Posts by Crazy Operations Guy 2513 publicly visible posts • joined 29 Jun 2009
Because the concern is that the people that got paid had no legal authority to do so, or even if they had the authority, they didn't sign it of their own free will.
It'd be pretty hard to argue that the government of Mauritius was operating under their own free will as they were facing down two massive nations that have a long history of knocking over governments they don't agree with and then installing their own leaders.
"If the door opens outwards (ie towards you)"
If it opens outward, then you have access to the hinge pins, a nail/screw/rod and a hammer (Or a solid, heavy bit of metal) would solve that problem right quick without causing too much damage.
I remember working the weekend and dropping my ID badge in the data-center, everyone that could get me in would be gone until Monday. So I grabbed an Allen key and an old 3.5" hard disk and knocked the hinge pins out. Then I tapped them back in a few hours later without anyone even being aware of what I did.
The problem is also that a lot of people give a shit, but lose their enthusiasm when they realize that companies are being controlled by shareholders that don't care about the company at all beyond the few bucks they can make int he short-term. The biggest problem in our modern form of capitalism is that companies are being controlled more and more by short-term traders that care little about the future of the company and only care about short term gains so they can pump the stock then dump for a few bucks of profit. The way everything is set up is that it encourages shareholders to buy into a company, force shoddy, but heavily-hyped, products onto the market. Then before the flaws int eh product are noticed by the public, the shareholders have rode off into the sunset with their piles of cash, heading off to ruin another company.
For the last few years, I've been in favor of moving away from a stock market system and replace it with a corporate bond market. At least then you'll get investors that give at least a fraction shit about what happens with the company 5, 10 years in the future.
I'm just waiting for the day that one of these credit monitoring agencies gets hacked. They are hanging onto a lot of data and any identity theft that results would just be blamed on the initial hack...
Although putting on my tinfoil hat, I wouldn't be surprised if this has already happened.
I made a deal with a coworker who works in an office on the other side of the ocean. So now we just buy identical servers, and use ssh tunnels (via a pair of OpenWRT-based routers to connect our sites, and another ssh tunnel on the machines) to make them accessible to the other person. Then we just rsync our machines to directories on those servers.
Right now we both have a small ITX-based machine with 4x 10 TB HDDs in them. The systems run off a pair of 8 GB thumb drives running FreeNAS with ZFS on them for encryption and reliability. To keep things secure, we have IPMI turned on so we can remote into our system and enter the passphrase to decrypt the drive (that way, just because we are in physical possession of the machine, we can't decrypt any data on it). We also have the fact that we both have the same reason to trust in the other and stand to lose the same amount for breaking the trust.
We've been doing this for like 8 years now, every so often we'll go in together to buy new machines, UPSes and routers. Sure, it costs us an average of like $500 a year, but worth it to have 30 TBs of storage all to ourselves and no worries over whether we're being spied on, the service is just going to fall over in a way that is out of our hands, or suddenly find out that the company is deleting a bunch of files without warning...
Putting the infrastructure in place to filter files sounds like it'd be more time/effort/cost than just sucking it up and buying more disks and bandwidth. Especially since, like all backup services, they charge per gigabyte / TB. Mass storage, especially of the performance level you'd expect for backups, is ridiculously cheap nowadays, you can get disks at less than 3 cents per gigabyte and you can get a 90-bay JBOD chassis for about $10-15k. Bandwidth is fairly cheap too.
I always told them that I had left my work phone in my office to avoid costing the company for the roaming charges. I'd check my email in the evening, and if anyone wanted me to return early, I'd list out the cost of changing my flight and ask them for their approval for the expense. That usually caused them to back down. If they pushed forward, I'd tell them "Sorry, but the only seat left is in First Class and now <this much> more..."
I did the opposite. Shouty people would go on top of my list, but I'd let everyone know that I was doing so.
When I working for IT at my university, we had a ticketing system / work schedul8ing system where you can drag and drop tasks on a big list with each task being a different size based on the length of time it was estimate to take. Each task was tied to a ticket. The whole thing was visible for the entire company (well, except our black tickets, but those would be created by the IT director and would be for specific sensitive tasks). The tickets would also have an auto-populated list of related tickets. So that way, someone could also see that I am doing that task for like the 20th time.
This way, we'd get everyone waiting for work to shout at all the people wasting our time. We found that the easiest way to take down some blustery senior manager was not to go at them directly, but to get everyone else to yell at them. Its easy for a senior manager to destroy the career of a single junior IT worker, but a group of low-level managers and workers, on the other hand, have a lot of power.
It also helped that they could see that they are inconveniencing a lot of people and not just some lowly IT support worker.
A big problem is that Microsoft lets you do some really insecure stuff without warning you that its insecure, or just couch the warnings in really gentle language when it should be screaming at you and requiring confirmation.
It also doesn't help that Microsoft is constantly touting how secure its products are without mentioning that they can -attain- that level of security if you do a bunch of procedures, rather than being secure right out of the box.
In years past, nations would just impound cargo destined for the nation that skipped out on their debt. In some cases the nation would sell the cargo to make back the loss from the debt. Given that China has a massive amount of our manufactured goods, especially stuff we depend on for daily life, they wouldn't be too concerned about the debt for too long before we are forced to relent and either pay them or let some other nation buy it all up and sell it to us at a massive premium.
China is not a developing country nor is it a developing economy. Unless you also consider the US, Canada and all members of the EU to also be developing nations.
China is at least as advanced as any other nation on earth and even surpass us in things like energy infrastructure and long-distance mass-transit, among other areas.
Besides, pulling manufacturing from China will just result in China creating more competition. They would have all the scientists, engineers, technicians, factory workers, manufacturing infrastructure, etc to do it all themselves. We gave them the skill-sets to build stuff at our standard of quality and more efficiently.The thing is that western companies didn't move their manufacturing to china, they sold off their manufacturing and contracted with Chinese companies to make their products for them.
Cisco's products aren't rolling out of a Cisco factory filled with Cisco employees that happens to be in China, their stuff is rolling out of a Foxconn factory staffed by Foxconn employees using Foxconn's logistic and supply networks and then they slap a Cisco sticker on the box. At this point, I would actually be surprised if the Cisco equipment I have in my data center has ever been touched by a Cisco employee or even in a Cisco-owned facility. Its likely that it was manufactured in China, tested by a company in CHina, then sent to the US on Chinese sips where it sat in a warehouse owned by a Chinese distribution partner before it was ordered by by my reseller and then dumped on my loading dock where our contractors racked-and-stacked it.
How does the customer know the bottle hasn't been opened already? I can go buy a couple corks and some sticky-backed metallic foil for a couple bucks. I could replicate a wax seal seal with minimal effort. Unless the customer is some expert and is spending hours to study it (Made more difficult since the restaurant is going to be dimly lit), they aren't even going to notice even the most blatant of deceptions.
Then what would be stopping the manager from just grabbing a bottle of the 260 GBP stuff, a funnel, and the empty bottle of the 4500 GBP stuff and recouping their losses? Although the cynical part of my brain is pretty sure that has already happened with the 260 GBP bottle...
The SMT silicon is still there, but a couple of fuses are blown so that the scheduler ignores them. For the most part, Intel only makes a handful of silicon designs, but will disable chunks of silicon depending on what failed in testing. The ones without SMT are just SMT chips where some of the SMT hardware didn't test clean so it gets disabled and a different model number applied. Its not an uncommon practice, silicon slingers have been doing it since integrated circuits have been a thing. Sometimes Intel will disable features on otherwise good chips if there is demand for the lower bin chips.
Really, it is down to whether the vulnerable bit of silicon is in the disabled chunk or in the still-enabled chunks (EG, in the thread's execution silicon itself or in the core's scheduler)
First off, why should I trust an Anonymous Coward that has provided precisely zero citations for their claims?
But secondly, pray tell, -how- is it easier? The vulnerability could be exploited by a simple bit of malware on a network admin's computer that waits for them to connect to the Cisco UI.
Whereas I imagined that if there was a vulnerability in a security-sensitive chunk of code that the manufacturer would send out an announcement to affect customers and/or news sites. The affected customer would then enter their serial number onto a page to request the updated chip, when the chip is shipped, they get a tracking number. Exploiting this method would require somehow waylaying the shipment and replacing it without the shipping agency getting wise. The package itself could also contain a number of anti-tampering measures. They could even etch the serial number of the system the chip is intended for onto the chip (Which would require the malicious actor to already know the serial number). Most systems will also output the signature of the various add-in ROMs the BIOS hand execution off to, which can be done here. Maybe include something in the BIOS that if BIOS signatures change, it notifies the operator. So that post-install, a message pops up and gives a sha256 and crc checksums or something, which can be matched with data sent by manufacturer in an email or posted on their website.
At the very least, requiring a physical item to be replaced would generate all sorts of change management procedures, downtime to be scheduled, etc,. Someone is going to notice a piece of equipment being taken down while no one is going to notice that some hidden bit of software has been modified.
Or, the original method: No software-updatable firmware, your code is located on wide DIP-chips that fit into a socket. If you wanted to change the firmware, you had to crack the thing open. Maybe we should return to that model for security-sensitive components.
Having to ship a physical piece of silicon and then convince someone to stick it in their equipment is a pretty big barrier to attackers and malware versus the current model f just a few bits across the wire. Sure, its expensive, but you know what is less expensive? Properly testing security-senstive shit before shipping it rather than relying on "We can just patch it later".
That is what I've been thinking. If it was insecure, wouldn't they be throwing out piles and piles of CVEs and proof-of-concept exploits? Yet they seem to have left all their proof in their other pants or something.
Dear America,
CVEs or it didn't happen
-Signed, everyone tired of your bullshit lies.
Because at this point, given the sheer number of security bugs reports I keep seeing, it seems that Cisco is the insecure one...
My worry is that Microsoft will intentionally make the Subsystem have total crap performance but then release a whole suite of libraries to fix those performance issues. So that over time, developers become ridiculously dependent on Microsoft's libraries to the point where most stuff running on Linux will now need a Windows Subsystem for Linux for the binary to run on both platforms.
That is one hell of a code smell. It might even outrank "New Jersey" and "Times Square on New Year's Day" in stinkiest thing ever observed by a human being.
Sure, its a bit of a trivial problem that only affects a small number of people, but all the failure that has to happen for this bug to exist is staggering.
Although not so much the current bottom line, but the future bottom line. Amazon is very much willing to lose tons of money in the short term if it means they can undercut competitors. Then once competitors are put out of business, they'll ratchet prices higher than they did before now that there is no longer strong competition to pull prices back down.
For an example, look at the saga of Diapers.com and Amazon. They started out fairly small, developed a good business model that started generating profit in short order. Amazon then started selling diapers at fairly big loss until Diapers.com was forced to either sell themselves to Amazon or go out of business in a few years. Once acquired, Amazon pushed prices well above what both diapers.com and Amazon were selling at (And in many cases, selling for higher than even brick-and-mortar prices even though their business model makes it far cheaper)
Children -were- injured, that is how this came to light. A bunch of kids were found to have high levels of heavy metals in their blood that was traced back to school supplies and jewelry that was purchased off Amazon. In one case, an entire class was found to have elevated levels of cadmium in their blood that was caused by absorbing it through the skin from pencils a teacher bought in bulk off Amazon.
Unfortunately that wouldn't work for a lot of organizations that are using Google Drive to store information. Just this morning I had to submit a couple inventory reports by filling out a form hosted on the company's Google Docs pages. HR also regularly sends out announcements by sharing a link to Google Docs.
I've worked with a dozen or so organizations like this and I doubt I just got lucky and hit the few orgs that work that way.
And, really, the only way to tell the difference between a legitimate google docs attachment and one from scammers is by looking at the UUID embedded in the link URL and checking to see if it matches the UUID assigned to a legitimate user. Which also assumes that the user hasn't had their UUID changed due to be moved to a different version of the service or some other random action that caused it to change.
Really, the issue here is that instead of the attack purporting to be from hr.internal.company.com but coming from hr.internal.company.com-totally-legit-url.ru. It is now purporting to come from drive.google.com/1234-abcdef0-7894-ac43-12fc390/docs/files/ but really coming from drive.google.com/4567-ffecba12-23e4-23fa-bcce12f/docs/files
Because then Google will sue you for attempting to break into their stuff since you'll be flinging all that data at their equipment.
These attacks are leveraging scripting capabilities with the provider so you are duped out of your information without ever touching a suspicious domain. Like the Google Drive attack will point you to a series of phishing pages hosted on a public-facing Google Drive and store the retrieved data into Google Docs. On AWS, the pages are hosted on S3 buckets and data is stored into another.
The point is that the victim never comes in contact with a domain that anti-malware tools wouldn't flag and/or very unlikely to be blocked in an organization. The other side of it is that loading up webpages and having people submit data to a Google Forms document aren't exactly unusually use cases for these services and are going to go unnoticed by Google / Amazon / Etc.
Nope, those two different things. The difference is whether Firefox is calling an external binary or a simply function call. Extensions exist outside of Firefox itself and have access to the OS, just as any executable would. Add-ons operate within a sandbox in the browser itself, and only have very access to what the browser itself grants access to, typically they are supposed to run in an instance-per-tab structure to prevent XSS-like attacks (Although whether they do that or not is something else altogether...).
IF you missed an exploitable flaw in your software during QA, what makes you think that you're going to find on a second look? Of course that assumes they even bothered with QA or security testing in the first place...
Because these devices are deployed not in a datacenter, but to the remote towers. It'd take a few hours to get to it while customer complaints pile up. The interface is usually going to be stuck onto a private administration VLAN, then routed across an MPLS link back to the mothership alongside the VLANs for the various other data channels like handset data and voice, control-plane, etc.
Telnet is usually used because its one of those that can be trusted to work even when things like the system has the incorrect time or loses its configuration.
The testing they are doing is likely going to be testing just after tower deployment and disaster recovery to ensure the tower is functioning properly and to fix things that need to be re-tuned.
It does prevent Microsoft from building an advertising profile on users (Although that does allow Qwant to do it themselves). Not a big win, but prevents MSFT from correlating it with all the telemetry bullshit they get from Windows and Office. Your information is still tracked, but at least its two organizations with only parts of it instead one big one with the whole thing.
Google doesn't need you to have GPS turned on to know your location. The cellular radio will calculate a rough location so the towers know when they need to hand-over to a neighboring cell, it is possible for the OS to pull that information from the radio processor.
There is also the map of Wireless Access Points they made when doing the Streetview project. The phone listens for broadcasts from nearby access points, then searches for the MAC address in Google's database to map it against a physical area.
Got a new phone the other day, just so much unnecessary crap that I replace the first chance I get. A gig and a half of useless crap (Although half that is the massive blob of "Google Play Services").
Chrome 135
Docs 105
Drive 23
gBoard 53
gMail 33
Google 64
Google Play Movies 21
Google Play Music 37
Maps 88
Photos 45
Youtube 49
Google Play 56
Google Play Services 763
Google Play Store 50
ON a side note, still trying to figure out how the built-in clock app can soak up 12.5 MB...
1) The lack of control and visibility with operating system internals
2) Ridiculous number of daemons / services that are needed for the system to start
3) large number of undocumented system APIs that some pieces of software use, then the APIs are stuck in the OS forever to prevent incompatibility with those applications
4) Configurations are stored in a set of overly-complex files
5) Dynamically linked libraries required for the kernel to even boot
6) Has many built-in language interpreters (Visual Basic, .net, DirectX, etc) and none are cross-platform (No perl, no python, no Java)
7) case-insensitive file systems
9) no support for adding mount points during install (EG, home directories -must- be on the same volume as the rest of the OS)
10) Hiberfile.sys always exists, wasting gigs of storage in the root disk even on systems that never had and never will make use of hibernation.
To be fair, I have these same complaints about a lot of Linux distros as well (Especially Ubuntu and Red Hat).
Ubuntu is the Windows of the Linux world. A huge bulky mess of code that tries so hard to meet every possible use case that it ends up sucking at all of them. Maybe its just me being curmudgeonly, but anytime a Linux Distro has it has higher listed Minimum System Requirements than the current version of desktop Windows is a total failure of a Linux Distro.
https://help.ubuntu.com/community/Installation/SystemRequirements
https://www.microsoft.com/en-US/windows/windows-10-specifications
It'd be trivial. Compromise the DNS records, redirect to your web-servers, go and grab a "Let's Encrypt" certificate and boom, you now have a legitimate certificate for your scam with users none the wiser, unless they religiously check the issuer of the certificate and know who normally issues the certificates for that particular website.
The problem is that if you wanted actual cops on planes, you are talking about a $15 billion dollar a year expense. There are 43,000 flights operating in the US each day, average ticket cost is $500, so you are looking at $21.5 million per day in just airfare (A cost that is either going to have to be absorbed by taxpayers of other air travelers). Then you have the hourly wages of the cops themselves, plus accommodations when they are away from home, cost of training...
And all for what? A few minor crimes that are so rare that one makes international news? Especially when its easy enough to just let the port authority cops handle it when the flight lands. For the extremely rare violent passenger, the flight crew does have access to restraints. The perpetrator of a crime isn't going to be able to go anywhere until the plane lands, and even if they do somehow escape, the airline has all the information law enforcement would need to track them down.
At least according to ICAO recommendations, the aircraft's flag has jurisdiction over international flights similar to how in maritime law, the ship's flag has jurisdiction over its passengers. This has been upheld by the ICJ in the cases of crimes aboard aircraft in international airspace.
I'd imagine the same way that any other credentials might get stolen. Malware on their system, password reuse, flaw in the authentication system, etc. Or maybe the Support Rep was in on it. Maybe the hackers never had the Rep's credentials and just planted malware on their machine and hijacked the session.
"and gained more customers."
Well, that assumes you don't live an area where there is an effective duopoly when it comes to internet connections where the two companies have come to the conclusion that they can make more profit if they just continue the unspoken gentleman's agreement that if they don't try and compete their competitor won't, allowing both to remain total shit and not have to spend money on improvements.
Also doesn't matter what they use if their upstream is shite. I was with a local broadband provider that strung 1 Gbit to everyone, problem was that they had 10,000 customers but only a handful of 10 Gbit links out to the rest of the internet. I could connect to my neighbor or the ISP's servers at full bandwidth, but averaged 8 Mb to everything else.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
