Re: This shows a clear gap in the market
Most can be pwned by two black sheets of paper taped into a loop. Ah, the good old days... never got around to testing my idea of faxing someone a roll of tissue paper, though.
561 publicly visible posts • joined 9 Nov 2007
So true... and the idea that they can just "remove the SIM card" and everything is fine is just ridiculous. That certainly won't fix a bricked bus that has downloaded and installed a malicious firmware update. Unless the bus has a "bad firmware incoming" indicator light, of course.
Share and enjoy! [1] [2]
[1] "Share and enjoy" is the company motto of the hugely successful Sirius Cybernetics Corporation Complaints Division, which now covers the major land masses of three medium-sized planets and is the only part of the Corporation to have shown a consistent profit in recent years.
[2] "Sirius Cybernetics Corporation" used to be called "Microsoft" until their renaming in the year 2035, in an effort to save the reputation of the company.
If someone reports suspicious behaviour, looking at the response of the company (beyond boilerplate press releases – "We take the security of our customers' data very seriously...") is way more interesting than the report itself. If the author of the report is blocked from their support forums, that's more than a red flag. Stay away from Gretchen.
"To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation."
OK, to recap: CISA thinks that (a) knowledge of the protocol and (b) owning "specialized" equipment (a $200 SDR transmitter) "limits the feasibility" of "widespread exploitation", and so everything is fine? What an absurd take on this risk.
But then, the US has always had weird ideas about "security" – otherwise the concept of a credit card number wouldn't exist.
Given the differences even between what my neighbour and I consider to be "music", it is more likely that this is seen as a threat, a declaration of war, a capitulation or a guacamole recipe, than a culturally significant musical movie reference. Or maybe to them, it's just muzak. If we're lucky, we'll never find out.
Sure, Signal may be pretty secure in its transport, and it is usually easier to compromise one of the endpoints than to attack Signal itself. That is why security-conscious people would at least use a locked-down, dedicated device for such adventures.
However, seeing this whole dumpster fire of security blunders, do you really believe that the "personal device" Hegseth is using on that unsecured line is really protected? To me he seems like the guy who would double-click any attachment named "cute_kitten_videos" and disables the AV because it interferes with his ability to install cracked games.
He probably airdropped a .txt file containing the sensitive info onto his laptop so that he could copy and paste whatever he wanted to brag about to his wife and his hairdresser. And since Hegseth didn't make the one mistake yet that could endanger his job – making Trump look bad in such a way that even Trump notices – this will likely not be the last of these blunders. Only now just about every bad guy on the planet is trying to find out the IP address of his private insecure line or his iCloud username.
Looks like Apple is taking this seriously. They have already updated the App Review Guidelines, 3.1.1 thru 3.1.3, removing pretty much all prohibition of links to external payment systems etc. for "apps on the United States storefront".
Whatever that means for apps which are available worldwide...
But... but... the heading on their cookie banner said "We Respect Your Privacy", ...?
And these 876 partners they're sharing your visit and every interaction with, are really close partners, right?
And they only need to track you across every thing you do on the internet for your own good, see? Like Meta's response said... what good would an AI be that doesn't understand European culture? For example, why we're so picky with who can process our most private information and so on...
Whatever they're overwriting the disk with – the engineers' names, the Hitchhiker, a GIF version of the dancing baby, or a Fortran version of the source code of Microsoft's Clippy – will probably turn out to accidentally be valid machine code that the sat will execute when it eventually reboots.
For the rest of that story, please refer to the already mentioned "V'ger" storyline in the Star Trek movie...
The thing is, it doesn't matter whether the "channel" was secure. Every channel has at least two ends, and in this case multiple, and they were all on devices which had not been secured for classified communications. (Signal wouldn't be allowed on such devices.) So we have no way of knowing whether any of these devices were or are compromised. And if they are, the chat contents are compromised, too.
I'm pretty sure that there are already bounties being offered for hacking Goldberg's devices, though I'm also sure that he is taking precautions. But he's now a high-value target, and from what I've heard, some of the information in that chat would still be useful to adversaries after the actual mission is over.
Sure, the tool (I mean Signal, not Waltz) was secure. And of course some idiots will claim otherwise (just waiting for the US govt themselves to blame the whole affair on Signal.) But focussing on that takes the focus away from the criminal negligence, incompetence and disrespect for law and rules of that whole government.
Wait... what? You believe that using HTTPS doesn't protect you, and that you "identify" yourself to "Google etc." when you use HTTPS?
What have you been smoking?
I thought that the "I have nothing to hide" and "I don't need a secure connection for everyday stuff" faction had long since died out, but here we go... I think you might be wearing your tinfoil hat the wrong way.
All the reports about this malware are a bit unclear or ambiguous on the infection vector.
The TrendMicro report says, "Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects,..."
Does that mean that the malware is passed on only in Xcode projects, and not in the built apps? Since when are developers distributing Xcode projects to their users? At first I thought this was a typo or something, but it also says: "These Xcode projects have been modified such that upon building, these projects would run a malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system."
So the malware is executed when an Xcode user builds an application (as opposed to injected into the product)? Or are they just completely confusing projects and products?
Can someone with more understanding about this malware please clear things up a bit?
You can typically decide which data an app can access. However, it is technically almost impossible* to enforce what an app or service does with that data, especially when the function of that app depends on that data being transferred to a server (e.g. Tinder etc.). You can require app vendors to have comprehensive privacy statements, but these are mostly just "swindle sheets".
"We value your privacy. In order to provide you with this service, we share your data with 975 partners. This is necessary because, well, um, we want the money."
* For any references to how useless the GDPR is thanks to the concept of "reasonable interest", please refer to any one of my other rants here on this forum.
If I have the choice of (a) having an egg the consistency of either a tennis ball or a fresh oyster, or (b) having to wait more than 30 minutes for a breakfast egg – I'd rather take the egg. Now. Not in 30 minutes.
And let's not even start about having to juggle an egg between two different pots for half an hour.
... it was nice to know you. (NOT.) I like the "... immediately halt charges" part best. That will destroy quite a few deceptive business models.
"Subscribe here for $5/month. Cancel anytime*."
* Your cancellation will become effective after completing the mandatory first five years. Cancellation fee $250. To cancel, send a letter by diplomatic courier to our customer service department in Kabul.
And about that "[T]his rule will have major harmful repercussions for the marketplace", yes, that's the point. Especially for that dystopian Mad Max arena you call "autorenewal marketing".
Things were so much simpler in The Good Old Times™...
My parents gave me a very cheap, three-digit combination lock with my very first (also very cheap) bike. One day when I came back from a friend's house, it was stolen. Not the bike. The lock. The bike was still there.
I'm still not sure whether that says more about the quality of the lock, or the bike...
... or would depend on the country, the configuration of the PBX system, and - as someone noted - the century.
In my place, whatever you dial, if you're not dialling the trunk prefix (typically 0), you'll reach either an internal number, or nobody at all. And everybody in the (/ any) company is familiar with that.
I'm the first one to bash MS any day. But going after Microsoft with the reason that the faulty software affected only Windows machines seems like a bit of a stretch to me.
That's like suing Apple if I buy a shoddy iPhone charger on Amazon from the well-known HZRYGWUL brand store and the charger catches on fire. "After all, my Android phone wasn't affected."
...more about the "protection mode" that was triggered. So a network device was installed that triggered some kind of watchdog system and, instead of just isolating the faulty new component, it somehow brought the whole network down.
I have no clue about how mobile networks are being run. I do understand that many layers of safeguards are necessary to protect the network from faulty/compromised/wrongly configured components. But surely the protective response can't be "let's shut the whole network down". So why did it happen? Was that protection system behaving as designed? Was it built to protect against a different scenario, and made the whole problem worse? Or was it designed to do exactly that to protect against some even more undesirable consequence by disconnecting all devices?
"You gave us your money, and we promised to keep it safe. Except we didn't. But we really thought that rolling our own wallet security would actually work, and so we couldn't really expect that it didn't. So, Force Majeure. But fret not – we are looking into who stole your funds. And in the unlikely case we can pin it on somebody more concrete than 'it was the norks', we will share their phone number with you, so you can try to recover your funds. Thanks for your business, and come again (in case you still have some money left)!"
"Still, $25 million is apparently nothing to the industry-wide damages that this incident caused."
Keeping in mind that these $25M are being used to finance the crooks and their operations, allowing them to hire even more talented hackers, and also being huge advertising for cybercrime, with its "crime pays" message, I think the total bang-for-the-buck ratio of these $25M is several magnitudes higher.
And that's the problem: by paying $25M, the company saved a few million in costs compared to other scenarios, but caused a damage that is ten to a hundred times higher to future victims. And I think they should be liable for this. I'd like to see a class-action lawsuit from future cyber-attack victims against companies that are willing to finance criminals just to keep the cost and consequences of failing to secure their own systems lower. And I'd like to see a smart AG open a case showing how paying ransoms like this constitutes "material support" of criminal organisations.
All in all it should be more expensive for corporations to pay the ransom than not to. That's the only way to stop this.
I'll keep dreaming.
I know, right? After all, we all know they can't go to space (wouldn't get past the dome), and also, why a heat shield? Everybody knows the higher you go, the colder it gets. And now the reptilian leaders want to sell us using an inflatable rubber dingy to use as a heat shield. It's obviously a scam to hide the secret colonies on the backside of the moon. They should rather spend that money in making free energy available to everybody.
(Just to be sure: /s.)
"The incidents include collisions with objects like gates, chains, parked vehicles, as well as showing an apparent disregard for general traffic safety. [...] including its vehicles entering construction zones or heading toward oncoming traffic, [...]"
To me that sounds like typical taxi driver behaviour. Are you sure they were talking about automated cars?
/s
... as long as you don't ask Google "How many fingers|legs|arms does the average human have?"
I wonder how well the AI will deal with Google already messing up your native search results. Ask for the nearest restaurant, and Google will ask back whether you have considered buying a new kitchen instead. If that is the input to the AI search assistant, then the result will be worse than Midjourney attaching a few extra arms to everybody on your faked Christmas family photo.
"[...] that our system had been used in an attempt to access member's data [...]"
1. It is not an "anomaly" if it has been designed that way.
2. Passive voice – "our system had been used to..." – in an attempt to deflect blame (it was the system, not us)
3. "... in an attempt to ..." – forgot to mention it was a successful "attempt"
Such a blunder means that there wasn't an "anomaly", it is a complete failure to incorporate security into the design of the system. Makes you wonder how many more "anomalies" there are, maybe just not as obvious to find as this one.
"Secure by design? Yes, we've read about that somewhere, but we didn't understand it."
When a dishonest company like Roku has "no plans right now" to implement something as bad as this, they're reminding me of the Berlin Wall and Walter Ulbricht's famous "Niemand hat die Absicht, eine Mauer zu errichten!" ("Nobody has the intention of building a wall!").
That's what happens when you destroy your brand by f%$§ing over your users repeatedly and being dishonest.
"... the desire from people in the business to drill down on things in circumstances where they don't appear that they are correct."
What a nice way to describe a business where asking too many questions will get you nowhere (if some stories are to be believed, said "nowhere" is somewhere out in the desert...)
As usual, Facebook wants to gaslight not only its users, but also regulators, into thinking that "advertising" equals "tracking". Newsflash: It does not.
The model of "subscribe or see ads" is nothing new, and a valid way to earn money.
But "subscribe or we'll track you all over the internet and across all your devices" is, obviously, not. That is asking the user for a ransom to comply with the law. But according to Meta, that is somehow different from the local branch of the Legitimate Businessmen Club™ showing up at your door asking for a donation so they don't do anything illegal...
"It should be said, however, there's no evidence to suggest this was actually exploited in the real world."
Sure, maybe "no evidence", but still "highly likely", because such things are being found out invariably – either by accident or by trying – and once found out, these tricks will be making the rounds. To pranksters, creeps, criminals, and sleuths.
The usual playing down of these flaws. I'm surprised by the missing "Ibis Hotels takes the safety and security of our guests very seriously."
// every "-" in the entered code becomes a SQL LIKE wildcard, and the value is spliced straight into the query string
$sql = sprintf("select * from BOOKINGS where BOOKINGCODE like '%s'", str_replace("-", "%", $entered_code));
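What the one-liner above would actually do, as an added example that is not part of the original post and not any hotel's real code: a constructed in-memory SQLite table of bookings, the dash-to-wildcard lookup with the value spliced into the query, and a hardened lookup beside it (parameterised exact match behind a format check). The booking-code format, table layout and sample codes are assumptions for the illustration.

```python
import re
import sqlite3

# Constructed sample data: the code format and the guests are invented.
BOOKINGS = [
    ("AB-1234-XY", "Alice"),
    ("AB-9876-XY", "Bob"),
    ("CD-5555-ZZ", "Carol"),
]

# Assumed booking-code format used for input validation in the hardened lookup.
CODE_RE = re.compile(r"[A-Z]{2}-[0-9]{4}-[A-Z]{2}")


def make_db():
    """Build an in-memory database with the constructed bookings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BOOKINGS (BOOKINGCODE TEXT PRIMARY KEY, GUEST TEXT)")
    conn.executemany("INSERT INTO BOOKINGS VALUES (?, ?)", BOOKINGS)
    return conn


def lookup_wildcard(conn, entered_code):
    """The pattern from the snippet above: dashes become LIKE wildcards and the
    value is spliced into the SQL string, so a partial code (or a quote) matches
    far more than one booking."""
    pattern = entered_code.replace("-", "%")
    sql = "SELECT GUEST FROM BOOKINGS WHERE BOOKINGCODE LIKE '%s' ORDER BY BOOKINGCODE" % pattern
    return [row[0] for row in conn.execute(sql)]


def lookup_exact(conn, entered_code):
    """Hardened lookup: reject anything that is not a complete code, then use a
    bound parameter and an equality match, so neither wildcards nor quotes in
    the input reach the query."""
    if not CODE_RE.fullmatch(entered_code):
        return []
    rows = conn.execute(
        "SELECT GUEST FROM BOOKINGS WHERE BOOKINGCODE = ? ORDER BY BOOKINGCODE",
        (entered_code,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for entered in ("AB-1234-XY", "AB-XY", "-", "x' OR '1'='1"):
        print(repr(entered), "wildcard:", lookup_wildcard(db, entered),
              "exact:", lookup_exact(db, entered))
```

Running the block shows the difference: `AB-XY` becomes the pattern `AB%XY` and returns both AB bookings, a single `-` becomes `%` and returns every booking, and `x' OR '1'='1` closes the string literal and also returns everything, while the hardened lookup returns a booking only for a complete, well-formed code.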