* Posts by Joe Dietz

66 publicly visible posts • joined 2 Dec 2016


Uncle Sam, 15 US states launch antitrust war on Apple

Joe Dietz

My kids disagree

Crypto scams more costly to the US than ransomware, Feds say

Joe Dietz

Re: Not reporting ransomware attacks?

The SEC has reporting rules now. They are being used by attackers as leverage to get people to pay ransom now.... pay or we'll turn you in. Even dumber though is that recently a health care provider was issued a fine after reporting an attack... for exposing patient records (to the attacker). As with most regulation, reporting largely doesn't accomplish what was intended and has some really perverse incentives built into it. Blaming the victim is probably not the solution.

Joe Dietz

Yeah, that is some bad ransomware data.... and sort of calls into question the rest of the report. Ransomware from Chainalysis was at least $1.1 BILLION last year. (https://www.chainalysis.com/blog/ransomware-2024/) 2X from 2022. That does NOT include the MASSIVE costs of incident response with or without paying a ransom. I think you could find single incidents that might have cost more than $52m last year.

IT suppliers hacked off with Uncle Sam's demands in aftermath of cyberattacks

Joe Dietz

Well yes... This is EXACTLY why anything the government is involved with is so ridiculously expensive. You literally have to charge them 3-4x what you would charge anybody else as a paperwork tax... and since so few vendors can even get certified, it's not like 'open bids' have competition a great deal of the time. You, the vendor, having achieved the activation energy to deal with the government, can in fact name your price and they have to pay it. Not that they care, not like it's the government's money anyways...

Travel app Kayak offers Boeing 737 Max 9 filter after that door plug drama

Joe Dietz

It's not just the door plugs...

It's obvious Boeing is culturally bankrupt. It's not just the MAX fiasco. And the door plug was one week after a previous 'ground them all' inspection where there were loose bolts on a safety critical system in the tail assembly. This shit should be checked and rechecked... probably IS being checked and rechecked and it's still wrong.

The Starliner program has also had some serious issues. And not just the ones on flight hardware where it didn't quite make it to orbit. They managed to also take _checkout photos_ to document the state of the parachutes on a drop test that clearly showed one of the parachutes was NOT connected to the airframe... and somebody then proceeded to pack the parachutes in that state. I'm sure they are ISO compliant in more ways than I could even imagine... but compliant isn't the same thing as giving a damn about quality. I mean good news! 2 out of the 3 parachutes opened, good thing for redundancy... but wow, they had _photos_.

Why we update... Data-thief malware exploits SmartScreen on unpatched Windows PCs

Joe Dietz

Re: I know that data has to be stored somewhere...

Exactly this. Cloud applications depend on your client application being able to keep tokens secret. Android and iOS were designed with this in mind and generally a client app can store its tokens with reasonable assurance that other apps (aka malware) can't read them. Windows, Linux, Unix, OSX were all designed long before 'the web' was really a thing. Client apps store data as _you_. As such any application you are running (aka malware) can read any data you can read... including your tokens. Running Linux doesn't make you safe here, it just makes you less likely to be a target in the first place... but that is only the market share of "Linux on the desktop" being essentially a rounding error and thus irrelevant to a malware business.

Joe Dietz

Re: Geolocation data ? On a PC ?

Nobody cares where you live, they care to know where Google or whoever thinks you are living. This is so when they use the tokens they just harvested, they can spoof the correct geolocation and not set off any alarms in the cloud services from a token performing 'time travel'. Time travel detection (aka you are suddenly in SE Asia, despite logging in from Redmond, Washington not 5 minutes ago) is the bread and butter of cloud identity security.

https://upsight.ai/blog/beyond-passwords-decoding-the-vulnerability-of-identity-tokens
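The 'time travel' check the post above describes, as an added defender-side example that is not part of the original comment: sign-in events for the same token are sorted by time and any consecutive pair whose implied ground speed is physically impossible is flagged. The event format, the coordinates and the 1000 km/h threshold are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: a bit above airliner cruise speed; anything faster than
# this between two sign-ins of the same token cannot be the same person.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    """One sign-in observed by the identity provider (constructed schema)."""
    token_id: str    # identifier of the session/refresh token presented
    when: datetime   # timestamp of the sign-in, timezone-aware
    lat: float       # resolved geolocation of the client IP
    lon: float
    label: str       # human-readable place, used only in the alert text


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the earth's surface."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: SignIn, later: SignIn) -> float:
    """Speed the principal would have needed to travel between two sign-ins."""
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    if hours <= 0:
        # Same timestamp from two different places is as impossible as it gets;
        # same timestamp and same place is simply a duplicate event.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (token_id, from_label, to_label, speed_kmh) for each implausible hop.

    Events are grouped per token because the question being asked is whether
    one token is being replayed from somewhere its legitimate owner cannot be.
    """
    by_token: dict[str, list[SignIn]] = {}
    for event in events:
        by_token.setdefault(event.token_id, []).append(event)

    alerts = []
    for token_id, seq in by_token.items():
        seq.sort(key=lambda e: e.when)
        for prev, cur in zip(seq, seq[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((token_id, prev.label, cur.label, round(speed)))
    return alerts


# Constructed sample sign-ins (not real telemetry): tok-A is replayed from
# Bangkok five minutes after a legitimate sign-in from Redmond; tok-B makes a
# plausible Redmond -> Portland hop three hours later.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SignIn("tok-A", T0, 47.674, -122.121, "Redmond, WA"),
    SignIn("tok-A", T0 + timedelta(minutes=5), 13.756, 100.502, "Bangkok"),
    SignIn("tok-B", T0, 47.674, -122.121, "Redmond, WA"),
    SignIn("tok-B", T0 + timedelta(hours=3), 45.523, -122.676, "Portland, OR"),
]

if __name__ == "__main__":
    for token_id, src, dst, kmh in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {token_id}: {src} -> {dst} implies {kmh} km/h")
```

A real deployment would also fold in the geolocation that the attacker is trying to spoof, which is exactly why the post says the harvested location data matters to them.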

Be honest. Would you pay off a ransomware crew?

Joe Dietz

A one time payment is nice, but what we need is a recurring revenue stream...

Ransomware is a business, not a tactic. The trend in this business is towards 'surprise backups' of victim data. Ransom isn't quite the right word; blackmail is more like it.

Imagine you have gained control over a law firm; it has many people's secrets in its files and a professional obligation to protect those secrets. You could 'sell' a one-time license to the law firm so they can avoid using their backup.... Or you could sell an _annual_ subscription service of not telling others about all of their secrets. Any MBA will tell you that the recurring revenue is better... and so much harder to defend against.

Electric vehicles earn shocking report card for reliability

Joe Dietz

As an EV fan... still rings true

I've had I think 6 EVs now:

- 1 Chevy Spark EV died due to a minor crash that caused the insurance to total it due to the cost of electronics.

- 1 Chevy Bolt EV was sold on the used market at a loss - it was basically a Chevy Malibu and had tons of software glitches and piss poor design possibly due to the retrofit.

- 1 Tesla Model X died 30 minutes after delivery upon arriving home. Some sort of central computer had stopped working. This was a COVID build, so Elon himself may have fitted the QA failed part from the scrap bin in it himself. Twas returned to Tesla.

- 1 Chevy Spark EV died after 2 years due to the charge controller failing. GM was unable to find a replacement board after 9 months of it sitting at the dealer... I got a buy out check from them.

... Kia rental EV was 'fine'.. but it was a rental so who knows what happened after I returned it 9 months of me driving it around....

- current Nissan Leaf - still going strong. Very boring car... but I've high hopes of it having a natural end as a result.

The Chevy Spark EV is still my favorite... But I suspect the fundamental problem is that people expect more from EVs due to the price, so the normal build quality issues stand out more and when it does go wrong, it's very wrong. What you might accept in a $25k Malibu, you are going to be pissed about in a $37k Bolt.

Your password hygiene remains atrocious, says NordPass

Joe Dietz

Passwords are all vanity if you leave the post auth token laying about.

The real action is in getting post authentication tokens. All I need to do is read your tokens out of your profile directory and I _am_ you to whatever you happened to be logged into. I don't need your username or your password, and I don't care if your MFA is legit or SMS. I'm still _you_.

3CX thought supply chain attack was a false positive

Joe Dietz

VT is just a static check...

Malware and the AV engines that VT is aggregating across are so 1990s. Attackers don't send you malware. They send you _links_ to malware, or better yet they MacGyver it from bits you already have on disk using duct tape and zip-ties. In this case a fairly pedestrian DLL abuse to download malware as part of an update.

As such, checking your binaries against VT isn't going to flag anything, and a goodly amount of the time neither is your AV scanner. This was a multi-stage attack - the malware part that VT would be able to flag is downloaded much later in the attack.

Watchdog: Broadcom buy of VMware may be bad for competition

Joe Dietz

NSS: "Broadcom buy of VMware may be bad for competition"

Duh, but hardware as to why it would be bad? Seriously? Hardware is just going to keep on working with VMware, it's nearly impossible for it to not. You should be far, far more concerned about the _virtual hardware_ being inaccessible. The choice is VMW or "the cloud". AWS, Google and Azure look forward to this acquisition no doubt, THAT is the bad you should be worried about.

South Korea moves to resolve WWII dispute with Japan that troubles tech supply chains

Joe Dietz

Fear the future? Change the past.

I'm pretty sure my Irish and Scots ancestors didn't come to the USA because they woke up one morning and decided to emigrate. There were reasons; possibly including judicial murder, starvation and general religious suppression. Those same ancestors went on to homestead in the west, in some cases literally over the graves of the previous inhabitants. Apologies are owed all around... but this is an accounting that simply can't be settled. Learn and live for the future.

Russian charged with smuggling US counterintel tech to Motherland

Joe Dietz

Is linking to the Kaspersky report that you quoted at length under sanction? Cite your sources please.

For password protection, dump LastPass for open source Bitwarden

Joe Dietz

Re: Someone else's computer

That's the problem though. Your control over the system is the weak point of using your local system to store passwords! You have access to all of your data all of the time, ergo so does any attacker that you happen to let in through a momentary lapse of humanity. And beyond that, the password itself isn't really that interesting, the hot new trend is local token theft. I don't need your password if you already authenticated for me, I have something better - a token! Again, if you are NOT asked for a password on each and every API call that your browser/application might be making, and if you are in control of your system, the same attacker can just read your keystrokes too.

It's all a shell game. The only "secure" device I might trust is inherently entirely out of my control because it won't let me control my own data.

Joe Dietz

Re: Someone else's computer

Unless you are prompted for a password each and every time you need to access your secrets... They really aren't any safer locally than in the cloud. https://www.upsightsecurity.com/post/data-protection-api-or-now-you-have-two-problems

Malicious Microsoft-signed Windows drivers wielded in cyberattacks

Joe Dietz

Re: Bu-but...

Having gone through this process... The vetting is done by a 3rd party CA issuing an EV certificate to the company. That certificate is used to sign submissions to the Microsoft signing process. (before Microsoft did the signing directly, the CA cert was used to sign the drivers since the CA had a Microsoft issued cross-cert). The 'Extended Validation' in an EV cert is... 1) can you pay $400? 2) Do you have an attorney that will attest that you are you and answer a phone call to repeat the same?

I suspect the latter is the weak link since it is not clear how the attorney is vetted as actually being a member of their respective bar association, nor would I trust in professional ethics in all places equally. (see also: the Panama papers). Some number of years back Microsoft was talking about doing the vetting directly and cutting out the 3rd party CAs entirely. Probably a good move, but I've not heard much about it since.

Joe Dietz

Re: Bu-but...

Signing does provide security value in several ways - there is an audit chain to some extent - somebody somewhere does in fact have to swear they are up to no good and sign contracts to that effect. Not everything has to be a technical solution. The second way is actually fairly important - it's very difficult to create a polymorphic driver because of the signing requirement - while there are lots of 'bad' drivers and many more abusable drivers out there... the number is not infinite, and you can in fact build effective rulesets around them.

The dystopian part here is that as a driver developer... quite a lot of process to get through to ship some code. Annoying, I don't like it, but I'm not arguing against it either.

Joe Dietz

Meh. This has been going on forever, the key statement is "In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers." The only thing different here is that there is at least _some_ audit trail due to the signing about who wrote the code.... the fact that Microsoft signed it is less relevant than it sounds (prior to Microsoft signing, this was effectively done by a cross-cert from Microsoft to particular 3rd party CAs... net - same thing).

However, there are _plenty_ of drivers out there that export functions to just about any process to read/write kernel memory, modify/terminate processes etc. For instance, Process Hacker was used to attack Sony Pictures years and years back. Microsoft's own SysInternals procexp.sys can _also_ terminate protected processes via a driver as well (indirectly at least - it can close handles - close the right handle and you can cause a process to exit).

The thing to actually watch out for are drivers that are not actual _device_ (as in hardware) drivers. Software drivers have their uses and there is nothing wrong with them per se... but you should audit them more closely. If you are running a driver from, say a major AV vendor, but you don't use their software... you are probably looking at a problem. Or you have procexp.sys but aren't using procmon. And so on.

Broadcom looks for EU approval of VMware takeover

Joe Dietz

Re: Less than pleased customers...

VMware isn't like Twitter; a fool can buy and destroy Twitter - no big deal, people can spout stuff lots of other places... such as right here. Nothing much actually depends on Twitter's existence. VMware is unique and things that you most certainly DO rely on depend on it; there are no viable alternatives.

It's a stretch to call it anti-trust... but there is clearly a public interest in keeping Broadcom from doing what Broadcom is going to do to VMware.

Broadcom to spin VMware takeover as creating 'more competition' in cloud

Joe Dietz

VMWare _is_ the cloud competition... but not as a cloud

The EU and really any government that has the public interest in mind should look _very_ skeptically at this... Not only from a competition standpoint, but a national security one as well. VMWare is the only technically viable and operationally mature alternative to 'the cloud'... A Broadcom acquisition would very likely shift things to a 'big 3 cloud or nothing' set of alternatives.

I see zero reason to think Broadcom would handle VMware any differently than CA or Symantec... VMW _is_ legacy tech and sort of 'missed that whole cloud thing' despite some frankly confused efforts in the past few years to 'also run' on the cloud. Unlike CA or SYM, VMW also happens to be very, very, important legacy tech and should not be meddled with.

VMware CEO bats away Broadcom concerns – it’s just ‘the next transition’

Joe Dietz

Re: Will Broadcom bail on the deal??

I think the only thing holding it up is the EUC quite rightly asking wtf is going to happen if Broadcom destroys all of the non-cloud infrastructure by acquiring its sole viable vendor. (yes there are alternatives... if you have time and inclination.. but ESX stands alone).

One can only hope Broadcom is going to Musk this... though too late since the trust damage was already done to customers, employees and shareholders by the VMW board in even agreeing to the offer.

Discord details how it dodged latency with a super-disk made in the cloud

Joe Dietz

Not particularly relevant to the tech stack in question, but remapping around bad sectors is a very old problem and an SSD is no different. NTFS for instance has had a feature since the NT 3.5 era where if there is a write error, it will mark the sector as bad in its internal tables, remap the LBA to another free block and perform the write again. Doesn't help for read errors obviously... but it's one of those little things that if you start to see this happening in the event log... you've got a disk on borrowed time. Then came SMART which basically does the same thing at the hardware level; again if you notice these events, your disk is on borrowed time. These behaviors are great... right until they aren't, since it's easy to ignore/never see the events that tell you of the pending failure.

Businesses should dump Windows for the Linux desktop

Joe Dietz

Re: Lot of outright wrong claims in the article

Repeat after me: "Linux does not mean you are 'secure' "

... you either aren't worth attacking or you've been owned and just don't know it yet.

Security on Linux is far, far, far more difficult than on Windows. And no, I'm not talking about anti-malware, that doesn't work even on Windows and is laughable on Linux. If you consider a modern approach to security such as EDR - the number of 'potentially interesting security events' is 10x that on Windows - fork()/exec() and the Unix tool philosophy means there are many, many, more objects to keep track of... AND the BIGGEST threat to Windows is PowerShell and the various other sorts of built-in script interpreters such as Office macros. Well... Linux is nothing BUT a huge interpreter, no malware need apply, just live off the land. And finally, when you consider the intersection of licensing politics and kernel code, the interfaces to build useful security controls are there if you don't mind doing everything yourself, but if you just want to buy a security service like in the Windows world... said service provider can't really give you a first-class experience due to GPL complications.

Why the end of Optane is bad news for all IT

Joe Dietz

Solution seeking problem

Like many cool things... if the first step is 'change everything': you've failed.

Successful technology improves upon the previous generations or layers in a way that acknowledges the technical history and keeps the old stuff working. See also: Windows backwards compatibility (yes, yes - they seem to have lost their way here a bit... but it built an empire for sure). Unsuccessful technology asks you to first change everything and do something a new way. See also: IPV6.

The latter _can_ work... but it has to be pretty damn compelling.

Intel tried selling software before. Will it succeed this time?

Joe Dietz

As a software engineer, never work for a hardware company (and vice versa no doubt)

I was at McAfee during the Intel era... It was always a complete mystery to everybody wtf it meant to put 200+ MB of MD5 hashes 'into the silicon'. Though it was apparently on several executive bonus plans that we needed to increase sales of 'sockets', not that anybody in McAfee mgmt chain had a clue how to make that happen. I'm pretty sure the confusion on the Intel side was pretty much the same.

See 'security'... as Intel understood it meant door locks, 'security' as McAfee understood it meant 'background checks'. I could see a sort of world where those two notions worked together... but customers were not that interested in paying _more_ for the privilege and given how Intel slices up their CPU features in pretty arbitrary ways... you end up with the 'why does this brand-new computer not run Windows 11' problem all over, or in this case 'why does my door-lock fail open'. Thus ended any actual engineering attempts to bring those ideas together.

I'm not sure much has changed, but the main thing is software businesses should be software businesses.

Microsoft accidentally turned off hardware requirements for Windows 11

Joe Dietz

Win11 may like _new_ CPUs but that doesn't mean what you want it to....

I spent a fair amount of time yesterday learning about the 'Bitmask Manipulation Instruction Set 2' (BMI2) and in particular why a library I'm using was causing a #UD fault on a brand-new Windows 11 laptop from Asus. The reason is that it's an 'Intel Inside' (aka 'Celeron') and... despite meeting the weighty requirements for Windows 11, lacks some Haswell era instruction sets. (Answer is to recompile the library with some defines that do things the hard way). Mind you, I know this is a cheap laptop, that is why I purchased it since I'm developing software and want to know the worst-case performance scenario. Naively I was hoping that Win11 at least meant we could count on some sort of baseline of CPU features from say 2013. Nope.

VMware customers fear Broadcom acquisition will stall innovation, increase cost

Joe Dietz

Re: Really?

Already did.... 6 months back ;)

46 years after the UN proclaimed the right to join a union, Microsoft sort of agrees

Joe Dietz

I can't see the value to me ...

I can't see myself ever joining a union, nor could I really see myself staying at a business that had one form. Stagnation follows.

Broadcom buying VMware could create an edge infrastructure and IoT empire

Joe Dietz

Utter bollocks. Cars? That is just loony.

The only party this deal is good for is Mr. Dell. VMware, its customers and employees will suffer, Broadcom is buying an empty bag of air because it plain does not culturally match VMware even a little bit, it literally can't help but kill VMware. What promise VMware held out for customers... some sort of neutral cloud layer... Well they will find they can run on AWS and Azure just fine without it not long after this goes through.

Twitter preps poison pill to preclude Elon Musk's purchase plan

Joe Dietz

This reminds me of when Yahoo rejected a takeover offer from Msft. Msft's offer was way more than they eventually fire-saled it off for. It almost seemed like Musk woke up one morning, bought 9% of Twitter on Robinhood and _then_ discovered that despite all of the noise... Twitter isn't really that central to that many people's lives. Take the money and run, fools.

How to polish the bottom line? Microsoft makes it really hard to claim expenses, say staffers

Joe Dietz

As I've progressed in my career and get paid more... I've often thought about the _expense_ of filing expenses. The time it took to document an $8 breakfast at the airport ... costs a bit more than $8 on its own.

Nextcloud boss: You gotta fight … for your right … to 'plug into Windows and offer the exact same service'

Joe Dietz

Silly

Microsoft may bundle OneDrive, and be super pushy about using it... But the APIs ARE open and have been for years now. You have to provide your own sync engine and cloud... But the OS APIs are there and not welded to OneDrive. Microsoft knows exactly where the line is at. iOS on the other hand....

Alleged Brit SIM-swapper will kill himself if extradited to US for trial, London court told

Joe Dietz

Re: Criminal prosecution is the civilized thing

Kangaroo is what happens when you are just taken out back after trial and shot. I think you need to readjust your rhetorical scale a bit.

Point still stands - prosecution is a civilized way of dealing with crime. The alternative is you rob the wrong guy and just end up dead someplace. We don't want that.

Joe Dietz

Criminal prosecution is the civilized thing

The point of prosecution is that the government has to prove that you did a crime in a manner that requires particular rules to be followed. People are acquitted all the time (some news to that effect over here in fact). The US justice system may not be perfect, but it is no kangaroo court either. Ducking prosecution just leaves you 'beyond the law'... which is where vigilantism comes in. I think we would all really rather we keep with the civilized path to punishment.

Of course we've tried turning it off and on again: Yeah, Hubble telescope still not working

Joe Dietz

Re: Dragon?

Not at all... You might have noticed it takes a LOT of time/money to build a telescope.... Way easier to just fix the one we have. JWST is going to be cool, but it's not really a replacement for Hubble; Hubble is what we got for the visible spectrum.

Joe Dietz

Dragon?

A Crew Dragon with a small arm/platform in the trunk might be viable. Not sure how much space would exist for replacement parts after that... but SpaceX sort of proved they could do the orbit and duration on the Inspiration4 mission. Lacking an airlock it would be back to classic 'vent the cabin' sort of EVAs from the 60s of course.

Latest Loongson chip is another step in China's long road to semiconductor freedom

Joe Dietz

It doesn't quite add up that they would be able to run x86 windows unless they have some sort of firmware-level hypervisor as well that manages the emulation.

It took 'over 80 different developers' to review and fix 'mess' made by students who sneaked bad code into Linux

Joe Dietz

Stop ragging on the students... they obviously hit a nerve

The proposition was 'is Linux based entirely on reputational trust or... some set of security oriented objective review criteria'. Turns out it was the former and nobody likes being called out... But they did us all a big favor in pointing out the disconnect between the actual culture and the actual thing that should be happening. This is an obvious weakness with the open source model and the Linux kernel is by no means the ONLY thing that can be subverted here.

Origami... in spaaaaace: Inflatable folded objects discovery brings new meaning to blowing up buildings

Joe Dietz

Re: Cover story of Popular Science material for sure....

In my part of the world, the type of emergencies we expect involve all of the bridges falling down. Even if you could fly stuff in... still need bridges. There won't be any red cross showing up for a very very long time. Local authorities are being fairly honest - you will be on your own. Be cool with your neighbors and work together, don't expect help.

Joe Dietz

Cover story of Popular Science material for sure....

Various proposed applications almost 100% of the time mean... it's a really cool thing, but utterly useless.

My list:

1) Emergency <*>... if it's an emergency you probably don't have one of <whatever> and are just going to cobble something together with what you have...

2) Useful in space! Um, sure, soon as we actually get there, let me know and I'll send you one of <whatever>

3) Third-world medicine. Great! Yup, poor people deserve substandard stuff right?

Adiós Arecibo Observatory: America's largest radio telescope faces explosive end after over 50 years of service

Joe Dietz

Might as well carry on with the bond theme: moonraker

Build a replacement for sure.... on the far side of the moon.

Boeing Starliner commander Christopher Ferguson bows out of first crewed mission due to family commitments

Joe Dietz

Apple takes another swing at Epic, says Unreal Engine could be a 'trojan horse' threatening security

Joe Dietz

Re: "Apple would face incalculable harm"

Apple makes it astonishingly obnoxious to even download free things without a credit card number on file. Seems a bit discriminatory given the number of folks that don't have banking... but pretty obvious where their head is at - show me the money, rube!

Sure is wild that Apple, Google app store monopolies are way worse than what Windows got up to, sniffs Microsoft prez

Joe Dietz

Re: Damage the hard drive?

Complete and utter bullshit that doesn't even pass a brief sniff test.

1) no need to uninstall IE, you just installed Netscape and clicked on its icon instead. If you wanted to use Netscape as your default, you just needed to change the MIME type association to make it the invoked application.

2) if you really insisted on removing IE you needed to be careful to not delete some DLLs that dealt with HTTP networking protocols that other bits of the operating system also used. It wasn't so much that they were part of IE, just that they were mis-packaged in the directory hierarchy alongside IE because the IE team happened to be responsible for their development and it never occurred to anybody that it was apparently going to be illegal in the view of the courts to provide a web browser as part of the operating system simply because Netscape wanted to charge for one separately.

3) IE was not a great product but it certainly wasn't the cause of hard drive damage - that would be the general state of storage in the mid-90s.

And fun historical bit for all of you IE haters out there, until IExplorer 2.0 and later, it was actually just a derivative of Mosaic. Hate ActiveX if you like, but its success is hard to argue against since it enabled a lot of things that just didn't exist in the standards of the day.

We're in a timeline where Dettol maker has to beg folks not to inject cleaning fluid into their veins. Thanks, Trump

Joe Dietz

Ahem, _we_ didn't vote him in. He _lost_ the election by 3.5 millionish votes. The Electoral College voted him in.

Whoa, whoa... Tesla slams brakes on allegations of 'unintended acceleration' bug: 'Completely false and was brought by a short-seller'

Joe Dietz

First thing I thought when I first saw the headline about 'unintended acceleration' was 'market manipulation'.

Boeing, Boeing, gone! CEO Muilenburg quits 'effective immediately'

Joe Dietz

The problem is one of culture. The CFO taking over even temporarily speaks volumes that the Boeing board has zero clue how they found themselves in this mess. The CEO as the buck-stops-there sort of figure should have been dismissed months ago, but it's a step. The actual change has to come from Boeing deciding they are going to design and build airplanes again instead of being supply chain and financial managers.

HP printer small print says kit phones home data on whatever you print – and then some

Joe Dietz

If you take your tin-foil hats off for a bit, this is all standard fare for any sort of tech support call. It's pretty routine for any software vendor to gather such data in order to figure out if you need to fix something if such-and-such an OS/BIOS patch appears that breaks your software, without having to resort to polling incoming tech support calls from you lot (read your EULAs). Obviously they do want to sell you ink, but on the other hand, they might also want to make sure the printers are actually working in a large scale sense.

Blockchain is a lot like teen sex: Everybody talks about it, no one has a clue how to do it

Joe Dietz

The real problem is that the value of transaction fraud has to _significantly_ exceed the transaction cost of blockchain technology to combat that fraud. We have lots of systems to combat transaction fraud that are working just fine - credit card transactions, title insurance etc. Otherwise at best it's just another marginally better way of doing something we already have. If a measurable percentage of global electricity consumption becomes part of the solution - you clearly aren't considering things rationally.
