* Posts by Pier Reviewer

96 posts • joined 15 Feb 2018


Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Pier Reviewer

If you don’t care about security, the bad guys care about you

Internet facing RDP... Jesus. I love it when you find it on jobs. It’s an easy win. It’s insane that people don’t put it behind a VPN (that requires MFA).

Ofc that alone isn’t a fix for ransomware. There is no single fix, which is why companies keep getting reamed. They’d evidently rather risk paying millions than definitely spend money avoiding the risk, even if it basically guarantees they won’t be badly affected. It’s 100% the board’s fault. They could force a change, but costs reduce their dividends. Better to risk it and make secret payments to the criminals if you get hit rather than reduce your take home pay innit?

The fix? Nothing new or exciting. Regular, tested off-site backups, maintain a register of installed software and audit it regularly, patch regularly, MFA for all sensitive services and accounts etc.

I've seen things you people wouldn't believe. Spacecraft with graphene sails powered by starlight and lasers

Pier Reviewer

Re: Calling Isaac Newton...

Re: using the destination star to slow down travel.

The problem is it tends to defeat the purpose of the idea (to get from A to B within a human lifespan). By decelerating from about the halfway point you take about 42% longer to get there (sqrt of 2, on the assumption the target star will decelerate your craft at 1 m/s²).

Anyway, I’ve seen Star Wars. And whilst that *is* a moon, I’m not wholly comfortable with an 8GW laser array on it.

Pier Reviewer

Re: Calling Isaac Newton...

The problem is that the closer you get to another star the more pressure it exerts on your sail in the wrong direction. That’s why you need the laser. However you need to focus your laser on a 14 m² area at a distance of ~4 LY. Not exactly a trivial design requirement.

Then there’s the second issue - you arrive in the Alpha Centauri system at ~15% c. You need some way to slow down or you’ll just barrel straight through. If you’re spending that much time, money and effort getting to another star system you probably want to get some data back. You’ll have trouble getting through the submission phase if you’re basically proposing throwing billions of <currency> at a star using a giant **** off laser.

That’s the biggest issue with any kind of fast travel. You need to slow down without turning your payload to jam/dust. Consider the difference between going from 70mph to 0mph in a controlled fashion vs stopping fairly instantaneously through the help of a bridge support.

The point of containers is they aren't VMs, yet Microsoft licenses SQL Server in containers as if they were VMs

Pier Reviewer

Re: What next...?

You’re not buying it... It’s closer to the car PCP model. You rent it. You stop paying rent it goes back to the dealer/MS. You drive the car lots? You pay more to the dealer. You use SQLS lots? You pay more to MS.

I’m not a fan of MS’s licensing model to be fair for various reasons (complexity being high up on the list) but what you describe already exists, and for a physical object, not just software.

Uber, Lyft struck by sue-ball, no, sue-meteorite in California after insisting their apps' drivers aren't employees

Pier Reviewer

Re: Contracting...

The Cali law has some similar features to IR35 in Blighty. The differences in how the two are perceived is a little surprising tbh.

Lords: New IR35 off-payroll tax rules 'riddled with problems, unfairnesses, unintended consequences'

Pier Reviewer

Re: How to make it go away

Easy for MPs to show they’re outside IR35. They spend some (I won’t say most) of their time doing their job as an MP rather than consulting for one firm. They also tend to consult for multiple companies rather than just one.

Keen to go _ExtInt? LLVM Clang compiler adds support for custom width integers

Pier Reviewer

Re: Sounds like a good idea

You’ve basically described how security issues arise. Make assumption. Assumption is invalidated. Shit happens.

It’s also why we (should) unit test for such things before pushing to prod. But hey, testing is boring so we don’t do it right?

As to using unused bits - plenty of tech still does that. Deflate, ASN.1 PER etc. It’s not going away.

Something a bit phishy in your inbox? You can now email suspected frauds straight to Blighty's web takedown cops

Pier Reviewer

If only the NCSC had ppl capable of performing threat modelling and risk assessment before they rolled this out!... Luckily the commentards can pick up the slack, and the NCSC can hopefully fix this terrible oversight -.-

Zoom vows to spend next 90 days thinking hard about its security and privacy after rough week, meeting ID war-dialing tool emerges

Pier Reviewer

Re: Its much worse than that... Complete Infosec fail?

Whilst the encryption isn’t what they claim it’s still pretty decent. According to Bruce it’s AES-128-ECB (not CBC). The key and block sizes make it infeasible to brute force the key or abuse SWEET32.

ECB is commonly considered to be weaker than CBC, but it has a simpler implementation and thus less room for catastrophic error (POODLE says hi, and ECB mode isn’t vulnerable to SWEET32 either, whereas CBC mode is). The thing with crypto is the crypto nerds get hyper excited about theoretical attacks like breaking 3 rounds of cipher X, or having utterly impractical requirements. It’s great to publish those findings as they can be built upon to create more powerful attacks, but the media (social included) tend to run ridiculous headlines as a result.

The Chinese server involvement is certainly worthy of investigation, but would it be any better if that server were hosted in the US/Europe but rented by a shell company operated by Chinese sigint? Geolocation counts for shit.
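The ECB-versus-CBC point above, as an added example that is not part of the original comment: a toy 128-bit-block Feistel cipher built from a keyed hash (an assumption standing in for AES, not AES itself) run in both modes over a constructed "video frame" of identical blocks. It shows the property the comment refers to when it calls ECB weaker: equal plaintext blocks give equal ciphertext blocks in ECB, so flat regions of a frame stay visible as repeats, while CBC with a fresh IV hides them. Key, IV and input are constructed here; no padding is implemented.

```python
import hashlib

BLOCK = 16                     # 128-bit blocks, the same block size as AES
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, idx: int, half: bytes) -> bytes:
    # Keyed hash as the Feistel round function: a stand-in for a real cipher
    # round, chosen only because it is in the standard library. Each round
    # gets a distinct index so that the rounds differ.
    return hashlib.sha256(key + bytes([idx]) + half).digest()[: BLOCK // 2]


def _feistel(key: bytes, block: bytes, order) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:8], block[8:]
    for idx in order:
        left, right = right, _xor(left, _round_fn(key, idx, right))
    # Final swap: decryption is the same walk with the round order reversed.
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # produce equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(decrypt_block(key, b) for b in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so plaintext repeats are hidden given an unpredictable IV.
    out, prev = [], iv
    for b in _blocks(pt):
        prev = encrypt_block(key, _xor(prev, b))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(prev, decrypt_block(key, b)))
        prev = b
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks are exact repeats of an earlier block."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))


def demo() -> dict:
    # Constructed key and IV (derived from fixed strings so the run is repeatable).
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    iv = hashlib.sha256(b"constructed demo iv").digest()[:16]
    # Constructed "video frame": 8 identical blocks, like a flat-colour region.
    frame = b"\x7f" * BLOCK * 8
    ecb_ct = ecb_encrypt(key, frame)
    cbc_ct = cbc_encrypt(key, iv, frame)
    return {
        "ecb_repeats": repeated_blocks(ecb_ct),
        "cbc_repeats": repeated_blocks(cbc_ct),
        "ecb_roundtrip": ecb_decrypt(key, ecb_ct) == frame,
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc_ct) == frame,
    }


if __name__ == "__main__":
    print(demo())
```

Whether the repeats matter depends on the data: a flat-colour slide in a video call leaks its layout through ECB, while high-entropy data would not. The block size argument in the comment is separate from the mode argument; this toy keeps the 128-bit block and changes only the mode.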

Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection

Pier Reviewer

Re: Unions

“ Unions have their place, but the guy leading the charge is being paid to be somewhere else, and he isn't doing what he was being paid to do, then the guy doesn't deserve a job.”

You’ve misunderstood Amazon’s reasoning. It’s cheaper for them to pay one guy to stay home and stop rocking the boat, than to implement effective measures to protect the rest of their employees. They basically wanted to pay him off (as cheaply as possible). It has similarities to Weinstein. “Shut up and take the money”.

FYI: You can trick image-recog AI into, say, mixing up cats and dogs – by abusing scaling code to poison training data

Pier Reviewer

Re: how they want some attention...

It’s not a bug. It’s intentional. When you’re scaling an image to a smaller size you lose data, as you are only able to represent a fraction of the original data. You need to decide which parts of the data are more important and which can be thrown away.

The side effect of this is that in this very particular use case, the classifier can be tricked into classifying an input incorrectly, and human auditing is less likely to detect it (“hey, who flagged this cat as a traffic light?!”).

Yes, it has limited use at the moment, but when ppl start selling data sets on a larger scale, and for sensitive use cases, it could be a more significant issue.
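The scaling mechanism described in the comment above, as an added worked example that is not part of the original comment or of the research it discusses: a nearest-neighbour downscaler keeps exactly one source pixel per output pixel, so an attacker who knows which pixels are sampled can overwrite only those and leave the rest of the image benign. The "benign" stripe image, the "target" cross image, the scale factor and the sampling position are all constructed assumptions; real libraries sample at slightly different offsets but the principle is the same. An area-averaging downscaler is included to show why this simple form of the attack fails there.

```python
def downscale_nearest(img, factor):
    """Nearest-neighbour downscale: keep one source pixel per output pixel.
    Samples the top-left pixel of each factor x factor cell (an assumption;
    real libraries pick a slightly different position)."""
    h, w = len(img), len(img[0])
    return [[img[y * factor][x * factor] for x in range(w // factor)]
            for y in range(h // factor)]


def downscale_box(img, factor):
    """Area-averaging downscale: every source pixel contributes, so a handful
    of altered pixels cannot dictate the output."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h // factor):
        row = []
        for x in range(w // factor):
            cell = [img[y * factor + dy][x * factor + dx]
                    for dy in range(factor) for dx in range(factor)]
            row.append(round(sum(cell) / len(cell)))
        out.append(row)
    return out


def craft_scaling_attack(benign, target, factor):
    """Overwrite only the pixels the nearest-neighbour sampler will read with
    the target's values; everything else stays benign, so at full resolution
    the image still looks like the benign one."""
    attack = [row[:] for row in benign]
    for ty, trow in enumerate(target):
        for tx, val in enumerate(trow):
            attack[ty * factor][tx * factor] = val
    return attack


def fraction_changed(a, b):
    """Share of pixels that differ between two equally sized images."""
    total = sum(len(r) for r in a)
    diff = sum(1 for ra, rb in zip(a, b) for pa, pb in zip(ra, rb) if pa != pb)
    return diff / total


def make_benign(size):
    # Constructed stand-in for the "cat": light/dark horizontal stripes, 8 px tall.
    return [[200 if (y // 8) % 2 == 0 else 60 for _ in range(size)]
            for y in range(size)]


def make_target(size):
    # Constructed stand-in for the "traffic light": a bright cross on black.
    return [[255 if x == y or x == size - 1 - y else 0 for x in range(size)]
            for y in range(size)]


def demo(factor=8, small=8):
    benign = make_benign(small * factor)          # 64x64 full-resolution image
    target = make_target(small)                   # 8x8 image the classifier should see
    attack = craft_scaling_attack(benign, target, factor)
    return {
        "nearest_sees_target": downscale_nearest(attack, factor) == target,
        "benign_is_not_target": downscale_nearest(benign, factor) != target,
        "pixels_changed": fraction_changed(attack, benign),   # 64 of 4096
        "box_filter_fooled": downscale_box(attack, factor) == target,
    }


if __name__ == "__main__":
    print(demo())
```

The number to watch is `pixels_changed`: with a factor of 8 only 1 pixel in 64 is touched, which is why a human looking at the full-size file sees the benign picture while the training pipeline, which only ever looks at the downscaled version, sees the target.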

Austrian foreign ministry: 'State actor' hack on government IT systems is over

Pier Reviewer

Re: Source article interesting, kind of

The good guys (as in competent, not white hat) don’t use random outbound ports. They use 443/tcp to a cloud host along with domain fronting to avoid TLS interception. All the victim sees is a request to a Microsoft.com domain or whatever.

If you think detecting decent, custom, memory resident malware is easy you should go work as a front line SOC analyst and see just how easy it is to detect that kind of thing in amongst the network noise. Generally threat actors will compromise the network (maldoc, cred spraying, 0-day), quickly obtain persistence then lie low for a while. If you don’t manage to detect the initial compromise (often the riskiest phase as it’s noisy/prone to failure) you are flat out stuffed.

I know what you’re thinking - don’t open random email attachments. Competent attackers don’t use random email addresses. They cred spray/phish your organisation then send emails/instant messages using your own infrastructure. Got a spreadsheet from Alice in Accounts? Must be safe to open, right?...
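The domain-fronting traffic pattern described in the comment above, as an added detection example that is not part of the original comment: fronting works because the TLS SNI names an innocuous host on a CDN while the HTTP Host header inside the tunnel names the real destination. Where a proxy does inspect TLS and logs both values, a mismatch between the registrable domains is the signal to triage. The log format, the hosts, the addresses and the last-two-labels domain comparison are all constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed proxy log lines: each records the TLS SNI the client sent and
# the HTTP Host header seen after inspection ('-' when none was observed).
SAMPLE_LOG = """\
2020-01-10T10:01:02Z src=10.1.2.3 dst=203.0.113.10:443 sni=www.example.com host=www.example.com
2020-01-10T10:01:05Z src=10.1.2.3 dst=203.0.113.10:443 sni=www.example.com host=relay.example.net
2020-01-10T10:02:11Z src=10.1.2.9 dst=203.0.113.20:443 sni=cdn.example.org host=cdn.example.org
2020-01-10T10:02:15Z src=10.1.2.9 dst=203.0.113.20:443 sni=www.example.org host=static.example.org
2020-01-10T10:03:40Z src=10.1.2.3 dst=203.0.113.10:443 sni=www.example.com host=-
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """key=value fields of one log line."""
    return dict(_FIELD.findall(line))


def registrable_domain(name: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: none of the sample names
    sit under a multi-label public suffix such as co.uk; a real deployment
    should use the Public Suffix List instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_fronting_candidates(log: str) -> List[Tuple[str, str, str]]:
    """Return (src, sni, host) for connections whose HTTP Host header names a
    different registrable domain from the TLS SNI. Lines without an observed
    Host header are skipped: nothing can be said about them."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        sni, host = f.get("sni", "-"), f.get("host", "-")
        if "-" in (sni, host):
            continue
        if registrable_domain(sni) != registrable_domain(host):
            hits.append((f["src"], sni, host))
    return hits


if __name__ == "__main__":
    for src, sni, host in find_fronting_candidates(SAMPLE_LOG):
        print(f"{src}: SNI {sni} but Host {host}")
```

Two caveats go with this check. It only works where the proxy actually terminates TLS and records the Host header; with SNI alone you see exactly what the attacker wants you to see, which is the point of the technique. And some legitimate CDN set-ups produce the same mismatch, so treat hits as a triage queue with an allowlist, not as a verdict.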

You're always a day Huawei: UK to decide whether to ban Chinese firm's kit from 5G networks tomorrow

Pier Reviewer

Re: Treasury Notes

“ If Huawei is allowed into western teleco networks, the governments will have to cover the purchase of this equipment by issuing treasury notes.”

Wtf are you smoking? The gear will be purchased by EE, O2, Voda etc using their own cash, not the UK government bonds. They are private companies, and the money Huawei receives is kept by Huawei, which is owned by its (Chinese) employees, not the state. Ffs stop reading Breitbart propaganda and get some kind of clue as to how business works.

Boris celebrates taking back control of Brexit Britain's immigration – with unlimited immigration program

Pier Reviewer

Re: Good, good.

“ Well done Boris and Priti for delivering on your promise.”

Can you point to what’s actually been delivered? It’s just talk at the moment. The visa changes cannot apply until 2021 at the earliest, so best hold onto your thanks until then. It might not work out quite as you’d hoped.

Saying you want the best engineers etc to come to the UK is one thing. Convincing them to accept your kind invitation is quite another.

It will be interesting to see how the hostile environment policy pans out with all these foreign engineers on our shores. I rather suspect that more than one poor soul will find that a PhD, full work history, and Nobel Prize will count for nought when the Home Office comes a-knocking :(

This episode of Black Mirror sucks: London cops boast that facial-recog creepycams will be on the streets this year

Pier Reviewer

Numbers game

It’s a numbers game. This guy’s number was 100k - https://www.bbc.co.uk/news/uk-scotland-south-scotland-51255287 :) I hope the Met have deep pockets!

Protestors in Los Angeles force ICANN board out of hiding over .org sale – for a brief moment, at least

Pier Reviewer

Timings

“ The day after it became clear ICANN was going to approve lifting price caps, former ICANN CEO Fadi Chehade registered EthosCapital.com – yes, .com, not .org – and within months Ethos had persuaded ISOC to sell its main asset for a lump sum.”

Rofl. I know the Reg has to be a bit careful about what it prints, but do we honestly think ISOC was persuaded to sell *after* the price caps were lifted? Haha haha!

Whoa, whoa... Tesla slams brakes on allegations of 'unintended acceleration' bug: 'Completely false and was brought by a short-seller'

Pier Reviewer

Re: Sure, deny it and point to the evidence that supports your position...

*Some* short sellers are indeed unethical. However, randomly spaffing lies on Facespace only gets you so far. Look at who holds the majority of Tesla shares. It ain’t mom and pop. It’s institutional investors. They’re in it to make money, and are far less easily swayed by such behaviour.

Musk has very thin skin. I agree with many on here that this issue is far more likely to be “fat feet” rather than software. However the shouts of “short sellers!” are just Musk’s reaction to *any* negative press. If a Tesla’s going to kill you it won’t be random acceleration, it’ll be randomly ignoring large objects in the road (I guess I must be shorting TSLA yo)

And we now go live to Apple v Corellium, where the iTitan is still lobbing copyright fireballs at the virtual iPhone upstart

Pier Reviewer

Two wrongs...

They’re both bad. Apple are upset that it’s easier to find bugs, Corellium are plainly ripping off Apple’s software.

I’m very wary of using their offering tbh. The fact it’s aimed at security researchers and runs in the cloud makes it easy for them to monitor and sell on any vulnerabilities.

EU wouldn't! Uncle Sam brandishes 'up to 100%' tariffs over France's Digital Services Tax

Pier Reviewer

Re: Wrong argument

“> If I give a second house to my son, I am charged CGT as if I sold it at market rate.

No you're not. You can gift him whatever you like completely free of tax provided you survive for 7 years after the gift is given.”

You missed the important word in the OPs example. “Second”. The 7 year period only applies if you have lived in the house for the entire period you owned it. Rented it out for 6 months 25 years ago? You owe CGT. Second home? CGT.

The simple fact is IP transference used by Starbucks et al is tax avoidance. I know what you’re thinking - tax *avoidance* is legit. I’ve got two words for you - “loan charge”. Yet again the smaller guy gets shafted, whilst the big guys are free to avoid tax at will.

VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

Pier Reviewer

“ yet again proving that the real hackers go after people - Social Engineering 101”

Rarely a truer word said. 99% of external infrastructure engagements we do result in breach (ie access to the internal network). The other 1% refuse to include O365, S4B, Outlook Web Access, VPN endpoints etc in the scope :)

It’s not about 0-days. It’s a numbers game. Someone in your organisation has a $#!% password. Just a matter of finding who. A bit of OSINT, a bit of time (usually a few hours, occasionally a day or two) and you’ve got shell. Bit slower if you care about not being detected.

Plenty of talk of encryption etc to fix this problem, when mandating MFA and a half decent password policy + training will make the attacker’s job hundreds of times more difficult.

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Pier Reviewer

Re: Grab the private key?

Many more offenders? You’re not kidding! This is very common behaviour. A large player in the gambling industry does this. I make a point of collecting such domains. Can be useful for exploiting SSRF ;)

Why can't passport biometrics see through my cunning disguise?

Pier Reviewer

The wearing of glasses in your passport photo is permitted. The wearing of glasses when standing in front of the retarded “eGate” *is* forbidden. Makes it pretty hard when you can’t see past the end of your nose sans specs - if the machine shows a message not only can I not read it, chances are I don’t even know it’s there :/

Been through far too many of those things this week. The ones on the continent seemed better. The UK one coming back was awful.

Intel! China! Sliding enterprise spending! Dell cuts forecasts by $1.2bn to $2bn for fiscal '20

Pier Reviewer

Yahoo!

I’m confused. What’s it got to do with Yahoo?

Not to Nokia, but someone's seeking a third Huawei: Openreach hunts supplier number 3 for UK's FTTP network

Pier Reviewer

HCSEC was the price of doing business in the UK for Huawei. It was probably worth it for them. Plus it helps them improve their products.

Cisco are already well into the UK. They’ll never pony up their code as they don’t need to and can’t be forced to.

Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers

Pier Reviewer

Not exactly rocket science this one. Morrison’s be screwed. Can’t blame them for arguing the case, but they won’t win it. Schedule 1 Data Protection Act 1998 provides :

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Appears the only reason he had the data was to pass it on to the external auditors. Should have been encrypted at rest so he could pass on the data, but couldn’t access it himself. Morrison’s failed to take appropriate measures. Yet another case of security controls being bypassed or not deployed because it makes life a bit more difficult. As a result control of 100k people’s data is lost.

The only good news for Morrison’s is it pre-dates GDPR.

Here we go again: US govt tells Facebook to kill end-to-end encryption for the sake of the children

Pier Reviewer

Re: "Outside the digital world, none of us would accept the proposition that"

“but you'd plenty of time to flush your drugs and reset the phone you use for crime to defaults and restore the innocuous backup”

The coppers got wise to flushing a long whiles back. They already prep contingencies for that :) Your “best” bet is to swallow them with a shit ton* of Imodium and hope the 24 hour detention expires before the Imodium (or you if the bag breaks - lol).

Phone resets aren’t necessarily 100% copper proof. As you say, it depends how high up the pyramid you are. For a big enough target DFIR might be used to pull old data from the phone. For a grunt tho chances are the phone goes into a massive black hole (not the same one the drugs went in).

As for not hearing the armed cops - prolly fine if you’re white. It carries additional risk of things getting loud for other ethnicities...

—-

* pun not entirely intended

Google sounds the alarm over Android flaw being exploited in the wild, possibly by NSO

Pier Reviewer

Re: re: Google Play Store

Sorry, my browser didn’t render your comment properly so I missed the bit where you pointed to the slew of malware on Apple’s App Store...

Oh wait, no, you tried the “well so’s your face” argument. The App Store has many flaws (like needing to buy overpriced Apple gear to write and test apps) but malware is very much a Google problem.

The funny part is that Google couldn’t fix it if they wanted to. Deleting 40% of the crapps on Play Store would look bad, and even with Google image > security.

Pier Reviewer

Re: Years Old Bug...

It’s a regression. The bug was patched. Then they reintroduced it. It can happen, but it’s sloppy.

Also, lol at a 0-day being dropped for Android. Not good for end users sadly, but hopefully it might give PZ some pause for thought re: their politically driven disclosure policy.

IR35 blame game: Barclays to halt off-payroll contractors, goes directly to PAYE

Pier Reviewer

Re: Personal Service Companies

I love how everyone fell into the trap. It’s now a contractors vs permies war, which is what the Government wanted. It keeps people distracted and stops them asking “why not just change the tax rate on dividends?”.

Anyway... Tax is used to incentivise and disincentivise certain behaviour. Think Council tax on empty property. It can increase to 200% because empty property is to be avoided.

If you remove corporation tax you incentivise hoarding. That means less cash in circulation, which holds back growth. That is bad for pretty much everyone except the guys holding a shit ton of cash.

Your idea also raises various questions such as “what does withdrawn from the company mean?”. They pay tax when they pay my salary? When they buy parts? When they service debt? When they invest in something?

If not, do you think there might be some loopholes there? It looks like your idea is focused on personal service companies, but it would also apply to Tesco, JLR, BT etc. It’s not simple to make tax simple whilst still being reasonably effective.

Google security crew sheds light on long-running super-stealthy iOS spyware operation

Pier Reviewer

Re: Entire populations: State sponsored?

So the US isn’t even in contention?...

Hong Kong ISPs beg Chinese govt not to impose Great Firewall on them

Pier Reviewer

Re: As If anything else would happen here...

Sold them out? They leased it. The lease expired. Are you saying the UK Gov could, and should have kept it unlawfully?

Capital One 'hacker' hit with fresh charges: She burgled 30 other AWS-hosted orgs, Feds claim

Pier Reviewer

Default settings

Default security groups (read: firewall rules) allow traffic from other AWS IP addresses. Prolly failed to change that, the web server was bound to all interfaces (so accessible on internal AWS IP addresses) and the WAF was prolly just sat on the external interface.

AWS engineer scans for buckets on the internal IP ranges, greps out saucy data, gets nicked.

Defence in depth ppl. Have your WAF on all interfaces, and change those bloody default security groups. Fml the number of ppl that don’t do it...
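The "change those bloody default security groups" point above, as an added example that is not part of the original comment: a small audit over data in the shape of `aws ec2 describe-security-groups` output. The default security group AWS creates in a VPC carries an inbound all-traffic rule whose source is the group itself, so any instance in that group can reach every port on every other member; the check flags that, and also flags world-reachable ports outside an allowed set. The group IDs, names and rules are constructed; `PUBLIC_OK_PORTS` is an assumption about what this particular estate may expose.

```python
from typing import Dict, List, Tuple

# Constructed data in the shape of `aws ec2 describe-security-groups --output json`.
# sg-0default mirrors the default group's inbound rule: all traffic from itself.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0default",
        "GroupName": "default",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0default"}]},
        ],
    },
    {
        "GroupId": "sg-0web",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0app",
        "GroupName": "app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
        ],
    },
]

# Assumption for this estate: only the web ports may be reachable from anywhere.
PUBLIC_OK_PORTS = {80, 443}


def _port_range(rule: Dict) -> Tuple[int, int]:
    """(low, high) ports covered by a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def audit_security_groups(groups: List[Dict]) -> List[Tuple[str, str]]:
    """Return (group_id, reason) findings for:
    - an all-protocol rule whose source is the group itself (default SG
      behaviour: one compromised instance can reach every port on the rest);
    - 0.0.0.0/0 reaching anything other than a single allowed port."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for rule in g.get("IpPermissions", []):
            lo, hi = _port_range(rule)
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == gid and rule.get("IpProtocol") == "-1":
                    findings.append((gid, "all traffic allowed from members of the same group"))
            for r in rule.get("IpRanges", []):
                if r.get("CidrIp") != "0.0.0.0/0":
                    continue
                if not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((gid, f"0.0.0.0/0 may reach ports {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for gid, reason in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {reason}")
```

To run it against a real account, load the `SecurityGroups` list from the JSON the CLI prints and pass it to `audit_security_groups`. The other two halves of the comment's advice, binding the web server only where it should listen and putting the WAF in front of every interface, are host and architecture checks that this rule audit does not cover.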

Cybercrook hands cops £923k in Bitcoin made from selling phished deets on the dark web

Pier Reviewer

Re: 10 years

I’ve said it before, I’ll say it again. Targeting rich/middle class white guys is stupid. The police will investigate that fully and you’ll get the thick end of the sentence.

If you want to get away with crime you need to be targeting the poor/non-whites/women. Much less risk as the state doesn’t seem to care as much.

If you’re rich, white and male it tends to help too. Don’t commit crime if you’re poor.

WeWork filed its IPO homework. So we had a look at its small print and... yowser. What has El Reg got itself into?

Pier Reviewer

Naming dispute

“we have received correspondence from third parties asserting potential claims of trademark infringement with respect to some of our WE names and trademarks. We dispute these assertions”

Surprised nobody commented on that. Looks like Tencent’s lawyers are sniffing about. Given that Tencent are basically an arm of China’s SIGINT I don’t rate WeWork’s chances.

Friends, it's fine. Don't worry about randomers listening to your Skype convos. Microsoft has tweaked an FAQ a bit

Pier Reviewer

Came to post the same thing. And complain - where’s my “what the FAQ?!” headline? Guess that explains it.

Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days

Pier Reviewer

Terrible opsec, great write up

Odd that they’d be willing to burn a zero-day but not bother with a custom payload. The CVEs appear not to be restricted to Mac versions of FF, so I would hazard a guess they assumed MacOS is less likely to run AV/HID...

Spawning a shell from the browser, Word, etc. is lazy-fu. With opsec like that, I would suggest they bought the exploit.

Great investigation and write up though. Good to see some people taking security seriously.

O2: We've found Huawei of not using you-know-who's kit in 5G rollout

Pier Reviewer

O2 aren’t a Huawei shop. Never have been. Makes sense from an ops perspective that they’d stick with their current suppliers. It’s not a political decision. Simply an ops one.

The gear talks to any other vendor’s gear using standard protocols on the user and control planes, but the management plane is all custom services. You can’t manage gear from one vendor using gear from another vendor. They’d have to duplicate a lot of work, or write some middleware. It’s an awful lot of effort/expense compared to buying more kit from the current vendor that can be managed using the existing infrastructure and staff.

Conversely ripping out Huawei kit from EE et al will require new management kit (and training on it) making it very expensive to do.

It's happening, tech contractors: UK.gov is pushing IR35 off-payroll rules to private sector in Finance Bill

Pier Reviewer

Re: Curious reaction

“Work inside ir35, with no holiday, no sickpay, no pension

You haven't got a clue what you are talking about.

We pay more tax, raise vat and pay NIC also“

Playing devil’s advocate - I guess from that you’ll be better off under IR35 then?... ;)

Internet imbeciles, aka British ISP lobbyists, backtrack on dubbing Mozilla a villain for DNS-over-HTTPS support

Pier Reviewer

Re: Dear Police

I’m not familiar with American law. I was speaking of the test of proportionality in English law, as it applies to the Human Rights Act (which includes the right to freedom of expression, but explicitly states it may be limited).

The test is intended to provide a framework for the courts to decide if a restriction on a right is proportional or not. As I’ve said, some limitations on rights are necessary for a functional society. It’s important that those restrictions don’t go any further than necessary to meet their objectives, ergo the proportionality test.

It may be necessary to give up some freedom wrt our DNS privacy, but it’s extremely unlikely the courts would accept the need to give up all of our DNS privacy.

Pier Reviewer

Re: Dear Police

It’s important to understand and accept that rights are not absolute. That’s the point I tried (poorly it seems) to make.

The right to be presumed innocent unless found guilty does not preclude my arrest by the police, or being bailed on restrictive terms, because victims of crime have a right to justice. The police therefore need some investigative powers.

My right to free speech is likewise not absolute. If I were to claim you to be a kiddy fiddler you would understandably take umbrage at that, and the courts provide relief in the form of slander and libel.

A classic example is going into a theatre and shouting “fire” when there is none resulting in panic, stampede and injury. I cannot successfully claim the right to free speech as a defence as that right is fettered by other people’s rights not to be injured because I’m an idiot.

Rights lie on a spectrum, and it’s up to society to decide which parts of the spectrum are acceptable and which are deemed an abuse, or an unacceptable impact on another’s rights.

Our right to privacy is not and cannot be absolute. That doesn’t mean it can’t be very close to that end of the spectrum. However society needs to choose which way it leans, and how far. More towards absolute privacy impacts on the rights of victims to receive justice, and more towards a sole focus on criminal justice impacts on everyone’s privacy. Somewhere between those points is an acceptable balance, as there is with all rights, even the right to life (driving a car at armed police is a simple test).

It’s easy to say “I want total privacy” and leave it at that. I don’t necessarily disagree with the sentiment. Just remember that some other rights will be impacted by that choice. Failing to at least consider that and assess the choice in light of it is either pure selfishness, or in most cases a simple case of not realising. Either way, it’s not a great foundation on which to make a decision.

Pier Reviewer

Re: Dear Police

You’re right about getting a warrant. The IP address doesn’t really tell an investigator anything though. For example a ne’er do well may host a proxy website fronted with CloudFlare that grabs illegal content from Tor or whatever and sends it back to the user.

The user is seen connecting to an IP address for CloudFlare. Not really dodgy.

I have a small amount of sympathy with the police etc. They’re stuck between the push for better privacy rights which I agree with, and the pressure for them to nick bad folk, which I also agree with. It’s about striking an appropriate balance (which is what warrants are for). The difficulty they have is that you can’t get a warrant if you don’t know something bad has happened. You need intel. Humint is both expensive and unreliable as a rule.

We as a society just need to have that conversation and decide where we want the balance to be, and what we’re willing to give up to get it (i.e. do we lean more towards privacy > all or more towards criminals being detected and prosecuted?). It’s not happening atm. Governments try to make changes without seeing what the people actually value. Never going to end well...

DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

Pier Reviewer

Re: @MacroRodent you really need to open your eyes

“That is nonsense.. I may be showing my age here, but Meatspace as you call it, is always 2 steps behind and playing catchup”

Alternative examples are available. See Russia vs domain fronting for example. Didn’t take long for Amazon et al to fall into line when the ban hammer loomed. Russia 1 - 0 Privacy.

The child abuse angle is a straw man. Surely people don’t just browse such abhorrent content as you’d browse YouTube? They’ve got to be aware that it’s illegal, and don’t fancy getting caught, so they’ll already be bypassing their ISP’s filtering etc. DoH won’t have any impact on that aspect at all.

ISPs want to see *everyone’s* DNS requests. There’s good money in that info. Losing out on that would be an issue for ISPs.

Hello Moto! UK Home Office shoves comms giant another £82m to stay on Emergency Services Network gig

Pier Reviewer

EE use Huawei in their core. EE taking over the ESN gig just got interesting :) Tbh it’s been known about for years, but recent developments have made it a bit trickier. Moto are just well placed to milk it.

US border cops confirm: Maker of America's license-plate, driver recognition tech hacked, camera images swiped

Pier Reviewer

Re: Subcontractor’s network compromised?

“I'm going to go with digital.”

This is the government we’re talking about. Are you really sure, or just taking a punt?

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

Pier Reviewer

Re: Surely...

Mens rea for CMA s.1 is simply that you knew that you had no authorisation to interact with the computer. It’s an appallingly widely drafted piece of legislation, and is ripe for abuse.

The fact the action taken was apparently for good does not provide a defence. If this was an individual in the UK they would be saying bye-bye to their computing gear.

Git your patches here! GitHub offers to brew automatic pull requests loaded with vuln fixes

Pier Reviewer

It’s a pull request...

Pier Reviewer

This is a useful feature. You don’t have to use it, but frankly as someone disseminating software to people you have a duty of care to ensure the third party libs you deploy are patched.

“Messed up builds for several months for a huge swath of the community.”

If you’re randomly updating packages without testing first you get what you deserve. That’s why this gives you a pull request, rather than stomping all over your repo. You can (and should!) test, then merge.

The problem is testing is less fun than coding, so when everything is voluntary testing can suffer, and you get the problem you described.

Introducing 'freedom gas' – a bit like the 2003 deep-fried potato variety, only even worse for you

Pier Reviewer

Re: Sleep is a Good Thing(TM)

Thanos? Is that you?

Infosec bloke claims: Pornhub owner shafted me after I exposed gaping holes in its cartoon smut platform

Pier Reviewer

Re: Publish!

If you’re in the UK you’d likely find yourself in contravention of s.3A Computer Misuse Act.

Bug-hunter reveals another 'make me admin' Windows 10 zero-day – and vows: 'There's more where that came from'

Pier Reviewer

Bug class

All of SBE’s vulns have been of the same class.

That’s not a dig at SBE. That’s a dig at MS. When you find a vuln, the best thing to do is assume they’ve screwed up in the same way more than once and go looking for the same mistake elsewhere in the code. It’s a very efficient method of finding vulns.

The first bug that was dropped was a fair while ago, and sounded like it could well be endemic. MS, with source code home advantage should have gone to town finding where else the same type of mistake had crept in and fixed it. Instead, we have this...


Biting the hand that feeds IT © 1998–2020