Friday, June 30, 2023

Dad Joke CCLXVIII

What did one Math Book say to the other? 

Man, I sure have a lot of problems.

Thursday, June 29, 2023

Military personnel receiving smart watches in the mail

Of course, there's malware involved:

Service members across the military have reported receiving smartwatches unsolicited in the mail. These smartwatches, when used, have auto-connected to Wi-Fi and begun connecting to cell phones unprompted, gaining access to a myriad of user data.

These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords.

Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches.
 
These products may also be used for Brushing. This is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver's name allowing them to compete with established products.


What to do if you receive one of these devices:

  • DO NOT turn the device on.
  • Report it to your local counterintelligence, security manager, or through our Submit a Tip - Report a Crime reporting portal.

 Freebies like this are the equivalent of "open your mouth and close your eyes."  Let's be careful out there.

Tuesday, June 27, 2023

15th Blogiversary

Actually it was a couple days ago.  Seems like kind of a long time.

Thanks to co-blogger and Brother-From-Another-Mother ASM826 who also started his blog around the same time but who has been writing here for years and years.

Also, I'm trying to convince The Queen Of The World to write here sometimes.  Leave a comment on what you think of that idea.

Monday, June 26, 2023

Dad Joke CCLXVII

Have you heard of the band 1023MB? 

They haven't got a gig yet.

If you have an Apple device, you need to update it right away

Security patches for vulnerabilities being exploited in the wild:

The list of affected devices is quite extensive, as the zero-day affects older and newer models, and it includes:

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • Macs running macOS Big Sur, Monterey, and Ventura
  • Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE

It's an interesting article: the Russian security services (FSB) claim that NSA has been using this against Russian targets for the last four years.

Friday, June 23, 2023

Aesop, about the Internets that you just won ...

... you can pick them up in the usual place.

There are only two things I have to add to the discussion of the Titan/Titanic disaster:

1. OceanGate seems not to have considered that their target customer had enough cash to sue them into oblivion if things went Tango Uniform.

2. OceanGate's investors did not consider what their liability would be if things went Tango Uniform.

The legal proceedings promise to be epic.  And yeah, I don't care that the release that their customers signed mentioned the word "death" three times.  Doesn't release them from liability for reckless endangerment and misrepresentation. 

UPDATE 23 JUNE 2023 19:42:  Big Country gets an honorable mention with this one:


He has more, so get over there.  He's of a similar mind of the legal predicament that OceanGate is in.

UPDATE 23 JUNE 2023 20:04:  Miguel has an important pro-tip.

Thursday, June 22, 2023

Something New In "Full Metal Jacket"

I've seen Full Metal Jacket several times over the years. I don't know about the combat in the second half, I have no personal experience to use to form an opinion, but the boot camp scenes are as realistic as anything I have ever seen. Lee Ermey as GySgt Hartman is what every Drill Instructor on the field in 1977 wanted to be.

Here is a classic scene, where Hartman is doing a hygiene inspection and finds his problem child, known only as Gomer Pyle, with an unlocked footlocker and some contraband.

I was on a forum discussing the movie recently and I pointed out that the doughnut was unrealistic. Primarily because, in three months on Parris Island, I never had dessert of any type. No cake, pie, cookies, and definitely no jelly doughnuts. Secondarily, the doughnut is pristine. It's not squished, it has a good shape, and it still is covered with powdered sugar. If Pyle had somehow landed the doughnut from who knows where, he still had to get the doughnut to the barracks and into his footlocker. It would not have been carefully carried in a box, it would have been tucked inside his uniform.

I got called out for taking the movie too seriously by one person, supported by others, and in the ensuing discussion I realized what Stanley Kubrick and Lee Ermey had done, right in front of us, and I had never heard it mentioned or thought of it before.

The only explanation for the doughnut in Pyle's footlocker is that Gunny Hartman put it there. He would have had a list of combinations for all the recruit locks. He bought the doughnut, put it in the locker, and left the lock open so he could "discover" it, and then punish the rest of the platoon while having Pyle eat the doughnut. This leads to the blanket party scene where the platoon exacts revenge on Pyle.

And Pyle knows. He didn't put it there. None of them had seen a doughnut since they got on the bus. The injustice is what fuels his anger. It is the end of his attempts to conform, to grow into a Marine like the rest of the platoon.

Dad Joke CCLXVI

If two vegetarians get into an argument, is it still a beef?

Wednesday, June 21, 2023

A Complete Unsurprise

In March of 2020, as the world was getting ready to close the doors and everyone was wondering how many people were going to die of the new virus, a friend of mine who works in a research lab told me that every single person who worked in his department believed the virus had originated in the Wuhan lab. That there was ongoing research in Wuhan on gain of function using coronaviruses taken from bats. That political leaning had nothing to do with their opinions, it was just an obvious conclusion.

He never wavered from his opinion on this.  Said everything that made him a scientist pointed to it.

And he was right.

"Ben Hu is essentially the next Shi Zhengli," Alina Chan, a molecular biologist at the Broad Institute of MIT and Harvard, was quoted as saying. Shi is popularly known as "the bat woman of China" and led the gain-of-function research at the WIV.

"Hu was her star pupil. He had been making chimeric SARS-like viruses and testing these in humanised mice. If I had to guess who would be doing this risky virus research and most at risk of getting accidentally infected, it would be him," Chan added.

I suppose you could say, like Hillary Clinton, "What difference at this point does it make?" But I think it matters because this kind of research continues and that makes another outbreak inevitable. 


Monday, June 19, 2023

Dad Joke CCLXV

Why can't your nose be 12 inches long?

Because then it would be a foot.

Friday, June 16, 2023

The day the Titanic's horn spoke again

Eighty-seven years after the Titanic slipped below the waves, the horn blew again.  This is the story of how that happened.

 

The crowd reaction on that day is really something.

Dad Joke CCLXIV

What kind of lights did Noah have on the Ark?

Flood lights.

Thursday, June 15, 2023

Django Reinhardt - Stardust

This is the kind of music that would be playing when I got home from High School.  You wonder what else Reinhardt would have recorded had he not died so tragically young.

More on the security email gateway hack

I've been posting recently about the Barracuda Networks compromise of their email security gateway.  It seems like it might have been the Chinese:

Chinese spies are behind the data-stealing malware injected into Barracuda's Email Security Gateway (ESG) devices globally as far back as October 2022, according to Mandiant.

Barracuda discovered a critical bug, tracked as CVE-2023-2868, in these appliances on May 19, we're told, and pushed a patch to all affected products the following day. 

...

Meanwhile, Mandiant, who has been working with Barracuda to investigate the exploit used and the malware subsequently deployed, today identified a China-based threat group it tracks as UNC4841, and said the snoops targeted a "subset" of Barracuda ESG appliances across several regions and sectors.

"Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," the Google-owned threat intel team said today.

Why do you rob banks?  Because that's where the money is.   If instead of money, you're after user data then email servers/gateways are a pretty rich target.

 

Tuesday, June 13, 2023

A message to commenter Birdchaser

You will remember the header at the top of the comment box: Remember your manners when you post.

You didn't.  Boy, howdy.

Your comment didn't make it through moderation because of your very disrespectful and profane attack on me.  This is my place, not yours.  I don't care that you feel really really strongly about Donald Trump.  Cathedra mea, regulae meae.

I've only banned one person in the 15 year run of this blog (my abusive ex-wife).  Congratulations - you're number two.

Go away and don't come back.  All comments from you will be nuked without being read.

Sunday, June 11, 2023

Antonio Salieri - Requiem in C minor

Today would have been my younger brother's 60th birthday, had he not died 100 days ago.  He was a complicated man, endearing and infuriating in equal measures.  You don't expect the younger to die before you.

Rest in peace.

Most people have heard of Antonio Salieri (if they have heard of him at all) as the sort-of villain in the film Mozart.  That sells him somewhat short.  His Requiem was performed for the first time at his funeral.

Saturday, June 10, 2023

Dad Joke CCLXIII

What do you find shaking at the bottom of the ocean?

A nervous wreck.

Friday, June 9, 2023

Security vendor oops

I recently posted about the security appliance vendor Barracuda's woes, with a critical bug in their email security gateway appliance.  Well the problem is worse than people thought:

Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices need to be taken offline and replaced immediately.

The ESG remote command injection vulnerability, tracked under CVE-2023-2868, was already under active exploit since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined the patch and subsequent script pushed out to counter unauthorized access weren't enough to secure impacted ESG devices, according to the advisory.

"Impacted ESG appliances must be immediately replaced regardless of patch version level," Barracuda warned its customers in an update. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."

I'm struggling to think of another example of a security device that had to be junked after an incident.  I imagine that this isn't actually the first such incident, but no others come to mind.

Ouch.

Usually this sort of thing happens when a very old device reaches end-of-support/end-of-life.  At that point you've gotten your investment from the device and it's time to upgrade to something modern - but this cycle is often ten years.

To Barracuda's credit, they are shipping new devices to affected customers.

Thursday, June 8, 2023

10 years after Snowden

Edward Snowden released his bombshell revelations ten years ago.  These showed that there was mass government spying on US citizens by US intelligence agencies; it also showed without a doubt that General Clapper perjured himself before the US Senate when he denied that this was the case.

Ten years later, Snowden is a refugee from the US Government, and Gen. Clapper is free as a bird (and guilty as sin).  This tells you much about how much trust to put in the US Government.

There are two excellent retrospective articles about this: The Register walks us through much of the narrative about the who, what, and when of the last ten years.  Highly recommended.  Here's the TL;DR:

"Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."

Bruce Schneier has a fascinating piece from the perspective of someone who was involved with the disclosures.  Also highly, highly recommended.  Schneier is a security big wig, and so there's a fair amount of security industry inside baseball.  For example:

I ended up being something of a public ambassador for the documents. When I got back from Rio, I gave talks …at the IETF meeting in Vancouver in November 2013. (I remember little of this; I am reconstructing it all from my calendar.)

What struck me at the IETF was the indignation in the room, and the calls to action. And there was action, across many fronts. We technologists did a lot to help secure the Internet, for example.

And this prediction from your humble host has stood the test of a decade:

The two highlighted items really get to the heart of why the security industry is so angry about what the NSA has been doing.  They spent years establishing a relationship of trust with the industry and researchers.  Then they exploited that trust for personal gain at the expense of everyone else.

While I don't at all want to minimize the horrific crime of child abuse, that will give you a bit of the flavor of how the security industry looks at Ft. Meade now.  It was a rape, a rape of those who had trusted them as teacher and protector.

This is going to cause enormous problems for NSA.  I simply don't see how anyone will ever want to cooperate with them outside a public forum.  Nobody who values their reputation will be willing to be accused of slipping an NSA mickey into a crypto library.

And nobody on a standards body will ever again listen to NSA recommendations for changes to algorithms.  As a matter of fact, those recommendations will make the hair on the back of people's necks stand up, and lots of people will start to reverse engineer the NSA's math to see what games they're playing.

The last ten years have sure been a wild ride.

An animal that survives in space

This is a Tardigrade, an animal that is about half a millimeter long.  What's interesting is that it can survive in very extreme environments.

They have been found in hot springs.  They've been found in the deep ocean.  They've been found living under ice sheets.  They can go without food or water for 30 years, during which they enter a sort of suspended animation state where their metabolism drops by 99.99%.

They can survive temperatures approaching absolute zero, and in 2007 they were sent into orbit and once returned to Earth were reanimated.  There's currently talk that they could live on Mars if there were anything for them to eat.

Pretty wild.
 

Tuesday, June 6, 2023

D-Day + 79 (years)

There's quite a discussion in the comments over at Peter's place about whether Lindbergh was right (probably) and by implication whether we should have sat WWII out.

Once the Japanese attacked us at Pearl Harbor and then Adolf Hitler declared war on us the following day, that ship had sailed.  These men fought because we had been attacked, and because Hitler had thrown his hat into the ring with Tojo.

As Big Country likes to say, period, dot.

Having stood at the top of that ridge at Omaha beach, and having walked the grounds of that cemetery, remember the men of that day.

Even security vendors get hacked

Barracuda Networks is a long-established security vendor (you've likely seen their billboards in airports).  As it turns out, their email security gateway has a vulnerability that the Bad Guys have been exploiting for months:

A critical remote command injection vulnerability in some Barracuda Network devices that the vendor patched 11 days ago has been exploited by miscreants – for at least the past seven months.

Barracuda said it discovered the bug, tracked as CVE-2023-2868, in its Email Security Gateway (ESG) appliance on May 19 and pushed a patch to all of these products globally the following day.

In a security alert posted on Tuesday, however, the vendor disclosed that the vulnerability was under active exploit long before the patch arrived. The flaw, which affects versions 5.1.3.001 to 9.2.0.006 of the ESG appliance, can and has been abused to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes.

Clearly this is a major embarrassment for the company but it highlights just how hard security is to do correctly, year in and year out.  Consider:

  • Barracuda clearly has the security expertise needed to prevent this.
  • Barracuda clearly has a significant motivation to prevent this - they've taken some pretty major reputational damage here.

But it still happened.  It's happened to other security vendors before, and will happen to security vendors in the future because doing security properly is really, really hard.  The Bad Guys don't have to be perfect every single time - not by a long shot, but anyone playing defense against them sure does.
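The vulnerable-version range quoted above (ESG 5.1.3.001 through 9.2.0.006) is the kind of thing a defender has to check against an appliance inventory, and it is easy to get wrong by comparing version strings as text. The script below is an added example, not code from this post or from Barracuda: it parses dotted versions into numeric segments, tests each appliance against the quoted range, and, following the vendor's later advice that affected appliances be replaced regardless of patch level, flags every in-range build as "replace". The hostnames and versions in the sample inventory are constructed, and the verdict labels are my own.

```python
from typing import Iterable, List, Tuple

# Affected range as quoted in the post: ESG versions 5.1.3.001 through 9.2.0.006, inclusive.
AFFECTED_LOW = "5.1.3.001"
AFFECTED_HIGH = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted ESG-style version string into integer segments.

    Segments such as '001' and '006' are zero-padded, so each one is compared
    numerically. A plain string comparison would order '9.2.0.10' before
    '9.2.0.006' and misclassify it.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """True when version lies within [low, high] by segment-wise numeric comparison."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (hostname, version) pairs into (hostname, version, verdict).

    Verdicts (labels chosen for this example):
      'replace'      - build is in the affected range; per the advisory quoted
                       in the June 9 post, replacement is the remediation
                       regardless of any patch applied afterwards.
      'not-in-range' - build is outside the quoted range.
      'unparseable'  - inventory data is not a dotted numeric version.
    """
    results: List[Tuple[str, str, str]] = []
    for host, version in inventory:
        try:
            verdict = "replace" if in_affected_range(version) else "not-in-range"
        except ValueError:
            verdict = "unparseable"
        results.append((host, version, verdict))
    return results


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("esg-hq-01", "9.2.0.006"),     # upper bound of the range, still affected
    ("esg-hq-02", "9.2.0.007"),     # one build past the range
    ("esg-branch-01", "5.1.3.001"), # lower bound of the range
    ("esg-branch-02", "5.1.2.999"), # just below the range
    ("esg-lab-01", "9.2.0.10"),     # numerically above the range; string compare would get this wrong
    ("esg-lab-02", "unknown"),      # bad inventory data
]

if __name__ == "__main__":
    for host, version, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:15} {version:12} {verdict}")
```

The point of the numeric comparison is the "esg-lab-01" row: a text comparison puts "9.2.0.10" inside the range because "1" sorts before "6", while the numeric check correctly places it above 9.2.0.006. Whether a build later than the quoted range is actually safe is a question for the vendor's advisory, not this script; it only tells you which appliances fall inside the range the post quotes.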

Monday, June 5, 2023

Pigs Hackers In Space!

This isn't quite the 21st Century I was promised, but this sounds like a very interesting idea:

Assuming the weather and engineering gods cooperate, a US government-funded satellite dubbed Moonlighter will launch at 1212 EDT (1612 UTC) on Sunday, hitching a ride on a SpaceX rocket before being released into Earth's orbit.

And in roughly two months, five teams of DEF CON hackers will do their best to successfully remotely infiltrate and hijack the satellite while it's in space. The idea being to try out offensive and defensive techniques and methods on actual in-orbit hardware and software, which we imagine could help improve our space systems.

Each year there is a security conference held in Las Vegas.  The Black Hat Briefings are pretty corporate and button-down, but it's pretty much the high point of the security year.  Black Hat's red-headed stepchild is held immediately afterwards: DEFCON is where security folks let down their hair and let their freak flag fly.  In many ways, it's more interesting than Black Hat.

For example, they set up a network where people play "capture the flag", computer security style.  The attendees are also notoriously skeptical of the government, and have a "Spot The Fed" contest each year.

This is a very interesting approach taken by the Fed.Gov in that the visibility and coolness factor of hacking a satellite in orbit will totally overwhelm the natural tendency of the attendees to avoid all things Fed.

Interestingly, Dwight (your go-to guy for obituaries and which coaches have been fired) is also your go-to guy on DEFCON reporting.

Sunday, June 4, 2023

Eric Clapton & Johnny Depp tribute to Jeff Beck

Who knew that Captain Jack Sparrow played the axe?  He's the one in the blue hat.

Full line up:
Eric Clapton
Doyle Bramhall II
Gary Clark Jr
Kirk Hammett (with Greeny)
Susan Tedeschi
Derek Trucks
Ronnie Wood
Johnny Depp
Billy Gibbons
John McLaughlin
Robert Randolph
Olivia Safe
Rod Stewart
Imelda May
Joss Stone

Sergei Rachmaninoff - Rhapsody on a Theme of Paganini

This music has appeared in many, many films from "Somewhere In Time" to "Groundhog Day" to "The Walking Dead".  It should be familiar to most of you.  This is Arthur Rubinstein on the piano.

Friday, June 2, 2023

Joe Bonamassa & Eric Clapton - Further On Up the Road

Because it's Clapton and Joe B - which means it's awesome.

Thursday, June 1, 2023

Unplug your Ring cameras

And maybe your Alexa as well:

America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.

The regulator on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus.

The e-tail giant’s Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”

This report is absolutely damning.  Ring employees accessed thousands of videos - the report goes into detail about one employee looking at "Master Bedroom" camera videos of dozens of "pretty girls".

If you have any hesitation at all about unplugging (especially) internal house cameras, read the whole link.  You'll want to take a shower afterwards.

And Ring cameras in your bedroom?

[blink] [blink] [blink]

The report discusses how Amazon employees listened in on customers' children and retained the recordings in violation of the law.  Good grief.

My recommendation is to ditch all this spyware ASAP.  Ugh.

In which I de-Endorse Donald Trump for President

If it is not right do not do it; if it is not true do not say it.

― Marcus Aurelius, Meditations

I have been at least a luke-warm supporter of Donald Trump for years.  Heck, there are over 200 posts there, mostly talking up his virtues.  Go, read, if you don't believe me.

But I am no longer comfortable posting about how Donald Trump would make a good President, because I do not any longer think that he would.

The Donald has come out against Ron DeSantis, not that this is surprising - after all, they are opponents for the Republican nomination.  I don't have a problem with that.  What I do have a problem with is the dishonest way that this opposition has come out:

Donald Trump's people attacked Ron DeSantis for (a) not slavishly following The Donald's massively damaging lockdown recommendations and then for (b) being entirely correct in doing so.

Let me be clear: Ron DeSantis saved Florida's economy by ignoring advice from Donald Trump's administration.  I was here.  I saw this.  I had just moved here from The Democratic People's Socialist Republic of Maryland and know people whose lives were destroyed by the Covid lockdowns imposed by a Republican Governor there.  So where are the "Trump War Room" objections to the Covid-19 lockdowns from (Republican) Governor Larry Hogan?

[crickets]

Go ahead.  Amaze me.

[I'm waiting]

Yeah, that's what I thought.  Someone who was all up The Donald's butt is a-OK, but someone who did something positive for his State (even though it went against your flunky's advice) is the Worst Thing Ever.  Quite frankly, I'd have more respect for this if (a) their advice was worth a plug nickel and (b) your flunkies weren't trying to undermine you at every step and (c) you had had a damn clue about (b).

You didn't, and still don't seem to.  Quite frankly, this is the biggest knock against you - you brought your enemies into your inner circle, and you won't recognize allies if they don't kiss your butt.

To The Donald (as if he'd pay attention): We thought you were on our side.  We trusted you.  Like Bluto in Animal House, we f**ked up.  And now we see that someone who actually earned that trust is in your cross-hairs.

And so while I think you accomplished a lot in your first term, I don't think you are earning a second one.  Your ego is too big to allow someone actually accomplished to join you in the Oval Office.  And so, adieu.  Good luck, because you're going to need it. 

You are in an election.  You are facing adversity.  Remember that Adversity does not build character, it reveals it.  You are revealing more than you should like.  Stop doing that, or keep losing supporters.

Sorry, you've lost a supporter here.  Don't come calling after the nomination.  You're not Presidential material.

Whenever you are about to find fault with someone, ask yourself the following question: What fault of mine most nearly resembles the one I am about to criticize?
― Marcus Aurelius, Meditations