* Posts by Cronus

88 posts • joined 4 May 2010


Google to bury indicator for Extended Validation certs in Chrome because users barely took notice


And this is why I've switched to Firefox (actually I switched when they announced they were gimping the network APIs for addons and removing the https indicator from URLs; this is just yet another nail in the coffin).

LibreOffice handlers defend suite's security after 'unfortunately partial' patch


It just occurred to me that the point you were making is that it can't be "exactly as this is done for a company like Microsoft" because then there'd be hundreds of vulns. In which case, you are indeed correct.


Just because you have a group that handles security doesn't mean you'll never have security issues in live code. Bugs happen, no matter how careful you are.

Also I just checked and the first statement is also true -- https://blog.documentfoundation.org/blog/2018/07/25/how-libreoffices-quality-has-improved-thanks-to-automated-tools-and-the-volunteer-contribution-of-security-specialists/

Relevant excerpt:

“The combination of Coverity Scan, Google OSS-Fuzz and dedicated fuzzing by security specialists at Forcepoint has allowed us to catch bugs – which could have turned into security issues – before a release,” says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.

Can't dance? That's no excuse. Let a robot do it for you at this 'forced exoskeleton rave'


When I saw this all I could think of was that scene in Iron Man where the military tries to create their own version and Tony shows the footage of that robot spinning 180 degrees with a guy inside it...

Can't quite cram a working AI onto a $1 2KB microcontroller? Just get a PC to do it


Training is a much more computationally expensive operation than inference. Once you have a trained model, getting output given some input is trivially cheap and fast in comparison.

Legacy app whitelist can be abused to bypass latest macOS security defenses, expert warns


It's certainly a hole but I'm not sure how you'd work around this without breaking legacy apps. Presumably not breaking legacy apps includes not breaking popular plugins that might have legitimate reasons to access restricted resources.

DRAM, that's cold: Overclockers squeeze out extra Micron DDR4 performance with liquid nitrogen system

This post has been deleted by a moderator

Guess who's addicted to GitHub, busy on Slack, stuck in 2015? No, not another hipster: It's the Slub backdoor malware


It's interesting that such a professional and targeted attack would use such old exploits to infect its victims. That it was successful at all is yet another sad reminder of how piss-poor non-technical users' patching processes are.

I hate the way Windows 10 forcibly updates itself but in the grand scheme of things it's probably doing more good than harm if attacks like these can succeed due to lack of patching.

Microsoft flings the Windows Calculator source at GitHub


Windows 10 only, eh, I'll pass.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints


Avoiding writing malware to disk is not a new idea. An approach (admittedly for Unix/Linux systems) is in fact described in this Phrack article from 2004 — http://phrack.org/issues/62/8.html

Bun fight breaks out after devs, techie jump ship: Bakery biz Panera sues its former IT crowd


I don't get the dig about McDonald's digital ordering system. I've certainly never had a problem with it and it beats waiting in a queue.

RIP, RDP... nearly: Security house Check Point punches holes in remote desktop tools


I saw mention of a number of vulns in the Microsoft client but none of them seemed to be remote execution. Which is almost a shame really, think of all the fun you could have with remote 'Microsoft' support people who are calling to remove a virus from your PC.


Re: Remote Desktop Protocol you say ?

You disable the client? Because that is what the article is about, not the server.


So the Microsoft client doesn't have any serious (RCE and the like) vulnerabilities but the Linux clients do?

Court orders moribund ZX Spectrum reboot firm's directors to stump up £38k legal costs bill


Re: Two words for you ...

More like, "Never again"

Western Digital deploys heatsink on remodelled M.2 to tempt gamers


I'd have thought this would be of more interest to people working with video editing where disk operations are quite intensive over long periods of time. I would hope that video games are better optimised than to need to constantly access the disk.

Poland may consider Huawei ban amid 'spy' arrests – reports


About time. Polish manufactured devices for spying on the Polish people, not Chinese devices!

Wanted – have you seen this MAC address: f8:e0:79:af:57:eb? German cops appeal for logs in bomb probe


Re: Technical Details

As per the article the blackmailer doesn't appear to have been using a randomised MAC address.

Also everybody suggesting that they should just destroy/dispose of the device with said MAC address is probably missing a trick also. The police aren't just looking for someone whose device has that MAC address; they want logs indicating when and where the device with that MAC address has been.

With both date and location they can then look through existing CCTV footage in those areas and apply a process of elimination to whittle down the list of people who are present in all/most of the CCTV footage. The blackmailer is likely to be in most if not all of them but random people who happened to be in the area at the time are less likely to appear in all the footage.

This is the final straw, evil Microsoft. Making private GitHub repos free? You've gone too far


As ever

If you're not paying for the product, you are the product.

Pork pulled: Plug jerked out of beacon of bacon delight


Just looks like a normal vending machine to me, albeit one with packets of bacon-based products inside.

Scumbags cram Make-A-Wish website with coin-mining malware


There's a lot of moralising going on in this article as though the attacker in question specifically singled this site out knowing full well it was a charity for seriously ill children, when in reality it's likely the entire thing was largely automated. The only thing they'd really care about is that it's vulnerable and it has high traffic.

This is quite literally one of those 'think of the children' type articles you normally make fun of. Quite disappointing really.

Micron's Chinese DRAM antagonist hit with US export boycott


Is there anything these guys won't play the national security card for?

Watt the heck is this? A 32-core 3.3GHz Arm server CPU shipping? Yes, says Ampere


...but does it suffer from Spectre et al?

SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported


Seems to be available again https://www.youtube.com/watch?v=BYEbhDXgElQ

US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old


The real news of course is the stuff the adults did. The 11-year-olds hacking websites set up as replicas really doesn't show anything beyond kids being able to hack poorly secured web servers. It's not actually got anything to do with the voting results because they're just replicas, no doubt with intentionally not-very-hard-to-exploit bugs.

Hacked serverless functions are a crypto-gold mine for miscreants


I don't get how a SQL injection flaw could open the door to Crypto mining. What am I missing here?

Developers dread Visual Basic 6, IBM Db2, SharePoint - survey


If you're part of the majority already, why would you care about diversity? It doesn't really affect you. I always find aggregate stats like these a bit pointless anyway.

BBC Telly Tax heavies got pat on the head from snoopers' overseers


Paying for a license is optional

The only TV I own is an old fashioned CRT monitor that can't receive live TV without at least a freeview box that I use to play retro console games (bought it mainly so I could use the old light guns)

I don't watch live TV of any kind and especially not the BBC and I never will. Those who find the content worth watching can of course pay the license whilst grumbling about it. I chose to vote with my wallet.

User dialled his PC into a permanent state of 'Brown Alert'


At the last place I worked a colleague and I used to play pranks on each other. One night after everyone had gone home I unplugged his keyboard and mouse from the back of his Mac (dirty front-end developer) and did the same to his nearest co-worker's, then plugged his into his co-worker's Mac and his co-worker's into his Mac. I wasn't in the next day but apparently it took them about half an hour before they figured out what had happened.

Healthcare insurance cheat-bot bros Zenefits cough up $1m to make SEC probe go away


If only I were that rich, I could break the law and get away with it too...

What is the probability of being drunk at work and also being tested? Let's find out! Correctly


Re: Precision

I'm confused by your comment.

Firstly, your calculation looks wrong to me; it should be (248/260) * (247/259), which comes out to 0.909652, which rounded to two decimal places is indeed 0.91.

Lastly, when I read the author saying it was 0.91 with greater precision I naturally assumed he meant with all calculations up to that point using greater precision. I don't know how else you could read it since he obviously isn't adding extra precision to the result of 0.95 * 0.95.

Latest Linux kernel release candidate was a sticky mess


You're right but we standardize when we do for good reason so there's definitely a limit to the value of diversity.

Compsci degrees aren't returning on investment for coders – research


Re: More!

All well and good if you can get a job without the degree but when I went to uni to get my degree it was because no bugger would even invite me to interview without one.

.UK domains left at risk of theft in Enom blunder


No doubt they'll claim that there's no evidence that this has been exploited in the wild. Which of course will be true as they weren't bloody logging anything!

Ex-Harrods IT worker pleads guilty to PC repair shop trip


Guess I'm naive but I wouldn't have expected removing a computer from a domain to constitute a crime.

How does Apple chief Tim Cook's package look now? Like $89m


Re: The continuing myth of trickle down

I'm no fan of the mega-rich greedy corporate types but I have to wonder, in the trickle up system, what exactly do you do once it's all trickled up to the corporate types again? Do you just keep giving it away? That doesn't seem very workable.

If there's a hole in your S3 bucket, data thieves will be sprayed by Macie


Mixed opinion

Sounds interesting, I can definitely see a use for this to track rogue employees and the like. Though on the downside, I suppose, it could make life difficult for whistleblowers too.

In terms of unsecured S3 buckets being breached though, I'm not so sure. Putting aside the fact that companies that tend to have S3 leaks aren't the kind of companies that would make use of this, it does kinda feel like an automated tool for closing the stable door after the horse has bolted.

Got that syncing feeling? Cloud's client-side email problem


Why the hate?

Star Trek: TNG was great; Microsoft could only dream of having something so good.

Uber, Twitter's legal eagles gather to wring claws about bro culture


Re: where we can’t operate with integrity

And here I was thinking it was Twitter's users that spread fake news.

UK regulator set to ban ads depicting bumbling manchildren


About bloody time. That is all.

Western Digital wins California court skirmish against Toshiba


Re: Call me petty but...

Your analogy falls down in a few places:

1) Toshiba aren't trying to kick WDC out of the JV. They'd just have new 'house-mates'

2) Toshiba would probably have been fairly happy to sell to WDC if WDC could afford to pay a fair price but as has been reported on a few occasions now, they're too leveraged to make a decent bid

3) Not related to WDC/Toshiba but I have a friend whose dad is forcing their mother to sell the house so apparently that's perfectly legal.


Call me petty but...

I won't be buying any WDC products in future given how they're acting at present.

Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'


Re: Bah!

They didn't know the second factor, as per the article:

"This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that"

The bloke behind Star Fox is building a blockchain based casino. No, really


I fail to see how this stops the anecdote mentioned in the article. How can using blockchain stop admins from looking at players' cards etc?

Snoop Dogg swerves Glasto, plays Pure Storage gig #keepitreal


Snoop needs a better agent.

Labour says it will vote against DUP's proposed TV Licence reforms


I never thought I'd support one of the DUP's policies but hey, waddya know.

Kali Linux can now use cloud GPUs for password-cracking


The bar has been raised again

It's cool that they've added decent support for taking advantage of the GPU oriented instances in AWS. That said, AWS have just announced that they're going to provide instances with dedicated Xilinx FPGAs connected to them (https://aws.amazon.com/about-aws/whats-new/2017/04/amazon-ec2-f1-instances-customizable-fpgas-for-hardware-acceleration-are-now-generally-available/).

I know that before it went to ASICs people used to mine bitcoin using FPGAs, so I'd say it's a fair bet you could get some pretty serious hashes/sec out of that for password cracking. Not sure it'd work well against things like bcrypt but it would probably be great against SHA-X.
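The comment's point, that cheap GPU/FPGA hashing hurts bare SHA-style password hashes far more than bcrypt-style adaptive ones, is something a defender can act on by auditing what a credential store actually contains. The following is an added example, not code from the comment, from Kali or from any project mentioned above: it parses stored hash strings, recognises common formats (bcrypt, PBKDF2 in Django-style notation, argon2, sha256/sha512-crypt, and bare hex digests), and flags rows that use a fast unsalted digest or an adaptive hash with a low cost parameter. The sample hashes and the minimum-cost thresholds (`MIN_BCRYPT_COST`, `MIN_PBKDF2_ITERATIONS`, `MIN_SHACRYPT_ROUNDS`) are constructed for this example and are assumptions, not values from the page or from any standard.

```python
import hashlib
import re

# Thresholds are assumptions chosen for this example; tune them to your own policy.
MIN_BCRYPT_COST = 10          # bcrypt cost is log2 of the iteration count
MIN_PBKDF2_ITERATIONS = 100_000
MIN_SHACRYPT_ROUNDS = 5000    # glibc's default rounds for $5$/$6$ when none is given

# Recognisers for the stored-hash formats this audit understands.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
PBKDF2_RE = re.compile(r"^pbkdf2_(sha1|sha256|sha512)\$(\d+)\$[^$]+\$[^$]+$")
ARGON2_RE = re.compile(r"^\$argon2(id|i|d)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$[^$]+\$[^$]+$")
SHACRYPT_RE = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?[^$]+\$[^$]+$")
# 32/40/64/128 hex chars: the digest lengths of MD5, SHA-1, SHA-256 and SHA-512.
BARE_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})$")


def classify(stored):
    """Return (scheme, verdict) for one stored hash string.

    verdict is one of: 'ok', 'weak-params' (adaptive hash with a low cost),
    'fast-hash' (bare digest, cheap to brute-force on GPU/FPGA) or 'unknown'.
    """
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return "bcrypt", "ok" if cost >= MIN_BCRYPT_COST else "weak-params"
    m = PBKDF2_RE.match(stored)
    if m:
        iterations = int(m.group(2))
        verdict = "ok" if iterations >= MIN_PBKDF2_ITERATIONS else "weak-params"
        return "pbkdf2_" + m.group(1), verdict
    m = ARGON2_RE.match(stored)
    if m:
        # argon2 is memory-hard; this example accepts any parameters it can parse.
        return "argon2" + m.group(1), "ok"
    m = SHACRYPT_RE.match(stored)
    if m:
        rounds = int(m.group(2)) if m.group(2) else MIN_SHACRYPT_ROUNDS
        scheme = "sha512-crypt" if m.group(1) == "6" else "sha256-crypt"
        return scheme, "ok" if rounds >= MIN_SHACRYPT_ROUNDS else "weak-params"
    if BARE_HEX_RE.match(stored):
        return "bare-digest", "fast-hash"
    return "unknown", "unknown"


def audit(hashes):
    """Summarise a whole table: returns (verdict -> count, list of flagged rows)."""
    counts = {}
    flagged = []
    for idx, stored in enumerate(hashes):
        scheme, verdict = classify(stored)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "ok":
            flagged.append((idx, scheme, verdict))
    return counts, flagged


# Constructed sample rows, as an exported credential table might look.
# Salt and hash bodies are filler; nothing here comes from a real system.
SAMPLE_HASHES = [
    "$2b$12$" + "a" * 22 + "b" * 31,                       # bcrypt, cost 12
    "$2a$04$" + "a" * 22 + "b" * 31,                       # bcrypt, cost 4: too cheap
    hashlib.sha256(b"correct horse").hexdigest(),          # bare SHA-256 digest
    hashlib.md5(b"correct horse").hexdigest(),             # bare MD5 digest
    "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g",  # argon2id
    "pbkdf2_sha256$260000$c2FsdA$aGFzaA",                  # Django-style PBKDF2
    "$6$rounds=5000$saltsalt$hashhash",                    # sha512-crypt
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_HASHES)
    print("verdict counts:", counts)
    for idx, scheme, verdict in flagged:
        print(f"row {idx}: {scheme} -> {verdict}, schedule for rehash on next login")
```

Rows flagged `fast-hash` are the ones the comment is talking about: a single SHA-256 per guess is exactly the workload GPUs and FPGAs pipeline well. The usual remediation is to rehash on the user's next successful login with an adaptive scheme, which is why the audit reports row indices rather than just totals.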

Have we got a new, hip compound IT phrase for you! Enter... UserDev


Whilst listening to the customer, and especially letting them loose on the system to find faults and inefficiencies, is a good idea, I'm not sure letting them seriously influence the design is a good idea. You might end up with this https://i.ytimg.com/vi/Pw9gaEiQAxY/hqdefault.jpg

Hackers cook god-mode remote exploits against Edge, VMware in world-first


A bit harsh

It's a bit harsh that they released security patches just before the event? Is that a common thing?

Freeze ...SCADA! Flaw lets hackers peel away Human Machine Interface


Nitpicking but..

Is it really a DDoS? It doesn't sound like it requires a distributed attack since the vulnerability is about creating a high-resource-usage scenario which can likely be accomplished by just the one remote attacker.


Biting the hand that feeds IT © 1998–2019