Showing posts with label wtf. Show all posts

Wednesday, October 9, 2024

Florida Man lives in my neighborhood?

Sumd00d posted to the neighborhood Facebook group, recommending that people prepare their lanai screen for the high winds by cutting them.

[blink] [blink]

That's some righteous hurricane prep, right there [rolls eyes so hard you can hear it over the hurricane]

My thought is why not open all your windows to keep the wind from blowing them out, amirite?  Sheesh.

Friday, October 4, 2024

Meta fined for storing user passwords with no encryption

Holy cow, I've been in this industry for decades and can't remember a time when everyone knew that you encrypted the damn passwords*:

Officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.

Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

This is such a rookie mistake that it makes you wonder what those 9 million queries were looking for.  Meta has such a horrible reputation for abusing its users' privacy that the suspicion is that this was just one more wring on that rag.  That's only a suspicion, but Meta has certainly earned that suspicion over the years.

* Yeah, yeah I know - one-way hash.  I try not to use too much tech jargon.
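
Since the footnote raises the point, here is what "encrypting the damn passwords" actually looks like in practice, as an added example (my code, not Meta's and not from the cited article): a salted scrypt hash is stored instead of the password, verification recomputes the hash and compares in constant time, and the login handler redacts credential fields before anything reaches a log, which is exactly the path by which plaintext passwords ended up in a searchable database. The cost parameters, field names and the sample login event are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values chosen for this demo, not any
# real system's settings.  Memory use is 128 * N * r bytes, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per password
KEY_LEN = 32    # bytes of derived hash

# Field names that must never be written to a log in the clear (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<hash hex>'.

    Only this record is kept; the plaintext password is never stored.
    A fresh random salt per password means two users with the same
    password still get different records."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Malformed records verify as False rather than raising."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, expected)


def redact_for_log(event: dict) -> dict:
    """Copy of a login event that is safe to log: credential-looking fields
    are replaced with a marker, so a debug log can never turn into a
    password database."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in event.items()}


def login_attempt(event: dict, stored_record: str) -> bool:
    """Simulated login handler: logs a redacted copy of the request, then
    checks the submitted password against the stored hash."""
    print("login event:", redact_for_log(event))   # never the raw event
    return verify_password(event["password"], stored_record)


if __name__ == "__main__":
    # Constructed sample: one user record and two login attempts.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("ok?", login_attempt({"user": "alice",
                                "password": "correct horse battery staple"}, record))
    print("ok?", login_attempt({"user": "alice", "password": "hunter2"}, record))
```

The record is self-describing (scheme, salt, hash), so the cost parameters can be raised later and old records re-hashed on the next successful login. The redaction step is the part most shops forget: the hash protects the database, but a request logger that dumps the whole form body defeats it.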

Thursday, September 5, 2024

Well, that's one way to improve the Internet coverage on a Navy ship

Navy finds hidden Starlink dish on ship:

Still, the ambassador had nothing on senior enlisted crew members of the littoral combat ship USS Manchester, who didn't like the Navy's restriction of onboard Internet access. In 2023, they decided that the best way to deal with the problem was to secretly bolt a Starlink terminal to the "O-5 level weatherdeck" of a US warship.

They called the resulting Wi-Fi network "STINKY"—and when officers on the ship heard rumors and began asking questions, the leader of the scheme brazenly lied about it. Then, when exposed, she went so far as to make up fake Starlink usage reports suggesting that the system had only been accessed while in port, where cybersecurity and espionage concerns were lower.

Well, it is a pain in the rear end to get hooked up to SIPRnet ... 

Of course, there's been a general helping of Courts Martials to everyone involved.

And the funniest bit?  Elon Musk had Starlink change the default WiFi SSID to "Stinky" to encourage customers to change the damn defaults.

Wednesday, September 4, 2024

What is this, 1990?

SolarWinds issues security patch to eliminate hard coded password:

SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data

The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.

[blink] [blink]

What makes this even more double-plus ungood is that SolarWinds is a security company.  They know that hard coded passwords are not just A Very Bad Thing Indeed, but considered harmful*.

I guess the only other possibility is that they don't know this, but I just don't believe that.  Heads should roll over this.

* Old computing graybeards will remember the ACM paper "GoTo Considered Harmful" which created such a furor that "considered harmful" is now considered harmful when used descriptively.

Except here, where it is 100% justified.
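
Hard-coded credentials are one of the few defects a build pipeline can catch before a product ships, so as an added example (my code, not SolarWinds' and not from the cited article) here is a small scanner that flags the usual shapes: a literal assigned to a password-like name, a credential embedded in a URL, and private-key material checked into the tree. The patterns, placeholder list and the constructed sample files are assumptions for the demo; the sample also includes the correct pattern, reading the secret from the environment at run time, which the scanner leaves alone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns that commonly indicate a baked-in secret.  Assumed, illustrative
# signatures for this demo, not those of any real scanner.
CREDENTIAL_PATTERNS = [
    # NAME = "literal"  where NAME looks like a password/secret/token field
    ("assignment", re.compile(
        r"""(?i)(?:password|passwd|pass|pwd|secret|api[_-]?key|token)\w*"""
        r"""\s*[:=]\s*["'](?P<value>[^"']{4,})["']""")),
    # scheme://user:password@host
    ("basic-auth-url", re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s/]+)@")),
    # PEM private key material committed to the tree
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Obvious placeholders that documentation legitimately contains.
PLACEHOLDER_WORDS = {"changeme", "password", "example", "xxxxxxxx"}


@dataclass
class Finding:
    path: str
    lineno: int
    kind: str
    masked: str     # enough of the value to locate it, never the whole secret


def is_placeholder(value: str) -> bool:
    return value.lower() in PLACEHOLDER_WORDS or value.startswith(("${", "{{", "<"))


def mask(value: str) -> str:
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Report every line of one file that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if "value" in pattern.groupindex:
                value = m.group("value")
                if is_placeholder(value):
                    continue
                masked = mask(value)
            else:
                masked = m.group(0)      # a PEM header is not itself secret
            findings.append(Finding(path, lineno, kind, masked))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample tree.  The Java file shows the mistake (a literal admin
# password compiled into the product); settings.py shows a credential
# embedded in a URL next to the correct run-time lookup; the .ini file is a
# documentation placeholder; the .pem is a key that should never be in git.
SAMPLE_FILES = {
    "legacy/HelpDeskAuth.java": (
        "public class HelpDeskAuth {\n"
        '    static final String ADMIN_USER = "helpdeskadmin";\n'
        '    static final String ADMIN_PASS = "S3cretPassw0rd!";\n'
        "}\n"),
    "deploy/settings.py": (
        "import os\n"
        'DB_URL = "postgres://svc:Hunter2@db.internal/app"\n'
        'PASSWORD = os.environ["APP_DB_PASSWORD"]  # injected at run time\n'),
    "docs/config.example.ini": 'password = "changeme"\n',
    "keys/dev.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedKeyMaterial...\n"
        "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno}: {f.kind} ({f.masked})")
```

Run it as a pre-commit hook or a CI step and fail the build on any finding; the masked value is deliberately all it prints, so the scanner's own output does not become another copy of the secret.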

Tuesday, August 27, 2024

Well, that doesn't sound like much of a "Cybersecurity Lab"

Cybersecurity Lab didn't use antivirus:

Dr. Emmanouil "Manos" Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the last few years from the US government for Department of Defense research projects like "Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition."

The government yesterday sued Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they were not in compliance with such protocols, and then submitted invoices for their DoD projects anyway.

It seems that Dr. Antonakakis wasn't much impressed with antivirus products.  Fair enough - it's a perpetual game of locking the barn door after the horse got out.

But the contract said that the lab would follow particular standards (in this case, NIST 800-171) which mandates antivirus, and the lab issued compliance statements with the invoices they submitted.  This case seems pretty cut and dried.

And not at all impressive for Georgia Tech Cybersecurity Lab.

 

Wednesday, August 21, 2024

Disney+ Terms of Service does not give blanket immunity

Sanity breaks out at Disney:

Disney said it is abandoning its motion to compel arbitration in a case filed by a man who alleges his wife died from anaphylaxis after a restaurant at a Disney complex failed to honor requests for allergen-free food.

Disney's motion to compel arbitration controversially cited the Disney+ streaming service's subscriber agreement, which includes a binding arbitration clause. The plaintiff's lawyer called the argument "absurd."

Disney confirmed this week that it will withdraw the motion, which it filed on May 31.

Good.  It was a stupid argument anyway.  Man, they generated a lot of ill will with that bone-headed move, though.

 

 

Thursday, August 15, 2024

The buzz from Black Hat this year

Every year in the heat of the Las Vegas desert is the Black Hat Briefings, the premier computer security conference.  There's always interesting news from the briefings (and from the much less buttoned down conference, DEFCON, which runs immediately afterwards).

So what's the buzz from Black Hat this year?  It seems that Palo Alto Networks had Booth Bunnies at their display booth:

[blink] [blink]

Now I did my share of manning the booths (yes, I was a Booth Bunny, thank you for asking) back in the '90s and the '00s.  But even in the '90s we were considerably more buttoned down than this, and for good marketing reasons.  Sure, some of the attendees might like the scenery, but some will not - and some of them will very much not like the scenery.  This has been known to be bad conference marketing juju for literally decades.

Of course, the Palo Alto Networks' Chief Marketing Officer had to go full frontal groveling* in his apology:

PAN's chief marketing officer Unnikrishnan KP, or Unni as he's often called, issued his apology earlier this week calling it "tone deaf."

"Last week at Black Hat in Las Vegas, an unfortunate decision was made at a Palo Alto Networks event to have hostesses wear branded lampshades on their heads," he said. "It was tone-deaf, in poor taste, and not aligned with our company values or brand campaign. 

"I take full responsibility for this misjudgment and have addressed it with my team and am taking steps to prevent such misguided actions in the future.

"Please accept my heartfelt apologies for this regrettable incident."

Nikesh Arora, PAN's chairman and CEO, doubled down on the apologies on Tuesday, echoing the points made by Unni, adding that what happened was "unacceptable."

I expect the headcount at Palo Alto Networks' marketing department has gotten a spin.  We apologize again for the fault in the subtitles. Those responsible for sacking the people who have just been sacked have been sacked.

* See what I did there?  I crack myself up.


Tuesday, July 2, 2024

So what's going on with Kaspersky antivirus?

It looks like just about all of their corporate execs (other than CEO Eugene Kaspersky) have been sanctioned by the US Fed.Gov.  Oh, yeah, the software is banned in the USA after July 20:

The US Treasury Department's Office of Foreign Assets Control (OFAC) cited national security threats in designating the 12 individuals as under sanction. In making the announcement, it also noted: "OFAC has not designated Kaspersky Lab, its parent or subsidiary companies, or its CEO."

The Treasury did, however, designate just about every other exec who reports directly to the Moscow-based firm's chief exec "for operating in the technology sector of the Russian Federation economy," which under EO 14024 is a no-no.

It follows Thursday's actions by the Commerce Department that prohibit Kaspersky Lab Inc from providing its software and other security services in America from July 20 — plus years of directives and mandates to kick Kaspersky products out of US government networks.

This seems weird - maybe it's just more escalation of Great Power Politics between the US and Russia by the neocons in our government.  Kaspersky has made good products, and a scan of the Borepatch archives shows only references to what has been a quality security company. 

If you use their antivirus, it looks like you need to go shopping.

Thursday, February 8, 2024

DEFCON moving from Caesar's Palace to Las Vegas Convention Center

Huh:

The world's largest hacking conference, held since 1993 and lately drawing in as many as 30,000 attendees, has been held in venues owned by the Caesars Entertainment for well over a decade. According to conference founder Jeff Moss, AKA Dark Tangent, the hotel and casino operator has unexpectedly canceled the con's booking for 2024 with no warning nor explanation. 

Weird.  But DEFCON will continue, at the Convention Center.

Saturday, December 16, 2023

The terms "Software Engineering" and "Military Intelligence" are strangely related

It is said that Engineering is "Science that works", so we have to relegate "Software Engineering" to the same bucket as "Military Intelligence" and "Jumbo Shrimp".  Exhibit A for the prosecution is this month's Microsoft Patch Tuesday, which fixes a data leakage vulnerability caused by a divide by zero condition:

CVE-2023-20588 is a “division-by-zero” vulnerability affecting specific AMD processors that can “potentially return speculative data resulting in loss of confidentiality.”

Microsoft addressed the vulnerability in its Patch Tuesday update round, as the latest Windows versions enable mitigation and protection.

[blink] [blink]

Oooooh kaaaaay.  Maybe I'm old fashioned but aren't folks taught that divide by zero is no bueno?  Like taught that in Coding 101?

All I can think is, well, bless their little hearts.  Wow.

Wednesday, October 11, 2023

The World is a strange place

Not just stranger than you think, but stranger than you can imagine. 

A few years back, The Queen Of The World and I rev'ed up the Harley and rode to Morgantown, WV for Mountainfest.  We had a blast - it was a great ride through spectacular scenery, the HOG folks were (as always) a hoot in a holler at the 'fest, and the concert was headlined by Alabama, playing "Mountain Music" and "Country Roads".

As you can imagine, it wasn't a concert, it was a sing-along.  

Well knock me over with a feather - it seems that "Country Roads" is a mandatory song at Oktoberfest in Germany, and everybody sings along.  Don't believe me?

Reminds me a bit of the bikers in Morgantown.  Found through a link from here, which includes this suggested rewrite of the lyrics for a German audience:

Almost Heaven
Schleswig-Holstein
Kaiser Wilhelm
Lederhosen fashions!

Life is Old there,
Older than the Zee!
Younger than the mountains
in Southern Germany.

Autobahn
Take me on
To the Place
to Goosestep On.
Western Poland
into Russia
Take me On
Autobahn
I hear his voice, in the morning hour he heils me.
Der radio reminds me of my oath of loy-al-ty
And drivin’ on to Moscow, I get feelin’
Shoulda been retreatin’
yes-ter DAY!
Yes-ter DAY!

Autobahn…

Whatever you do, don't mention the War.  I did once, but I think I got away with it.

Even weirder, it seems that the old Tennessee Ernie Ford "Sixteen Tons" is hugely popular in Russia.  Here is the Red Army Chorus (or whatever they're called now) doing a credible version of this from a couple decades back:

I like this version.  His voice is in a lower register than Ford's was, and that's saying a lot.  But Russian music has always had a bigger dynamic range than western music.  This just keeps that tradition alive.

Tuesday, May 2, 2023

US Navy research vessel Petrel tips over in drydock

Well this isn't something that you see every day.


Tuesday, October 25, 2022

@#$%! Google

There are a lot of blogs on the blogroll here that Google won't display.  Sure, it lets you add them to the blogroll but it only displays ten.  When the heck did they start that?

Apologies to those of you who mysteriously dropped off - it looks like I'm going to have to do major surgery to get everyone back.

Wednesday, October 5, 2022

Do you get strange Youtube suggestions?

Tacitus tilts at the algorithmic windmill and seems to be making some headway getting the oddball suggestions turned off

Tacitus, a grateful Internet thanks you.

Thursday, September 1, 2022

Google is weird

So yesterday my Google pageviews dropped 80%, from over 4000 two days ago to 1000 when I went to bed last night.  Today Google tells me that yesterday saw over 3000 views.

Never change, Google.



Wednesday, August 24, 2022

Security news

Not exactly a Security Smorgasbord post, but interesting and important stuff.

Lawrence has a post about a new sort of phishing scam pretending to be a Paypal invoice for a Walmart purchase.

There’s a new phishing scam making the rounds. I’ve received examples of this one twice myself over the last week, and since it’s a lot more sophisticated and polished than the average email phishing scam, I think it’s worth taking a look at.

You should go read - this is important.

Twitter's ex-Chief of security says that the company is entirely uninterested in knowing just how many bots make up the Twitter user population.  What makes this really big security news is that the ex-Chief is none other than Mudge, one of the original L0pht guys.  He has big, big stature in the security community.  I don't know how this will play out, but this will be enormously damaging to Twitter's share price.  But it's hard to see this Justice Department go after the Twitter execs who helped the Democrats so much over the last few years.  

The Metaverse sucks, and you cannot have any privacy there.  I expect you already know that.

Sumd00d hacks his Hyundai car to change the smart screen software.  What uber 31337 'sploit does he use to find Hyundai's secret encryption key?  Google.  For realz.  Angels and Ministers of Grace defend us.

Tuesday, August 16, 2022

I did not know that

Derek Ward posts a link that sort of undermines the whole "Florida is the Gunshine State" narrative

However, when you take into account the total population of both states, this gives Texas 21 gun stores per 100,000 people and only gives Florida 13.4 gun stores per 100,000 people. For comparison, most states on this list have well over 20 gun stores per 100k people.

C'mon, Florida - those are rookie numbers. 

On the converse side of things, Kentucky currently ranks the highest in terms of the total number of firearms purchased overall with the Bluegrass State purchasing more guns in the first half of 2022 than any other state in the union (a grand total of 2,094,787 firearms in the first 6 months).

Even ignoring the "Eastern Kentucky vs. Eastern Florida" mismatch, Kentucky is buying three times as many guns as Florida is.  Rookie numbers, indeed.



Thursday, March 24, 2022

Online voting is a persistently bad idea

Via Cold Fury, PJ Media writes about Redo Voting's Internet voting system.

tl;dr: Oh Hells No.

Longer discussion: it's QR codes on scratch off lotto style tickets, with a lot of crypto (SHA-2 512!) thrown in.  I haven't dug into the details but there are at least two glaring security holes here:

1. Your ballot seems to be stored unencrypted (you get a PDF file of your vote).  Sure, there's strong crypto (a SHA-2 hash of your ballot) to prove that it was your ballot, but anyone who gets into the data store will be able to post lists of who voted for whom.  If you think about California's Proposition 8 and how Brendan Eich was fired from his leadership role at Mozilla, this is very bad juju.  

Now maybe I'm wrong and the data is encrypted, but reading through their web site they don't say this at all.  This seems a really important item for a company touting "Unparalleled Security".

2. Their ballot counting software is, well, a server.  Anyone who can hack the server can fiddle the results.  Duh.  When you think of Internet Security you have to think in terms of who the attacker might be and what their motivation might be.  Given the huge financial benefits of winning a US national election (not to mention the geopolitical implications) you have to assume that the threat isn't script kiddies or hacktivists, but rather foreign state actors.  Or heck, domestic Three Letter Agency actors.

Do you think you can protect yourself against the NSA or the Russian FSB?  I don't think I can defend myself from them, and I don't think that Redo Voting can, either.  These attackers could easily justify funding tens of millions of dollars for a single attack - which could be as simple as bribing a system administrator to look the other way.

Game over, man.  Never mind that some more thought would almost certainly come up with more problems, this is enough.

So no, this is not a good idea.  It's actually a stupendously BAD idea, wrapped in crypto marketing fluff.  Maybe I'm being unfair to Redo Voting, but all I have to go on is what they say on their web site.  Quite frankly, it's very unconvincing.  What we need is not technology that helps centralize the voting process "for convenience"; we need distributed systems that need thousands of people to subvert.  Quite frankly, paper ballots are pretty hard to beat at this.

But if you like the fact that perhaps a quarter of the US population has serious questions about the integrity of the 2020 election, and if you would like to get that over 50%, then this is the bee's knees.  Otherwise, run away.  Keep running.  Don't look back.
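
The first objection above, that a SHA-512 hash of the ballot proves it is yours but does nothing for confidentiality, is worth seeing in code. This is an added example (mine, not Redo Voting's, and the ballot format is a constructed assumption): a bare hash of a ballot whose choice space is three candidates is reversed in three guesses by anyone holding the data store, even if the PDF itself were not stored, while a hash commitment over a random nonce that only the voter keeps still lets the voter prove their ballot and reveals nothing to the store. It does nothing for the second objection; a commitment scheme cannot make the counting server trustworthy.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed choice space and ballot format for the demo.
CHOICES = ("Candidate A", "Candidate B", "Candidate C")


def ballot_record(voter_id: str, choice: str) -> bytes:
    return f"voter={voter_id};choice={choice}".encode("utf-8")


def bare_hash(voter_id: str, choice: str) -> str:
    """SHA-512 of the ballot alone.  Proves the ballot is unchanged, nothing more."""
    return hashlib.sha512(ballot_record(voter_id, choice)).hexdigest()


def recover_choice(digest: str, voter_id: str, choices: Iterable[str]) -> Optional[str]:
    """What anyone holding the data store can do with a bare hash: the choice
    space is tiny, so every possible ballot for this voter is hashed and
    compared.  Returns the choice on a hit, None otherwise."""
    for choice in choices:
        if hmac.compare_digest(bare_hash(voter_id, choice), digest):
            return choice
    return None


def commit(voter_id: str, choice: str) -> Tuple[str, bytes]:
    """Hash commitment: SHA-512 over a random 32-byte nonce plus the ballot.
    The voter keeps the nonce; the store keeps only the commitment, which
    is indistinguishable from random without the nonce."""
    nonce = os.urandom(32)
    digest = hashlib.sha512(nonce + ballot_record(voter_id, choice)).hexdigest()
    return digest, nonce


def open_commitment(digest: str, nonce: bytes, voter_id: str, choice: str) -> bool:
    """Voter-side proof: re-derive the commitment from the nonce and the
    claimed ballot and compare in constant time."""
    expected = hashlib.sha512(nonce + ballot_record(voter_id, choice)).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    voter = "1234"                      # constructed voter id
    d = bare_hash(voter, "Candidate B")
    print("bare hash leaks the vote:", recover_choice(d, voter, CHOICES))

    c, nonce = commit(voter, "Candidate B")
    print("commitment leaks the vote:", recover_choice(c, voter, CHOICES))
    print("voter can still prove it:", open_commitment(c, nonce, voter, "Candidate B"))
    print("and cannot claim another:", open_commitment(c, nonce, voter, "Candidate A"))
```

The nonce is the whole difference: with it, the voter's proof works exactly as before; without it, the store holds 64 bytes that say nothing about who voted for whom. Whether voters can actually keep a 32-byte secret safe, and whether anyone audits the counting server, are the harder questions the post is really about.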



Monday, March 7, 2022

The Peasant's Rebellion

In 1381 an English construction worker named Wat Tyler had had enough of an oppressive and out of touch government.  He led a growing movement that became known as The Peasants' Revolt which descended on London and created panic and confusion in the government of King Richard II.

Richard wasn't a strong monarch, being only a boy at the time, and all of the peasants assembled before the city walls was an impressive sight.  The King negotiated with them to try to defuse the situation.  After all, the English Army was beating the French in the Hundred Years' War because of the yeoman Longbowmen who made up much of the peasant's armed host.

But it was all a ruse.  The King met with Tyler, something went wrong, and Tyler was cut down by the royal bodyguard.  The King rode out to address the peasant force who, leaderless, dispersed.  This is pretty typical of Peasant Revolts in general - very few of them have been successful.

US Truckers have descended on Washington, D.C., having had enough of an oppressive and out of touch government.  But they seem unfocused, with confused goals - the original "End the Covid mandates" having more or less been done before they reached DC.  I have no idea what they hope to accomplish.

Good luck to them, but history suggests that they are unlikely to be very successful at whatever they are trying to accomplish.
 

Thursday, February 24, 2022

I still don't think that we have any business intervening in Ukraine

I wrote this a month ago and don't think any differently:

The ghosts of Stalingrad

Peter doesn't think we have any compelling national interest to get into a war with Russia over Ukraine.  I agree, and would amplify it like this:

Why on earth are we talking about getting into a war in Russia in the winter?

I mean, you could ask Napoleon how that turned out, or the German 6th Army.  Heck, you could ask the Afghani allies we just left behind how good an idea this is.  Since our military has such a good track record this century.

Peter's take is that the Powers That Be are getting desperate as the economy is mired in stagflation, the vaxx mandate is increasingly unpopular, and Biden's approval rating drops lower than any President in my lifetime.  A foreign adventure is often the prescription for what ails them - politics ends at the water's edge, right?

Except no - firstly, this is nothing but madness.  Bill Clinton at least had the good sense to bomb a Somali aspirin factory rather than Sevastopol.  Secondly, we've heard from Democrats for 20 years that politics does NOT end at the water's edge.

Quite frankly, it's time for Congress to step up as the Adult Supervision* and pass a resolution saying that we do not have a compelling national interest in NATO expansion into Ukraine, and we sure as heck don't have a compelling interest in Americans getting killed over that.  It sure would be something to see the Democrats filibuster that.

It's been a long time since I've tagged a post "Atomic War" ...

* This just goes to illustrate how weird things are.

UPDATE 22 January 2022 18:17:  J.Kb has a must read post about this.

I would expand on this, with several additional arguments: 

  1. The Biden Administration has done terrible damage to our armed forces, which quite frankly may not have the capacity to respond meaningfully in a peer-to-peer shooting war.
  2. There is quite a good chance that if we do engage with Russia that the Chinese will think that this is the best opportunity they will ever see to take Taiwan back.  The ability of our armed forces to simultaneously engage with two peer-to-peer conflicts is roughly between slim and none.  And Slim just left town. (UPDATE 24 FEBRUARY 2022 12:01: Aesop has some Pertinent thoughts on this topic, and is more pessimistic than I am.)
  3. An actual shooting war involving the US and NATO will show that Donald Trump was right: NATO members have not been living up to their agreements on funding troop levels and readiness.  Quite frankly we all think that NATO is a paper tiger but a hot war will prove the point.
  4. A corollary to #3 is that the EU will come under big pressure to do something - anything - about the conflict and any refugees.  The EU will be paralyzed (because it's always paralyzed) and will be exposed as not the "United States of Europe" but rather a paper tiger just like NATO.
  5. Germans will begin to freeze in the dark.  They shut down a whole bunch of base load power (Energiewende) and now the Russians have them over a barrel.  Fuel Poverty is a real thing.

I'd like to digress in particular on #5.  We are seeing a fair amount of the usual jingoistic banging of the War Drum, with people not sufficiently enthusiastic about World War III being called "stooges" (or worse).  Quite frankly, I'd be more impressed with these attacks if they were also leveled at the greenie Watermelon crowd (Green on the outside, Red on the inside) who are hamstringing our fossil fuel industries (both here and in Europe).  Nothing gives Vladimir Putin more leverage over the West than this.  No war for European oil, and all that.

This post is tagged "idiots" because, well, you know.

UPDATE 24 FEBRUARY 2022 12:01:  Stephen Green at Instapundit muses about why Putin pulled the trigger and invaded.  I think it's quite simple: he thinks he will get away with it.  Quite frankly, I expect he's right.