* Posts by GnuTzu

176 posts • joined 1 Feb 2015


Baddies of the internet: It's all about dodgy mobile apps, they're so hot right now

GnuTzu
Bronze badge

Re: Really ?

"They even offered me money"

Really? Gotta wonder what all they get out of it: an expectation of an increase in transaction fees--or do they just want a peek into your online world?

2
0

Crims hacked accounts, got phones, resold them – and the Feds reckon they've nabbed 'em

GnuTzu
Bronze badge
WTF?

Question about Impersonation/Spoofing

In brief: Is it possible to intercept calls to a particular number? If not, would it be possible to enforce caller ID in the central office (or whatever the modern equivalent is)?

I was thinking about this this morning. I have some knowledge of old-school telephony and SS7 and have been arguing for some manner of SS7 proxy. But, now I realize that such a proxy would need some way to enforce the association between phone and phone number (which I think would involve some manner of phone identifiers that are cryptographically signed). If there isn't some protected registry of what phone is assigned which number, then don't the COs just trust whatever the phone claims to be--and doesn't that mean I could start taking your calls? If true, that's a serious fundamental problem of hideously stupid proportions--i.e. I'm more dumbfounded than ever.

Does anyone have any insight on this or possibly a link to relevant details?

1
0

How evil JavaScript helps attackers tag possible victims – and gives away their intent

GnuTzu
Bronze badge

Re: Comma Operator

To clarify; it's a question requesting clarification.

The article's description and the initial example seem to pin the definition on some manner of conditional so that the exploit is only invoked for apparent weak users, e.g. those using older browsers, which frankly, is more than just obfuscation.

Yet, the table provided further on includes things that I'm not convinced fit the definition; and if I'm missing something, which is quite possible, then did I miss something about the delineation, or does that table need clarification?

0
0
GnuTzu
Bronze badge

Comma Operator

One thing I've seen in obfuscated code is excessive use of the comma operator. But, does that count as evasion or just obfuscation?

0
0

Funnily enough, no, infosec bods aren't mad keen on W. Virginia's vote-by-phone-app plan

GnuTzu
Bronze badge
Alert

How We Vote

I don't know about other states, but I don't ever remember hearing of citizens getting to vote on how we vote: http://www.fairvote.org/

2
1

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

GnuTzu
Bronze badge

Re: Web-based for what reason??

There are respectable enterprise data analytic products that are web-based. E.G. Splunk. PHP is the bigger worry, as is a lack of interface and web server hardening. The common alternatives that I find myself stuck with on a day-to-day basis include Java and Citrix, the latter being the most unsupportable and horrible to work with.

0
1

Profit-strapped Symantec pulls employee share scheme

GnuTzu
Bronze badge

Re: Past time to leave

Yeah, there's no accounting for the Pareto Principle--at least from a bean-counter perspective. Do they really think they're going to thrive with only the least productive workers remaining? This is surely a sign of a company in decline; time to short sell.

3
0

Web doc iCliniq plugs leaky S3 bucket stuffed full of medical records

GnuTzu
Bronze badge

"far from rare"

I'll spend the rest of the day chuckling over this little understatement. The better way to say it is: "ridiculously common".

0
0

Facebook's security boss is offski. Not to worry, it has 'embedded security' in all divisions

GnuTzu
Bronze badge
Trollface

How Anti-social

Just had to say it.

4
0

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

GnuTzu
Bronze badge

Re: Visa -- Mandate SS7 Proxies

There's got to be a way to prevent spoofing, and it will have to be built into the infrastructure.

4
0

How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

GnuTzu
Bronze badge

Re: Lawyering up

"legal representation of Messrs. N. O'script, P. Badger and U. Block."

Personally, I like using P. Badger and Ghostery in tandem (along with the script blockers), I think they make a great team.

1
0
GnuTzu
Bronze badge

Blocked for an Entire Organization

For the most part, nobody in the organization complains about this. Go figure. But, there was one news site, Forbes, that refused content when detecting blocked ads, and some people actually asked that it be allowed--which we didn't do. Last I checked, Forbes works a little differently now.

How to Fix It:

If you want to use ads to monetize content, it's either going to take an ad network or other vehicle that'll take responsibility for any infections. And, that might take being able to sue those who infect people by using tainted ad providers. But, I'm not holding out for this.

12
0

Another German state plans switch back from Linux to Windows

GnuTzu
Bronze badge
Unhappy

Microsoft Salespeople are like the Priors of the Ori

And, I've seen the damage they can do, tricking acquisitions to buy before doing any feasibility studies or security reviews, thereby disrupting established infrastructure and imposing hidden costs. No band of Linux zealots will ever be able to carry this kind of persuasive force, as found in the professional sales teams of a massive monopolistic tyrant. {Sigh}

14
2

Oh no, what a rough blow: Cosco at a lossco over ransomware tossco

GnuTzu
Bronze badge
Trollface

Nothing Capsized

I wonder if they have security controls for hypothetical hacks appearing in movies.

2
0

Hey you smart, well-paid devs. Stop clicking on those phishing links and bringing in malware muck on your shoes

GnuTzu
Bronze badge
Happy

"Marketers were the most gullible"

Schadenfreude :D

0
0

Want a $200k TIP? ZDI sticks bounties on bugs in big-name server code

GnuTzu
Bronze badge

Re: No hypotheticals

The patent office once started requiring working models to award a patent, if I remember correctly. Of course, that requirement is gone, and you can pretty much patent any concept. Yeah, there needs to be an incentive to overcome lame, and you have to define what constitutes better than lame. Maybe hypotheticals should have a fractional payoff--if you can justify what counts as a worthy hypothetical. These things are never easy.

1
0

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

GnuTzu
Bronze badge
Mushroom

No Lockouts? Really???

Hey, I understand that 2FA has a cost, but aren't lockouts free? Oh, you have to have a mechanism or help desk to get unlocked. Gee, if your company is too poor for that, then a breach will surely bankrupt you.

11
2

Robo-drop: Factory bot biz 'leaks' automakers' secrets onto the web

GnuTzu
Bronze badge
Boffin

rsync port???

Does that mean that the well-known port for the rsync daemon was open--the one that doesn't use encryption? Isn't the usual way to run rsync under ssh, which would require logins, AFAIK?

3
0

Insecure web still too prevalent: Boffins unveil HSTS wall of shame

GnuTzu
Bronze badge
Headmaster

Re: Fearmongering, Uncertainty and Doubt

"governments can just MITM secure sessions"

It requires getting control of trusted CA certs. I suppose they could try and get one of their own listed as trusted, but I think someone would notice.

2
0

Big bad Bluetooth blunder bug battered – check for security fixes

GnuTzu
Bronze badge
FAIL

Re: So who pays for the fix?

"...since before the dinosaurs and nobody found it?"

Too complicated and convoluted is this standard. It's almost as if it was designed to obfuscate bugs and vulns.

3
1

Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

GnuTzu
Bronze badge
Trollface

Voyeur Cam, Self Propelled, Buy One For The Object of Your Affection

Wouldn't that be some marketing campaign, to the delight of stalkers everywhere.

0
0

Why Google won't break a sweat about EU ruling

GnuTzu
Bronze badge
Flame

"Two choices"

Like dumb and dumber. I hate having only two choices.

I would have voted against this whole two-faced system, but then centrists have no direct representation in a political duocracy--and they seem determined to justify their illegitimate control by paring all our choices down to duopolies.

6
0

Brit tech forges alliance to improve cyber security as MPs moan over 'acute scarcity' of experts

GnuTzu
Bronze badge
Trollface

Job Security and Increasing Market Rates -- For All That Weak Technology

Yummy, yummy -- but, the work load might do us in.

Now how do we feel about companies that sold us weak operating systems and such?

There it is; they bought cheap technology and can't even find the people to secure it--let alone be able to afford them.

7
0

Brit watchdog fines child sex abuse inquiry £200k over mass email blunder

GnuTzu
Bronze badge

Tools, E.G. Office

My organization already uses a tool that warns us when we're addressing those outside our organization, but I think the tools could even be better--as I've said on similar posts--like suggesting BCC for a large number of addresses--instead of hiding the BCC field by default.

5
0

Scumbag confesses in court: LuminosityLink creepware was my baby

GnuTzu
Bronze badge
Coat

A Few Thoughts

How much was this a plea deal?

What kind of EULA would you have if you were the author of such a product?

What kind of enforcement of that EULA would I have to be able to prove if they came knocking at my door?

Is this going to become an implied kind of regulation of remote access products, or will there come to be explicit regulation?

Are the big companies that make stuff that allows desktop sharing going to be as vulnerable to legal action as the little guys?

What keeps the crims from using the stuff made by the big guys, perhaps some kind of logging--and is that logging that violates privacy policies?

The slippery slopes are getting steeper, and rabbit holes are getting deeper.

4
0

Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders

GnuTzu
Bronze badge

Habits

Um, when your product and repo show up in the news as a hacker victim more than once a year, maybe it's time to check the habits of your community.

As a gatekeeper, I'm supposed to decide which repos our devs have access to and which don't--and this one is beginning to worry me. And, having tinkered with this one myself, I don't want to have to shut it out completely, but... Oh, this is seriously giving me the willies.

2
0

Google's ghost busters: We can scare off Spectre haunting Chrome tabs

GnuTzu
Bronze badge

Re: I hate to be the one who pees in the coffee

Well, I've lost track of all the variants--not that I'm trying very hard. So, maybe it's time for a round-up on this.

3
0

'It's legacy stuff brute-forced in': Not everyone is happy with Citrix's cloud

GnuTzu
Bronze badge
Flame

"sometimes"

I sympathize. Every support/security situation I've been in with Citrix solutions has been a nightmare. "Painful" is an understatement.

0
0

What can $10 stretch to these days? Lunch... or access to international airport security systems

GnuTzu
Bronze badge

Re: No love for RDP Defender?

There are also some enterprise solutions that log all remote access activity--so that if anything bad happens, you know who did exactly what. And, that makes allowing plain vanilla RDP look seriously stoopid.

0
0
GnuTzu
Bronze badge

No Remote Access Here

I'm glad that I work in a place where desktop sharing, web meetings, and other manners of remote access from the outside world are utterly verboten.

6
3

FBI for the Apple guy: Bloke accused of stealing robo-car tech

GnuTzu
Bronze badge
Big Brother

Behavioral Analysis

I wonder how many workers these days realize that their companies now do behavioral analysis on every computer activity in which they engage. This is an insider threat strategy that uses big-data analytics, and if you significantly change any of your digital behaviors, an analyst is going to review your activities.

What do you think? Should employees be officially advised of this kind of monitoring? Can legal cases subpoena this stuff? How should we feel about this? And, when people become conditioned to accept this kind of monitoring, how easy will it be for governments to just go ahead and make this a global law-enforcement and political-obedience practice? Dark enough for you?

1
0

Timehop admits to more data leakage, details GDPR danger

GnuTzu
Bronze badge
Big Brother

Re: TimeHop is used in Facebook

Imagine if Cambridge Analytica's data slurp included entire Facebook histories--even stuff long deleted or hidden. (Mind you, I'm not sure I've accurately stated this for the way that Facebook really works, as I've never had an account.)

0
0

Tim? Larry? We need to talk about smartphones and privacy

GnuTzu
Bronze badge
Angel

Re: Beating up some foam ...

"please ask NSA, CIA and their kins, They should know..."

Oh, they think that the less information they provide the longer they'll get to go on playing innocent.

2
0

Arch Linux PDF reader package poisoned

GnuTzu
Bronze badge

Linux is the Kernel

I don't remember hearing about the kernel ever being infected. I still worry about the repos--given how automatically an entire system can be updated.

1
0
GnuTzu
Bronze badge
Alert

Thank Goodness it's Not One of the "Major" Distributions

I don't know how many Arch servers there are out there; and thankfully, this was not a server package.

We have seriously got to protect the repos!!! PERIOD!!!

I'll leave it up to others to elaborate.

1
2

Dudes. Blockchain. In a phone. It's gonna smash the 'commoditization of humanity' or something

GnuTzu
Bronze badge

IP

Are they intending to patent and monopolize this so-called liberation of humanity?

4
0

AAAAAAAAAA! You'll scream when you see how easy it is to pwn unpatched HPE servers

GnuTzu
Bronze badge

Re: BTW you don't need to send As

Yet, the A's make it so much funnier.

8
0

Thomas Cook website spills personal info – and it's fine with that

GnuTzu
Bronze badge
Unhappy

Re: stop telling us how serious you are!

Yeah, that's canned incident response template number 1.

Yeah, I'm sick of hearing it too, and sadly it'll never stop.

0
0

AT&T abducts AlienVault to bolster business end of its security probing

GnuTzu
Bronze badge
Flame

Re: I suspect this is like their last promise

Yeah, as if mergers and acquisitions never ruined a useful product.

0
0

China-based hackers take an interest in Cambodia's elections

GnuTzu
Bronze badge

"then it can only be for practice"

Maybe, but practice it is--as you have indicated. The trend is set. Is this how the global cyber war starts? Or is the question: how will it ramp up to world-destroying proportions?

0
0

Infosec defenders' supply chain is inferior to black hats, says Carbon Black CEO

GnuTzu
Bronze badge
Flame

Consider the Payoffs

When the defenders are paid as well as the top crims...

And, those funding white hats can't see the destruction that's coming.

0
0

Insurers hurl sueball at Trustwave over 2008 Heartland megabreach

GnuTzu
Bronze badge

PCI DSS -- Court Worthiness

It's going to be real interesting to see how the courts regard the legal strength of PCI certificate.

One thing that's always bothered me about PCI is that a business's certification only has to be reported to the banks. We consumers have to sit and wonder about the businesses we entrust with our payment card info.

4
1

Malware-slinging scum copied D-Link's code-signing certificates to dress up PC nasties

GnuTzu
Bronze badge

Re: "copies of code-signing certificates"

Well, seems a rhetorical question, but getting private keys either means they were hacked into or they spilled them--unless you want to believe someone managed to factor the primes.

Either way, I have to wonder what the black-market value for these things is.

1
0

It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all

GnuTzu
Bronze badge

"we are all up in the air aboard the internet"

Nice analogy. To further it, a company is not a single airplane; it's more like an airline. It's not a matter of whether there will be loss of data assets; it's a matter of when.

4
0
GnuTzu
Bronze badge

Re: Pen testers are not risk assessors

I like the point about "Chicken Little". Insider threat programs, risk evaluation, pen testing, and vulnerability management all need to be coordinated. And, I've been too many places where there isn't even proper identification and classification of data assets, and that's a key step in evaluating risk--because you can't evaluate risk without knowing what is at risk.

7
0

Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

GnuTzu
Bronze badge

"walled garden" == "needs no internet connection"

@DropBear, you're obviously getting it (voted up), but I thought I'd clarify my intended meaning for others. Air gapping is one of those things that has been done as an excuse, err..., a mitigation for garbage technology (i.e. "low hanging fruit"), but now that's just not enough.

0
0

GitHub given Windows 9x's awesome and so very modern look

GnuTzu
Bronze badge
Stop

Re: Now, if only Git could work under Windows...

"...our generation will pass the torch to the millennials, who will say the same crap about us GenZ'ers."

As one of the last of the baby boomers, I remember the irony well--when I first realized this would be our fate. It seems genetic; no new generation can escape this. Just accept that you'll eventually have it thrown back in your face, and try to mitigate it as soon as you can, as that's the only way to minimize the em--bare--ass--ment of youthful ignorance and lack of foresight.

4
0
GnuTzu
Bronze badge

Re: UI elements that make it obvious what they do?

"Flicking the scroll wheel repeatedly..."

Am I the only one who gets a sore finger using the scroll wheel too much?

5
0
GnuTzu
Bronze badge
Trollface

Re: UI elements that make it obvious what they do?

O.K. I can see where this is going. Let's run out and patent the totally blank screen before MS/Apple/Google does. That way we can sell expensive monitors with billions of pixels that won't even need to be powered or connect to anything.

6
0


Biting the hand that feeds IT © 1998–2018