* Posts by Cronus

88 posts • joined 4 May 2010


Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

Cronus
Happy

And this is why I've switched to Firefox (actually I switched when they announced they were gimping the network APIs for addons and removing the https indicator from URLs; this is just yet another nail in the coffin).

LibreOffice handlers defend suite's security after 'unfortunately partial' patch

Cronus

It just occurred to me that the point you were making is that it can't be "exactly as this is done for a company like Microsoft." because then there'd be hundreds of vulns. In which case, you are indeed correct.

Cronus

Just because you have a group that handles security doesn't mean you'll never have security issues in live code. Bugs happen, no matter how careful you are.

Also, I just checked and the first statement is also true -- https://blog.documentfoundation.org/blog/2018/07/25/how-libreoffices-quality-has-improved-thanks-to-automated-tools-and-the-volunteer-contribution-of-security-specialists/

Relevant excerpt:

“The combination of Coverity Scan, Google OSS-Fuzz and dedicated fuzzing by security specialists at Forcepoint has allowed us to catch bugs – which could have turned into security issues – before a release,” says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.

Can't dance? That's no excuse. Let a robot do it for you at this 'forced exoskeleton rave'

Cronus

When I saw this all I could think of was that scene in Iron Man where the military tries to create their own version and Tony shows the footage of that robot spinning 180 degrees with a guy inside it...

Can't quite cram a working AI onto a $1 2KB microcontroller? Just get a PC to do it

Cronus

Training is a much more computationally expensive operation than inference. Once you have a trained model, getting output given some input is trivially cheap and fast in comparison.

Legacy app whitelist can be abused to bypass latest macOS security defenses, expert warns

Cronus

It's certainly a hole but I'm not sure how you'd work around this without breaking legacy apps. Presumably not breaking legacy apps includes not breaking popular plugins that might have legitimate reasons to access restricted resources.

DRAM, that's cold: Overclockers squeeze out extra Micron DDR4 performance with liquid nitrogen system

This post has been deleted by a moderator

Guess who's addicted to GitHub, busy on Slack, stuck in 2015? No, not another hipster: It's the Slub backdoor malware

Cronus
Facepalm

It's interesting that such a professional and targeted attack would use such old exploits to infect its victims. That it was successful at all is yet another sad reminder of how piss-poor non-technical users' patching processes are.

I hate the way Windows 10 forcibly updates itself but in the grand scheme of things it's probably doing more good than harm if attacks like these can succeed due to lack of patching.

Microsoft flings the Windows Calculator source at GitHub

Cronus

Windows 10 only, eh, I'll pass.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

Cronus

Avoiding writing malware to disk is not a new idea. An approach (admittedly for Unix/Linux systems) is in fact described in this Phrack article from 2004 — http://phrack.org/issues/62/8.html

Bun fight breaks out after devs, techie jump ship: Bakery biz Panera sues its former IT crowd

Cronus

I don't get the dig about McDonald's digital ordering system. I've certainly never had a problem with it and it beats waiting in a queue.

RIP, RDP... nearly: Security house Check Point punches holes in remote desktop tools

Cronus

I saw mention of a number of vulns in the Microsoft client but none of them seemed to be remote execution. Which is almost a shame really, think of all the fun you could have with remote 'Microsoft' support people who are calling to remove a virus from your PC.

Cronus

Re: Remote Desktop Protocol you say ?

You disable the client? Because that is what the article is about, not the server.

Cronus

So the Microsoft client doesn't have any serious (RCE and the like) vulnerabilities but the Linux clients do?

Court orders moribund ZX Spectrum reboot firm's directors to stump up £38k legal costs bill

Cronus

Re: Two words for you ...

More like, "Never again"

Western Digital deploys heatsink on remodelled M.2 to tempt gamers

Cronus

I'd have thought this would be of more interest to people working with video editing where disk operations are quite intensive over long periods of time. I would hope that video games are better optimised than to need to constantly access the disk.

Poland may consider Huawei ban amid 'spy' arrests – reports

Cronus
Joke

About time. Polish manufactured devices for spying on the Polish people, not Chinese devices!

Wanted – have you seen this MAC address: f8:e0:79:af:57:eb? German cops appeal for logs in bomb probe

Cronus

Re: Technical Details

As per the article the blackmailer doesn't appear to have been using a randomised MAC address.

Also, everybody suggesting that they should just destroy/dispose of the device with said MAC address is probably missing a trick too. The police aren't just looking for someone whose device has that MAC address; they want logs indicating when and where the device with that MAC address has been.

With both date and location they can then look through existing CCTV footage in those areas and apply a process of elimination to whittle down the list of people who are present in all/most of the CCTV footage. The blackmailer is likely to be in most if not all of them but random people who happened to be in the area at the time are less likely to appear in all the footage.

This is the final straw, evil Microsoft. Making private GitHub repos free? You've gone too far

Cronus

As ever

If you're not paying for the product, you are the product.

Pork pulled: Plug jerked out of beacon of bacon delight

Cronus

Just looks like a normal vending machine to me, albeit one with packets of bacon-based products inside.

Scumbags cram Make-A-Wish website with coin-mining malware

Cronus

There's a lot of moralising going on in this article as though the attacker in question specifically singled this site out knowing full-well it was a charity for seriously ill children when in reality it's likely the entire thing was largely automated. The only thing they'd really care about is that it's vulnerable and it has high traffic.

This is quite literally one of those 'think of the children' type articles you normally make fun of. Quite disappointing really.

Micron's Chinese DRAM antagonist hit with US export boycott

Cronus

Is there anything these guys won't play the national security card for?

Watt the heck is this? A 32-core 3.3GHz Arm server CPU shipping? Yes, says Ampere

Cronus

...but does it suffer from Spectre et al?

SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported

Cronus

Seems to be available again https://www.youtube.com/watch?v=BYEbhDXgElQ

US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old

Cronus

The real news of course is the stuff the adults did. The 11-year-olds hacking websites set up as replicas really doesn't show anything beyond that kids can hack poorly secured web servers. It's not actually got anything to do with the voting results because they're just replicas, no doubt with intentionally not-very-hard-to-exploit bugs.

Hacked serverless functions are a crypto-gold mine for miscreants

Cronus

I don't get how a SQL injection flaw could open the door to Crypto mining. What am I missing here?

Developers dread Visual Basic 6, IBM Db2, SharePoint - survey

Cronus

If you're part of the majority already, why would you care about diversity? It doesn't really affect you. I always find aggregate stats like these a bit pointless anyway.

BBC Telly Tax heavies got pat on the head from snoopers' overseers

Cronus

Paying for a license is optional

The only TV I own is an old-fashioned CRT monitor that can't receive live TV without at least a Freeview box, which I use to play retro console games (bought it mainly so I could use the old light guns).

I don't watch live TV of any kind and especially not the BBC and I never will. Those who find the content worth watching can of course pay the license whilst grumbling about it. I chose to vote with my wallet.

User dialled his PC into a permanent state of 'Brown Alert'

Cronus

At the last place I worked a colleague and I used to play pranks on each other. One night after everyone had gone home I unplugged his keyboard and mouse from the back of his Mac (dirty front-end developer) and did the same to his nearest co-worker, then plugged his into his co-worker's Mac and his co-worker's into his Mac. I wasn't in the next day but apparently it took them about half an hour before they figured out what had happened.

Healthcare insurance cheat-bot bros Zenefits cough up $1m to make SEC probe go away

Cronus
Facepalm

If only I were that rich, I could break the law and get away with it too...

What is the probability of being drunk at work and also being tested? Let's find out! Correctly

Cronus
FAIL

Re: Precision

I'm confused by your comment.

Firstly, your calculation looks wrong to me; it should be (248/260) * (247/259), which comes out to 0.909652, which rounded to two decimal places is indeed 0.91.

Lastly, when I read the author saying it was 0.91 with greater precision I naturally assumed he meant with all calculations up to that point using greater precision. I don't know how else you could read it since he obviously isn't adding extra precision to the result of 0.95 * 0.95.

Latest Linux kernel release candidate was a sticky mess

Cronus

You're right but we standardize when we do for good reason so there's definitely a limit to the value of diversity.

Compsci degrees aren't returning on investment for coders – research

Cronus

Re: More!

All well and good if you can get a job without the degree but when I went to uni to get my degree it was because no bugger would even invite me to interview without one.

.UK domains left at risk of theft in Enom blunder

Cronus
FAIL

No doubt they'll claim that there's no evidence that this has been exploited in the wild. Which of course will be true as they weren't bloody logging anything!

Ex-Harrods IT worker pleads guilty to PC repair shop trip

Cronus

Guess I'm naive but I wouldn't have expected removing a computer from a domain to constitute a crime.

How does Apple chief Tim Cook's package look now? Like $89m

Cronus

Re: The continuing myth of trickle down

I'm no fan of the mega-rich greedy corporate types but I have to wonder, in the trickle up system, what exactly do you do once it's all trickled up to the corporate types again? Do you just keep giving it away? That doesn't seem very workable.

If there's a hole in your S3 bucket, data thieves will be sprayed by Macie

Cronus

Mixed opinion

Sounds interesting, I can definitely see a use for this to track rogue employees and the like. Though on the downside, I suppose, it could make life difficult for whistleblowers too.

In terms of unsecured S3 buckets being breached though, I'm not so sure. Putting aside the fact that companies that tend to have S3 leaks aren't the kind of companies that would make use of this, it does kinda feel like an automated tool for closing the stable door after the horse has bolted.

Got that syncing feeling? Cloud's client-side email problem

Cronus

Why the hate?

Star Trek: TNG was great; Microsoft could only dream of having something so good.

Uber, Twitter's legal eagles gather to wring claws about bro culture

Cronus

Re: where we can’t operate with integrity

and here I was thinking it was Twitter's users that spread fake news.

UK regulator set to ban ads depicting bumbling manchildren

Cronus

About bloody time. That is all.

Western Digital wins California court skirmish against Toshiba

Cronus

Re: Call me petty but...

Your analogy falls down in a few places:

1) Toshiba aren't trying to kick WDC out of the JV. They'd just have new 'house-mates'.

2) Toshiba would probably have been fairly happy to sell to WDC if WDC could afford to pay a fair price, but as has been reported on a few occasions now, they're too leveraged to make a decent bid.

3) Not related to WDC/Toshiba but I have a friend whose dad is forcing their mother to sell the house so apparently that's perfectly legal.

Cronus

Call me petty but...

I won't be buying any WDC products in future given how they're acting at present.

Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'

Cronus

Re: Bah!

They didn't know the second factor, as per the article:

"This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that"

The bloke behind Star Fox is building a blockchain based casino. No, really

Cronus

I fail to see how this stops the anecdote mentioned in the article. How can using blockchain stop admins from looking at players' cards etc.?

Snoop Dogg swerves Glasto, plays Pure Storage gig #keepitreal

Cronus
FAIL

Snoop needs a better agent.

Labour says it will vote against DUP's proposed TV Licence reforms

Cronus

I never thought I'd support one of the DUP's policies but hey, waddya know.

Kali Linux can now use cloud GPUs for password-cracking

Cronus

The bar has been raised again

It's cool that they've added decent support for taking advantage of the GPU-oriented instances in AWS. That said, AWS have just announced that they're going to provide instances with dedicated Xilinx FPGAs connected to them (https://aws.amazon.com/about-aws/whats-new/2017/04/amazon-ec2-f1-instances-customizable-fpgas-for-hardware-acceleration-are-now-generally-available/).

I know before it went to ASICs people used to mine bitcoin using FPGAs, so I'd say it's a fair bet you could get some pretty serious hashes/sec out of that for password cracking. Not sure it'd work well against things like bcrypt, but it would probably be great against SHA-X.

Have we got a new, hip compound IT phrase for you! Enter... UserDev

Cronus

Whilst listening to the customer, and especially letting them loose on the system to find faults and inefficiencies, is a good idea, I'm not sure letting them seriously influence the design is. You might end up with this https://i.ytimg.com/vi/Pw9gaEiQAxY/hqdefault.jpg

Hackers cook god-mode remote exploits against Edge, VMware in world-first

Cronus
Meh

A bit harsh

It's a bit harsh that they released security patches just before the event? Is that a common thing?

Freeze ...SCADA! Flaw lets hackers peel away Human Machine Interface

Cronus

Nitpicking but..

Is it really a DDoS? It doesn't sound like it requires a distributed attack since the vulnerability is about creating a high-resource-usage scenario which can likely be accomplished by just the one remote attacker.


Biting the hand that feeds IT © 1998–2019