keyboard and/or monitor was missing at boot, the system assumed you are wanting to use Serial 0 as the console. So if you accidentally knocked out the keyboard at boot, the system would work just fine (OS would boot, daemons would start and begin doing their thing, etc), but nothing would be displayed on the console, nor would keyboard input do anything (Since the keyboard input is now routed to TTY1, but TTY0 is attached to the kernel).

A lot of it was just really teething issues and programmers needing to unlearn a bunch of assumptions from before the beginning of the transition from computers having their own rooms to them being out in the office.

The curious sudden rise of free US election 'net security guardians

Crazy Operations Guy

Re: So

The two-factor authentication scam had victims register with the scam's website (Purporting to be the IRS / FBI / ICE / etc). As part of registration, it used a legitimate two-factor authentication system and asked to 'help secure your account' to lend the scam credence. The scams were fairly similar, tey'd start with "You are being investigated by <agency>, log into <website> and register with case <number> to respond to the accusations and view your case file" then when they register, they are asked to add enable two-factor-authentication 'for their protection'. The scam would then keep going on and on asking for more and more money for 'processing fees' and 'filing fees' and 'fines'. Pretty much a standard 419 scam except rather than a Nigerian Prince, it is a Federal Agent and instead of money they promise, its either not being arrested or deported.

For the Israeli certificate on a fake Saudi Arabian bank website it was a matter of a fake website that used all the logos of the real one, but the URL was slightly wrong (in this case used an 'n' instead of an 'r' in the url). The website even had an EV certificate that used the correct name of the bank i the verified owner, and for all intents and purposes looked like the real bank's website. The thing even functioned just like the real bank (Every action was 'passed through' to the real bank's website). The thing that really tipped me off was that the EV certificate was signed by a certificate authority based out of Israel and has a history of working with Mossad, western intelligence agencies and malware mercenaries like the Equation Group.

Crazy Operations Guy

Re: Not digging deeply myself, I wonder how much of your supposed privacy you need to give up

Call me paranoid, but I am so very worried about the amount of data that social media services are collecting especially when no one has really done anything to get rid of the whole FISC and their unconstitutional National Security Letters. I mean, at this point Facebook and their ilk have compiled a nice juicy database that contains our real names, locations, friends, religious beliefs, sexual orientations, nationalities, citizenship status, political position, etc (A lot of this isn't directly asked, but can be gleaned simply from the things people post). I am afraid of the day that the administration decides to just issue an NSL for that data, then use it to build their lists of 'undesirables'.

Due to the nature of NSLs, they may already have such a list and there is no way for us to know about it. And that frightens me more than anything ever could.

Crazy Operations Guy

Re: So

Yup, like I've been seeing quite a few phishing websites with Extended Verification Certificates, but are otherwise amateurish copies of the real things. But people trust them anyway because the bar at the top of the browser is green.

I've noticed that a couple of these phishing sites are using certificates issued by CAs that are either government-run or are suspiciously friendly to governments. Like the other day I noticed a phishing website purporting to be a fairly large Saudi bank held a certificate issued by an Israeli CA. Or an Indian bank that was using a Pakistani-issued certificate.

I've also seen password stealing pages that use captchas, scams that require two-factor authentication, and many other nasties that take advantage of security mechanism to appear legitimate.

You're alone in a room with the Windows 10 out-of-the-box apps. What do you do?

Crazy Operations Guy

Re: Wordpad

Except Wordpad is a piece of shit when you want to work with files that have lines longer than however many would fit into about 7 inches of printed space.

Intentionally reading a log file in wordpad should be considered a cry for help...

Crazy Operations Guy

Re: If you found yourself in charge of the in-box Windows 10 apps, what would you do with them?

" Or check myself into Bellevue for a long stretch..."

I should point out that Bellevue is also the name of a city in Washington State that is host to several Microsoft offices...

Crazy Operations Guy

Re: Blockpad as a service

Can't forget the requisite shoehorning of Cortana into it.

Crazy Operations Guy

"When in the history of computing hasn't a system come with a basic text editor ?"

RHEL 7 when you install using the 'minimal' option. Comes with a web server, but doesn't have nano, emacs, vim, vi, and even lacks ed. Fortunately it does have grep, sed, cat, and echo. RHEL has abandoned the command line and now expects you use the GUI for everything (Seriously, fuck you NetworkManager)

No, that Sunspot Solar Observatory didn't see aliens. It's far more grim

Crazy Operations Guy

Porbably not just down due to the FBI

I'm thinking that they shut everything down not to arrest the guy, but to clean up the network and verify that everything is clean. He was on their network, and child porn tends to come paired with more than a few malware nasties (or at least in my experience of cleaning up networks that had been used by pedos to share their materials).

Two weeks does sound about right for how long it would take for the Feds to take what they need, and for an IT team to come in to quarantine the network, re-image everything that can be re-imaged, and do thorough scans on things that can't, and then replace any equipment that the feds took for their investigation.

Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once

Crazy Operations Guy

Stop using passwords

Passwords are useful for authenticating user-computer interactions, but suck otherwise. But what machines are good at is certificates. With IoT devices, I figure the much easier way of doing things would be to have each device posses its own certificate signed by the controlling entity and authenticate by requiring a certificate signed by the same entity to communicate with it. To get the whole thing going in the first place, it could just have a USB port on it for initial configuration and only after configuring it does it turn on its network interfaces.

Big Cable tells US government: Now's not the time to talk about internet speeds – just give us the money

Crazy Operations Guy

" the most technologically advanced nation on the planet"

I'm confused, isn't this article about the United States?

Patch for EE's 4G Wi-Fi mini modem nails local privilege escalation flaw

Crazy Operations Guy

You don't need to leave it in a public place, this flaw could be exploited by someone that is normally allowed to use the machine, but not trusted with anything more than guest access rights. Like, say a work laptop. The dongle doesn't even have to be installed, just the driver software, so not out of the realm of possibility for the software to be installed as part of a corporate-standard image, in which case all of them would be exploitable.

The problem is that they set the driver's directory to give full permissions to the 'everyone' group, this even applies to the service executable, which runs at a security level that not even an enterprise admin has when logged in. (Essentially they set it to 777 and configured the daemon to run as root).

Really, the only thing you need to do is run cp <Malicious executable> C:\Program Files (x86)\Web Connecton\BackgroundService.exe as anyone who can access the system, and now you have unfettered access to the entire system at next boot. Hell, this could even be embedded into a simple autorun script.

Crazy Operations Guy

"a minor security issue"

If a trivial flaw that allows anyone to run code with kernel-level permissions is a 'minor issue', I have to wonder what they'd consider 'major'. Like, what, does it have to somehow spawn arms and stab the user to death before burning down their house?

Who ate all the PII? Not the blockchain, thankfully

Crazy Operations Guy

Except now, you'll be able to browse a 100 TB file 30 years from now and still see that a 3rd party had signed a message from some rando to some other rando.

Crazy Operations Guy

Re: Blockchain ? Oh yeah, that thing that keeps growing and growing and ...

See, with the block chain now everyone can waste their disk space on undeletable data rather than just one entity that has the capability of pruning it over time.

The concept of verifying the veracity of the information recorded in a block chain is only possible if we know what generates that data in the first place and can trust it to write the correct data. The blockchain can really only provide proof that a certain piece of data had been written to it, not that the data itself is correct in any way.

'Men only' job ad posts land Facebook in boiling hot water with ACLU

Crazy Operations Guy

Re: Lookalike Targeting

"On the other hand, a cohesive group will not get into shouting matches/get torn apart about divisive subjects."

I've found that the more homogeneous a group is, the more they are going to fight about trivial bullshit and fright more intensely. Like when you bring up bracket styles in development chat rooms / mailing lists and they'll be an inch away from stabbing someone over whether the function closing bracket gets its own line or not.

Crazy Operations Guy

Re: Companies probably aren't doing this to discriminate

They are suing Facebook in addition to the organizations posting the job ads specifically for that reason. Facebook's pricing model for posting job opportunities is incentivizing posted to discriminate. The ACLU's goal here is to get Facebook to either A) eliminate the option of targeting jobs ads specifically to people based on their immutable characteristics or B) remove any cost difference between selecting one option versus two or more options.

Biz! Formerly! Known! As! Yahoo! Settles! Data! Breach! Cases! To! The! Tune! Of! $47m!

Crazy Operations Guy

Re: 47 mil? not enough

I've worked with many clients that will just pay the fine each time rather than actually fixing anything.

One insurance client was particularly egregious about it. They split the company into 3 pieces: The top organization the name, equipment, liabilities for underwriting policies, etc. A middle, regional layer that held the actual customer data. Then the bottom layer was the 'independent clubs' that actually interacted with the customer and handled the day-to-day stuff. The local 'clubs' would license logos and trademarked items from the upper company then contract through the middle layer for IT services and resell the middle company's insurance policies (underwritten by the top org).

It was designed this way so that the middle organization could be run as cheaply as possible and just pay fines for not complying with SOx, PCI/DSS, etc until they got shut down by the Feds. At that point they company would be liquidated, and assets (insurance polices, customer data) sold to a new organization that has just started up the day before and be staffed by all the former workers of the old company using the same equipment and same buildings as before. So essentially, they just change the logos and slightly change the name of the middle organization, and since the clubs are using the upper company's name and logos, no one outside the scheme even notice this change. So they get to keep on making massive profits while not doing a damned thing to actually protect customer data.

Biting the hand that feeds IT © 1998–2019