A winter doldrums public service post

Over at Flares Into Darkness, there is a bunch of beach paintings.  Yeah, it looks exactly like that here right now.  Here's an example:

Go check them out.  This is a daily read for me.

Interesting Security News

Item the first: follow the money:

Trend Micro's Zero Day Initiative (ZDI) held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero day vulnerabilities.

Researchers from French security outfit Synacktiv took home $450,000 after demonstrating six successful exploits, one of which saw the company’s crew gain root access to a Tesla Modem. Another effort found a sandbox escape in the Musk-mobiles’ infotainment system.

Other popular targets at the three day event included after-market infotainment systems and, more troublingly, a whole host of successful hacks on EV chargers.

This is a good strategy - show me the hack, I'll show you the money.  More, please.  Plus, good on them picking automotive computing as the target.  Long time readers will recall that this is something I've been harping on for quite some time.

Item the second: SEC gets pwned (same link as above): 

We had our suspicions when Twitter/X blamed the US Securities and Exchange Commission for the account takeover that led to the premature release of news the regulator would allow Bitcoin exchange-traded funds– and those suspicions have been confirmed.

"The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," the Commission admitted last week.

For those unfamiliar with this form of attack, SIM swaps involve convincing a telecom carrier to transfer a phone number to a new SIM card (a shift for which there are a variety of legitimate reasons), giving an attacker control over communications going to and from that number – like a second authentication factor.

That didn't matter, of course, because the SEC also admitted it disabled multi-factor authentication with Twitter support in July last year "due to issues accessing the account," but no one bothered to turn it back on.

"It made security too hard and then we forgot all about it" is an excuse that I suspect that SEC investigators wouldn't accept.  Top. Men.

Notre Dame de Paris on track for complete restoration later this year

This video is somewhat light on details but it's impressive just how many people are involved in the project.

This video is more in depth on what has happened over the last 90 days or so.

The dangerous side of IT security

Security researcher fined for revealing insecure system:

After discovering and reporting a vulnerability in an e-commerce database that was putting customers and their personal information at risk, a security researcher in Germany was fined €3,000 for doing so.

In 2021, a contractor, known as Hendrik H., said he was troubleshooting software for Modern Solution GmbH when he realized that password access to the remote server was stored in plain text in MSConnext.exe. This easy access would make the password simple for many to find, and a threat actor could access data to everything stored on the database server, including customer information.

There is a lot of back and forth on this between the company and the researcher, with court appeals (and more planned).  But this seems odd to me.  If the researcher was working for the company (as stated) then why did he not have a "get out of jail free" card from company management for what he was doing?  This is basically a letter (typically from the Chief Information Security Officer) saying the researcher is authorized to poke around and that the company will hold him harmless.  It also will have non-disclosure and other restrictions so that the researcher won't up and publish embarrassing info.

 It doesn't seem that any of this was in place, so I'm wondering what sort of "research" this guy was up to.

Dad Joke CCCVI

Singing in the shower is great until you get shampoo in your mouth.  The it becomes a soap opera.

Constitutional Crisis

The bustard's a fortunate fowl
with almost no reason to growl.
Saved from what would be
illegitimacy
by the grace of a fortunate vowel

Via Aesop comes news that the Republic is now in a full fledged constitutional crisis.  The short version: Texas put up razor wire along the border, the Federales cut it down, Texas sued to stop the Fed interference, and the Supreme Court sided with the Feds.  Now Texas has told SCOTUS to pound sand and the Texas National Guard is putting up more razor wire.

It is unreported whether Texas Gov Abbot echoed Andy Jackson's famous words that the SCOTUS has issued its ruling, now let them enforce it.

This is an enormous blow to the prestige and legitimacy of the Supreme Court, and demonstrates just how fragile that sense of legitimacy is.  Good grief, what an unholy mess.

May God save this honorable Republic.

Dad Joke CCCV

It's been a month since my last Dad Joke, where I promised to do better (after a month long joke hiatus).  The Spirit is willing, but the Flesh is weak ...

But Tuna left a comment to that post with a new Dad Joke!  Reproduced here in full:

Good God, it's been a month since this month late dad joke!

Here's one: Do you want a brief explanation of an acorn?
In a nutshell, it's an Oak tree.

Thanks, Tuna!

R.I.P. Peter Schickele

"Professor"* Peter Schickele has passed away at the fine old age of 88.  Dwight has the obit.  I ran across his music back at State U, and have enjoyed its very clever music inside baseball ever since.

I hadn't known that he orchestrated Joan Baez's Noel album.  I also hadn't known that he won four Grammys.

Schickele, of course, created the P.D.Q. Bach character.  One of my favorites is here, "The Art Of The Ground Round".  I had this album, Back In The Day.

Rest in peace.

* It seems that he taught at Julliard, so the term isn't clearly wrong.

Big 2A gun decision

Lawrence has a good post up about the recent win (for the Good Guys) striking down firearms prohibitions in Post Offices.  This bit is they key:

The big difference here is that previous anti-gun laws overturned in the wake of Bruen have been state laws, but this one is a federal law. Perhaps one slipped by while I wasn’t looking, but I believe that this is the first federal law overturned in the wake of Bruen.

Decision by decision, the Second Amendment is slowly being restored to its proper place in American jurisprudence.

Sure looks that way.

 

Schadenfreude

 

 The cold weather in the midwest is stranding some Tesla drivers. This article is from Chicago, but reports are coming from other cities affected by the current cold snap. The issues include not having enough charge to properly preheat the battery so it will take a charge, not being able to charge at all, and getting only a partial charge that limits the available range. 

"Tesla owners in Chicago were left in dire straits as they were unable to charge their cars because of freezing weather temperatures.

Fox Chicago reported that charging stations have become "car graveyards" as temperatures drop into negative double digits. It comes as drivers also discovered the Tesla Cybertruck has less than 80% of its advertised range in cold weather.

Tyler Bears, who had tried to charge his Tesla at a charging station in Oak Brook, Illinois, was stuck for hours. He said: "Nothing. No juice. Still on zero percent. And this is like three hours being out here after being out here three hours yesterday.""

 Tesla has some helpful information under their Cold Weather Best Practices. Among the tips is the suggestion to not use the cabin heater while driving to save battery power. 

10 War movie actors who served in combat

This is pretty cool:

Lots that's predictable, but a lot that's new.  Christopher Lee makes the list, but as we all know he was a badass.  I hadn't known that Clark Gable flew combat missions.  Oh, and Jimmy Stewart wasn't on the list but should have been.

But interesting.

Bavid Bowe - Space Oddity

(See what I did there?)

 

It's a little out of place to tag something Modern Monday when it was recorded over half a century ago, but this still sounds like nothing on the radio today*.

* Unless you listen to "Classic Rock" ...

Information Security is hiring

The World Economic Forum (I know, I know) released a report of the fastest growing and fastest declining job fields.  Information Security is their 4th fastest growing job field. 

And it's cheap to get into the field.

Introducing The Queen Of The World

Michael left a comment to last night's post where I was off to sack Rome and TQOTW was a mermaid:

Show us your ugly mug but keep the mermaid for yourself?

Sigh, so uncivilized. LOL

Touche, Michael.  So with her permission, here she is as the Queen of the World:

And here is the mermaid:

Man, this web site has made us waste a lot of time on a Sunday morning.

Excuse me, I'm off to sack Rome

OldAFSarge finds a fun site.  It clearly has an AI back end because there's no way I'm this good looking.

Oh, and how do we get to the bottom of who sacked Rome?  Better get a 1930s Gumshoe:

Yeah, I did The Queen Of The World as the Queen of the World.  And as a mermaid.  It's awesome.

Highly recommended.

Why, oh why?

People like to (as The Queen Of The World likes to say) complicate a cornflake.  Case in point: dimmer switches.  I've been swapping dimmer switches for simple on/off ones for literally (mumble mumble) decades.  It's dead simple.

Except now it's not.  Most new light bulbs are LED type, because Congressional Lobbyists for General Electric wanted all of us to pay $5/bulb instead of 50 cents.  Thanks ever so much, Congress.  But the Twilight Lone experience doesn't end just at sticker shock.  Consider the failure points:

1. Your LED bulbs must be "Dimable".  They won't dim if they're not, and you'll pay a premium for this.
2. Your dimmer switch must be for LED bulbs.  It won't work with normal incandescent ones (assuming you can even get these anymore).  You will (wait for it) pay a premium for this.
   
3. The new dimmer switches are bigger than the old ones.  This isn't a problem if you have only one switch in the electrical box; this is a big, big problem (see what I did there?) if you have multiple switches in the same box, covered with a multi switch face plate.

That last one means that there are lights that I simply cannot dim, because I can't swap out an existing on/off switch for  one of the new, high-falutin' (and expensive) LED dimmer switches because it simply won't fit. 

Gee, thanks for jacking everything up, Congress.  Nobody's life, liberty, property, or sanity are safe when you're in session.  Jerks.

New exploits being released same day as the patch

This isn't great:

Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.

97 high-risk vulnerabilities, likely to be exploited, were not part of the CISA Known Exploited Vulnerabilities (KEV) catalog.

25 percent of these security vulnerabilities were immediately targeted for exploitation, with the exploit being published on the same day as the vulnerability itself was publicly disclosed.

Bold emphasis is mine.  This is really not great at all.

 

 

Nikalaus Wirth, R.I.P

Computer scientist Nikalaus Wirth passed away on New Year's Day.  Wirth is known for creating the Pascal computer language - full disclosure: I wrote a fair amount of code in Turbo Pascal way back in the day. 

Pascal passed out of fashion (if indeed it was ever fashionable) a long while back.  What I remember of Wirth was his wit.  Asked at a conference what the proper pronunciation of his name was.  He answered that you could call him by name, in which case it was pronounced "Weert".  Or you could call him by value in which case it was pronounced "Worth".  Funny, in a really geeky way.

So which stores use facial recognition technology to track you when you shop there?

Interesting.   There are a lot of surprises on this list, both stores I expected to use this tech who say they won't, and stores I expected not to who do.

(via)

More on the Herculaneum Scrolls

This is an excellent layman's introduction to what the big deal is about the Herculaneum Scrolls.  Short answer: it's a very big deal indeed.

This video gives background on why Herculaneum is such a unique site, and why the scrolls discovered there could only have been found there.  Highly, highly recommended.

The (Blog) year in review

Goodbye 2023, and good riddance.  Hello 2024 - may it be better than the last year.

2023 saw 1.5M page views which was pretty good.  Strangely, a lot of this was traffic spikes (mostly from Google) to more or less random old posts.  The steady-state traffic seems to be around 2500 page views a day.  Still pretty good especially considering how infrequently I post these days.

2023 saw all of you leave over 1600 comments, which is great.  I don't do a great job replying to comments but read (and appreciate) them all.

Top posts from 2023:

Picking a strong password
I am TJIC (from 2011)
Unplug your Ring cameras
For Sale, NASA Security Van
Breaking the Youtube ad/spy algorithm
New Jersey Supremes to cops: get a wiretap order
S.S. Minnow still going strong after 60 years
Finally some better medical device cyber security
Be careful with Ring doorbell video cameras
The Renaissance is being blogged (from 2010)

Unsurprisingly, these are all security related (well, the ones from 2023).  That makes sense.

Thanks to the top referring sites: Knuckeldraggin My Life Away, The Ferrel Irishman, Raconteur Report, Normal American, The Silicon Graybeard, Gun Blog Blacklist, Busted Knuckles, Captain Capitalism, and Old NFO.