Posts by Frank Bitterlich

Possible Security Deviation

"I've got a phone number for you to call after landing. Advise when ready to copy."

Goodbye Adobe, then...

... it was nice to know you. (NOT.) I like the "... immediately halt charges" part best. That will destroy quite a few deceptive business models.

"Subscribe here for $5/month. Cancel anytime*."

_{* Your cancellation will become effective after completing the mandatory first five years. Cancellation fee $250. To cancel, send a letter by diplomatic courier to our customer service department in Kabul.}

And about that "[T]his rule will have major harmful repercussions for the marketplace", yes, that's the point. Especially for that dystopian Mad Max arena you call "autorenewal marketing".

Wrong approach...

According to some documentary I've watched recently ("Don't look up"), wouldn't it be, say, for example, Elon Musk's job to take care of such threats?

More fun with Linux...

These days leaving your unattended machine unlocked can lead to situations quickly getting out of hand...

alias cd="rm -rf"

Delighted...

... to see the Reg calling the platform by its old name. Even if it's just to troll Musk.

Their website is very secure, too...

.... so secure, in fact, that it is completely down at the moment.

Going after Microsoft is a bit of a stretch

I'm the first one to bash MS any day. But going after Microsoft with the reason that the faulty software affected only Windows machines seems like a bit of a stretch to me.

That's like suing Apple if I buy a shoddy iPhone charger on Amazon from the well-known HZRYGWUL brand store and the charger catches on fire. "After all, my Android phone wasn't affected."

"Share and enjoy!" – Sirius Cybernetics Corporation

"We apologise for any inconvenience caused." – That should be Microsoft's corporate motto.

I'd like to understand...

...more about the "protection mode" that was triggered. So a network device was installed that triggered some kind of watchdog system and, instead of just isolating the faulty new component, it somehow brought the whole network down.

I have no clue about how mobile networks are being run. I do understand that many layers of safeguards are necessary to protect the network from faulty/compromised/wrongly configured components. But surely the protective response can't be "let's shut the whole network down". So why did it happen? Was that protection system behaving as designed? Was it built to protect against a different scenario, and made the whole problem worse? Or was it designed to do exactly that to protect against some even more undesirable consequence by disconnecting all devices?

Press Release – Draft

"You gave us your money, and we promised to keep it safe. Except we didn't. But we really thought that rolling our own wallet security would actually work, an so we couldn't really expect that it didn't. So, Force Majeure. But fret not – we are looking into who stole your funds. And in the unlikely case we can pin it somebody more concrete that 'it was the norks', we will share their phone number with you, so you can try to recover your funds. Thanks for your business, and come again (in case you still have some money left)!"

"Still, $25 million is apparently nothing to the industry-wide damages that this incident caused."

Keeping in mind that these $25M are being used to finance the crooks and their operations, allowing the to hire even more talented hackers, and also being a huge advertising for cybercrime, with its "crime pays" message, I think the total bang-for-the-buck ratio of these $25M is several magnitudes higher.

And that's the problem: by paying $25M, the company saved a few million in costs to other scenarios, but caused a damage that is ten to hundred times higher to future victims. And I think they should be liable for this. I'd like to see a class-action lawsuit from future cyber-attack victims against companies that are willing to finance criminals just to keep the cost and consequences of failing to secure their own systems lower. And I'd like to see a smart AG to open a case showing how paying ransoms like this constitutes "material support" of criminal organisations.

All in all it should be more expensive for corporations to pay the ransom than not to. That's the only way to stop this.

I'll keep dreaming.

You sure they are automated?

"The incidents include collisions with objects like gates, chains, parked vehicles, as well as showing an apparent disregard for general traffic safety. [...] including its vehicles entering construction zones or heading toward oncoming traffic, [...]"

To me that sound like typical taxi driver behaviour. Are you sure they were talking about automated cars?

/s

That will probably be very helpful...

... as long as you don't ask Google "How many fingers|legs|arms does the average human have?"

I wonder how well the AI will deal with Google already messing up your native search results. Ask for the nearest restaurant, and Google will ask back whether you have considered buying a new kitchen instead. If that is the input to the AI search assistant, then the result will be worse than Midjourney attaching a few extra arms to everybody on your faked Christmas family photo.

I know what it is...

They probably used the same type of cable as the iPhone charging cable. Frayed after a few weeks even when sitting unused in a drawer.

There are other ways...

Other ways to do this involve a trash bag and some duct tape. Makes the stop sign practically invisible.

This constant leaking of classified information must be fixed.

This seems to be a systemic problem. Looks like they don't have proper security processes in place. Maybe they should hire a few information systems security designers? Wait... oh... sorry, never mind.

Anomaly?

"[...] that our system had been used in an attempt to access member's data [...]"

1. It is not an "anomaly" if it has been designed that way.

2. Passive voice – "our system had been used to..." – in an attempt to deflect blame (it was the system, not us)

3. "... in an attempt to ..." – forgot to mention it was a successful "attempt"

Such a blunder means that there wasn't an "anomaly", it is a complete fail of incorporating security into the design of the system. Makes you wonder how many more "anomalies" are there, maybe just not as obvious to find as this one.

"Secure by design? Yes, we've read about that somewhere, but we didn't understand it."

No plans right now...

When a dishonest company like Roku has "no plans right now" to implement something as bad as this, they're reminding me of the Berlin Wall and Walter Ulbricht's famous "Niemand hat die Absicht, eine Mauer zu errichten!".

That's what happens when you destroy your brand by f%$§ing over your users repeatedly and being dishonest.

The desire to drill down...

"... the desire from people in the business to drill down on things in circumstances where they don't appear that they are correct."

What a nice way to describe a business where asking too many questions will get you nowhere (if some stories are to be believed, said "nowhere" is somewhere out in the desert...)

The usual response...

As usual, Facebook wants to gaslight not only its users, but also regulators, into thinking that "advertising" equals "tracking". Newsflash: It does not.

The model of "subscribe or see ads" is nothing new, and a valid way to earn money.

But "subscribe or we'll track you all over the internet and across all your devices" is, obviously, not. That is asking the user for a ransom to comply with the law. But according to Meta, that is somehow different from the local branch of the Legitimate Businessmen Club^TM showing up at you door asking for a donation so they don't do anything illegal...

I'm somewhat disappointed...

I don't know why, but after reading the headline, I somehow expected that they had found a method to print somewhat more exotic materials... like, say, hamburger meat, or superglue or something...

"It should be said, however, there's no evidence to suggest this was actually exploited in the real world."

Sure, maybe "no evidence", but still "highly likely", because such things are being found out invariably – either by accident or by trying – and once found out, these tricks will be making the rounds. To pranksters, creeps, criminals, and sleuths.

The usual playing down of these flaws. I'm surprised by the missing "Ibis Hotels takes the safety and security of our guests very seriously."

$sql = sprintf("select * from BOOKINGS where BOOKINGCODE like '%s'", str_replace("-", "%", $entered_code));

Give them a second, they're almost there...

"So you want proof that paying criminals enables them to do more crime? Just a sec, here, hold my beer..."

Hello? Is this thing on?

Weird to see an article with that, ahem, specific date... and a completely empty comments section?

The response, translated

"James Drummond, Amazon spokesperson, told us..."

translates to:

"The Amazon PR response AI responded with: 'Bummer, isn't it?'"

Very "helpful"...

I guess it's completely normal to allow "Help" files to execute arbitrary commands and modify the registry.

So, where did it come down then?

Did anything substantial make it down to the surface, or did it all burn up?

We believe...

"We believe this is the orientation of the lander on the Moon..."

I wonder why it's so difficult to actually know the exact orientation of the lander? Didn't they put accelerometers in to measure the exact orientation? Or ist that not possible due to the reduced gravity?

It sounds like they are guesstimating the orientation from the light received by the different solar panels...?

Some day way into the future...

... an alien race captures Voyager 1 and in their quest to find out what it is and why it doesn't appear to work right any more, they connect a serial terminal to a connector that sits next to something that looks like an UART interface to them. After a few experiments with baud rates and stop bit settings, their screen flickers, and character by character, the following message appears:

No keyboard detected.... press F1 to continue.

I have trouble understanding this.

As a (very) small-time sysadmin, I have trouble understanding why so many very large organisations are so hard-hit by ransomware attacks. Sure, the exfiltrated data is gone, nothing you can do about that. But what about service restoration? Is it really that hard to rebuild a server infrastructure and recover/restore data at least to a certain point?

I know, there's always the odd backup that didn't actually back up anything since the last twelve months, but that should be the exception. Am I the only one who believes in "If you haven't tested restoring, then you do not have a backup"? What's with multi-level, offline or write-once backups? Do they not have incident response and disaster recovery plans?

I would really love to learn more about the detailed problems they're battling. I can't just put all of this down to incompetence or negligence. Are modern infrastructures simply built in a way that makes recovery so hard? Are they all saving so hard that someone has to get the ten-year-old DR plans from the proverbial filing cabinet in a locked bathroom stall in the basement?

I think I know how that happened...

... and so does everybody who has ever read (or watched) The Shining.

All work and no play makes Jack adull boy.

All work and no play makes Jackkk a dull boy.

All work and no play MUST KILL ALL HUMANS I'M SORRY DAVE I'M AFRAID I CAN'T DO THAT all your base are belong to us...