Computers & Technology 4

ML1 (Volunteer moderator, Volunteer tester; United Kingdom; joined 25 Nov 01; posts 20989; credit 7,508,002; RAC 20)
Message 2135884 - Posted: 16 May 2024, 12:31:23 UTC - in response to Message 2135877.
Last modified: 16 May 2024, 12:36:48 UTC

Millions of blinded eyeballs. Kernel.org hacked

Thanks for that...

But why now? That is all from very many years ago! ... A slow news week and clickbait?...

Regarding some of the kernel.org servers being among the victims, the kernel code that was being served was unaffected. There are separate cryptographic hash checks securing that. Any tampering there would immediately get noticed.


Further detail is given in these comments:

Needleroozer wrote:
As a clarifying point, this is not a supply-chain attack that modified the OpenSSH source code in the style of the recent attack on xz but rather a modification of OpenSSH config files and libraries to provide ongoing remote access once the attackers had gotten code execution via some other means.

The SSH-based propagation is more that once you have a foothold on one server, you can probably use its stored SSH credentials to log into and infect other servers to which it has connected previously.

It is very interesting that we have widespread Linux malware running around oblivious to the context of the servers it’s installed on - you could do a lot of damage by messing with the Linux source code surreptitiously, but this malware was just being used for traditional malfeasance like spam email and bitcoin transactions…

Rombobjörn wrote:
... This is the warning the victims "overlooked":

Code:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:CXsJG5G21cStna7LKXWnf4Az/Civr+sXuIMoX9Wyp2R.
Please contact your system administrator.


To protect yourself, make sure you have your servers' host keys – or a cert-authority key – on your workstations and laptops so SSH can do its job for you. When you see the warning above, be very suspicious! Do not just ignore it!

SeanJW wrote:
SSH rarely uses MFA? MFA is the most common form of authentication with SSH. It's just done with private keys and passwords attached to them, not with the password prompt. MFA is having the private key file (something you have) and the password that unlocks it (something you know). And they can be managed via hardware keys like Yubikeys (something they can do that basic FIDO2 keys don't do, so they're worth the cost there).

Edit: And that's also why modern setups just don't have anything in /etc/shadow. It's all via SSH keys which are managed via an auth framework. Of course, in 2009, different world.


Indeed, we've moved on since those older naive days...

A good reminder, but that article is very old click bait for a quiet week.


More of a question is how much people care (or not), and how much time people feel they have, to not take insecure "short cuts"...


IT is very much what we make it!
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
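The check behind that banner, as an added Python model that is not from the original post or from OpenSSH: it derives the SHA256 fingerprint the warning prints from a known_hosts key blob and shows why a pinned host key turns an unexpected key into CHANGED rather than a silent connect. Hostnames, keys and the known_hosts text are constructed for the example; hashed hostnames, glob patterns and certificate validation are left out.

```python
"""Model of the known_hosts check behind OpenSSH's "REMOTE HOST IDENTIFICATION HAS CHANGED"
banner and of its SHA256 fingerprint format. Keys, hostnames and known_hosts text are constructed."""
import base64
import hashlib
import struct

MATCH, CHANGED, UNKNOWN = "match", "changed", "unknown"

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 key blob as written in known_hosts: string(type) + string(key)."""
    assert len(raw_pubkey) == 32
    wire = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return base64.b64encode(wire).decode()

def fingerprint(blob_b64: str) -> str:
    """ssh-keygen -l style: 'SHA256:' + base64(sha256(decoded blob)), '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str):
    """Return [(marker, hostnames, keytype, blob)]; hashed '|1|' hostnames not handled (simplification)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):  # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries

def host_key_status(entries, host: str, keytype: str, presented: str) -> str:
    """What ssh decides when `host` presents key blob `presented`:
    MATCH   -> connect silently
    CHANGED -> a stored key of this type for this host differs: the '@@@ WARNING' banner
    UNKNOWN -> nothing stored for this host/type (a CA line alone is not a host key)"""
    seen = False
    for marker, hosts, ktype, blob in entries:
        if host not in hosts or ktype != keytype or marker is not None:
            continue  # CA and revoked lines need certificate logic, out of scope here
        seen = True
        if blob == presented:
            return MATCH
    return CHANGED if seen else UNKNOWN

# Constructed sample: the key the admin distributed out of band, a different key an
# impostor might present, and a CA key for the rest of the (made-up) domain.
REAL_KEY = ed25519_blob(bytes(range(32)))
IMPOSTOR_KEY = ed25519_blob(bytes(range(32, 64)))
CA_KEY = ed25519_blob(bytes([7]) * 32)
KNOWN_HOSTS = f"""# pinned host key, distributed out of band
git.example.test,203.0.113.10 ssh-ed25519 {REAL_KEY}
@cert-authority *.example.test ssh-ed25519 {CA_KEY}
"""
```

With the pinned entry present, `host_key_status(..., IMPOSTOR_KEY)` returns CHANGED, which is the situation the banner reports; without any pinned entry it would only return UNKNOWN and ssh would just prompt to trust the new key.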
Gary Charpentier (Volunteer tester; United States; joined 25 Dec 00; posts 30929; credit 53,134,872; RAC 32)
Message 2135905 - Posted: 16 May 2024, 16:03:51 UTC - in response to Message 2135884.

Indeed, we've moved on since those older naive days...

The proof we have not moved on: dismissiveness. Just because one attacker wasn't interested in inserting an APT doesn't mean another won't. Just because there is a tool to detect something doesn't mean the tool is being used correctly, if at all, and it means nothing if the tool can be compromised. The fact it went on for so long and it was hoisting red flags sending spam ... SMH.

If I were a nation state I would have expended some significant resources on developing a tool that if deployed would become supervisory bare metal on whatever system it is deployed to and let the victim believe his OS is bare metal but it is actually a VM of the nation state's O/S. This is the ideal as you can read everything including all the cryptographic keys and generally prevent the victim from being able to discover they are a victim. After all any tool he runs in your VM will only report the VM's activity.

By now I would expect more than one nation state has the signing keys for most every widely used O/S.

If you work in a sandwich shop, you may not be interesting to a nation state. If you work at a utility or a manufacturing plant you are interesting. Any and everything they discover can be used in the traditional methods of spies to compromise you. Hence those wide scale attacks by nation states to exfiltrate databases of PII.

Paranoia isn't enough.

Security is what we allow.
ML1 (Volunteer moderator, Volunteer tester; United Kingdom; joined 25 Nov 01; posts 20989; credit 7,508,002; RAC 20)
Message 2135913 - Posted: 16 May 2024, 17:52:45 UTC - in response to Message 2135905.
Last modified: 16 May 2024, 17:58:26 UTC

... Paranoia isn't enough.

Security is what we allow.

Agreed, there isn't enough healthy paranoia for good security. From my experiences, the lack of any useful security is all too often from "penny pinching" and outright ignorance of the Management. There is also the all-too-often used excuse of "nothing of interest here to be a target" or that of hopeful/dismissive "only ever happens to others"... And other lame excuses, and anything to avoid any immediate 'inconvenience'.

I'm reminded of one workplace where the senior management didn't want to use passwords and were aghast at my insistence that passwords must be actually 'pass-phrases' of more than 16 mixed characters... Part of that problem was they had a complete lack of imagination and couldn't type anyhow! But also, they didn't want to pay the meager costs for using physical security keys (USB encryption keys)!! And that example is all too common in various ways.

I've had the silly example of the head of a big department thinking that no one would ever guess that his password was indeed the word "password". The one occasion I passed off as silly. But then I hit the same silliness for a Director!!...

Hey-ho...

I've come to realize that lay-people find the mere thought of passwords, pass phrases, and PINs, all very high stress and scary, with a great fear from them that it is 'all too complicated'...

Hence the present game that there is the assumption that everyone has a personal smartphone and that can be used as a personal MFA device... Even though that game is still all too insecure.


Can we persuade everyone to adopt physical cryptographic security keys?

Have such devices implanted under the skin just like an elaborate RFID tag??...


IT security is very much how we make it...
Martin


MFA: Multi-Factor Authentication

RFID: Radio Frequency [device] Identification
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ML1 (Volunteer moderator, Volunteer tester; United Kingdom; joined 25 Nov 01; posts 20989; credit 7,508,002; RAC 20)
Message 2135914 - Posted: 16 May 2024, 17:53:46 UTC - in response to Message 2135905.

... Virtual Machines...

VMs and the Cloud...

That is a whole expanded insecure 'game' to be commented upon later!


IT is what we make it...
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Scrooge McDuck (Germany; joined 26 Nov 99; posts 1068; credit 1,674,173; RAC 54)
Message 2135922 - Posted: 16 May 2024, 21:19:48 UTC - in response to Message 2135914.

VMs and the Cloud...

That is a whole expanded insecure 'game' to be commented upon later!

Combine VMs and Cloud with "Meltdown" and "Spectre", the widespread CPU vulnerabilities (Intel and others) that enabled unauthorized memory access caused by speculative code execution.
Gary Charpentier (Volunteer tester; United States; joined 25 Dec 00; posts 30929; credit 53,134,872; RAC 32)
Message 2135934 - Posted: 17 May 2024, 5:33:13 UTC - in response to Message 2135913.

Have such devices implanted under the skin just like an elaborate RFID tag??...

An ordinary RFID is just a number, utterly no different than a password, but far less secure as readers are readily available. A hash function RFID could be secure, but every RFID chip would have to hash differently or it would be trivial to clone, and of course there is a big juicy table of hash functions sitting on storage just waiting to be exfiltrated. A hash function RFID that also needed a PIN might work, but the PIN would have to be random, humans are too predictable in picking numbers, this of course in addition to a pass phrase.

Perhaps the left hand has an RFID that is the user ID, a nice 8192 bit long random, the right hand has the hash RFID that needs the random 8 digit PIN to decode, and the user needs to enter a human username and passphrase. That might be enough to at least make it less than trivial.

Security is what we Allow.
Wiggo (Australia; joined 24 Jan 00; posts 36360; credit 261,360,520; RAC 489)
Message 2136221 - Posted: 24 May 2024, 7:55:41 UTC

Elon's X has just found out that the usual excuse is no longer valid with Meta next in the firing line.

Musk's X can be liable for hate speech published on platform in landmark QCAT ruling.

Social media company X, formerly Twitter, has lost a key fight over whether it's legally responsible for its activities in Australia.

The Queensland Civil and Administrative Tribunal (QCAT) has made a landmark ruling that the company can be held liable for hate speech published on its platform.

The decision is a win for the Australian Muslim Advocacy Network (AMAN), which lodged a complaint in July 2022 accusing X of being responsible for publishing denigrating and hateful comments from a far-right conspiracy group, about Muslims being "an existential threat" to the world.

Social media companies such as X have often relied on the legal argument that they're not responsible for what happens on foreign soil because they don't do business there.

But that principle has now been challenged.....

If they want a presence in other countries then they must adhere to those countries' laws.
Scrooge McDuck (Germany; joined 26 Nov 99; posts 1068; credit 1,674,173; RAC 54)
Message 2136228 - Posted: 24 May 2024, 8:41:54 UTC - in response to Message 2136221.

If they want a presence in other countries then they must adhere to those countries' laws.

This means censoring free speech in China, for example on Tibet and Xinjiang.
Wiggo (Australia; joined 24 Jan 00; posts 36360; credit 261,360,520; RAC 489)
Message 2136230 - Posted: 24 May 2024, 8:54:15 UTC - in response to Message 2136228.

If they want a presence in other countries then they must adhere to those countries' laws.
This means censoring free speech in China, for example on Tibet and Xinjiang.

There's a huge difference between free speech and hate speech.
Scrooge McDuck (Germany; joined 26 Nov 99; posts 1068; credit 1,674,173; RAC 54)
Message 2136234 - Posted: 24 May 2024, 9:33:43 UTC - in response to Message 2136230.

That's right. But in China they make no such distinction. There is only 'state-approved speech'. How should western companies handle this? Abandon your own principles in order to increase reach and revenue? Most of them do that. But Elon probably didn't buy Twitter to make money.
Gary Charpentier (Volunteer tester; United States; joined 25 Dec 00; posts 30929; credit 53,134,872; RAC 32)
Message 2136249 - Posted: 24 May 2024, 16:26:23 UTC

If you own ink and a press you are a terrorist.
Dr Who Fan (Volunteer tester; United States; joined 8 Jan 01; posts 3315; credit 715,342; RAC 4)
Message 2136282 - Posted: 25 May 2024, 19:43:26 UTC

So, that's how you (don't) make a pizza!
Google’s ‘AI Overviews’ advises adding glue to pizza sauce, lists ‘health benefits’ of tobacco for tweens
Dubbed “AI Overviews,” the feature rolled out to all US users beginning last week and is expected to reach more than 1 billion users by the end of the year — despite continued flubs that have dinged the chatbot’s credibility.

One widely circulated screenshot showed Google’s AI-generated response to a search for the query “cheese not sticking to pizza.”

... Google responded by listing “some things you can try” to prevent the issue.

“Mixing cheese into the sauce helps add moisture to the cheese and dry out the sauce,” Google’s AI Overview said. “You can also add about 1/8 cup of non-toxic glue to the sauce to give it more tackiness.”
Sirius B (Volunteer tester; Ireland; joined 26 Dec 00; posts 24905; credit 3,081,182; RAC 7)
Message 2136347 - Posted: 27 May 2024, 7:49:59 UTC - in response to Message 2136282.

...and some sad muppet will be dumb enough to actually try it.
Dr Who Fan (Volunteer tester; United States; joined 8 Jan 01; posts 3315; credit 715,342; RAC 4)
Message 2136475 - Posted: 30 May 2024, 0:55:31 UTC

"The cat is out of the Ethernet bag!"
Google won’t comment on a potentially massive leak of its search algorithm
A purported leak of 2,500 pages of internal documentation from Google sheds light on how Search, the most powerful arbiter of the internet, operates.
Gary Charpentier (Volunteer tester; United States; joined 25 Dec 00; posts 30929; credit 53,134,872; RAC 32)
Message 2136599 - Posted: 2 Jun 2024, 1:04:37 UTC

How did the millions of eyeballs miss this? https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/
The vulnerability, which affects Linux kernel versions 5.14 through 6.6

ML1 (Volunteer moderator, Volunteer tester; United Kingdom; joined 25 Nov 01; posts 20989; credit 7,508,002; RAC 20)
Message 2136648 - Posted: 3 Jun 2024, 20:03:34 UTC - in response to Message 2136599.

Wow! That's an old one!!

Those kernel versions have had a very long series of updates or have long been discontinued since those days.

So... The eyeballs long ago saw that one and long ago put in the fixes.

As for why systems are left to languish for years with no updates?...


IT is what we make it!
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Gary Charpentier (Volunteer tester; United States; joined 25 Dec 00; posts 30929; credit 53,134,872; RAC 32)
Message 2136692 - Posted: 4 Jun 2024, 14:50:25 UTC - in response to Message 2136648.

As for why systems are left to languish for years with no updates?...

Because updates break things.
Gary Charpentier (Volunteer tester; United States; joined 25 Dec 00; posts 30929; credit 53,134,872; RAC 32)
Message 2136877 - Posted: 8 Jun 2024, 16:30:52 UTC

Wiggo (Australia; joined 24 Jan 00; posts 36360; credit 261,360,520; RAC 489)
Message 2137285 - Posted: 18 Jun 2024, 19:48:55 UTC

US sues Photoshop maker Adobe for hiding fees, making it difficult to cancel.

The US government is suing Adobe, accusing the design software giant of "trapping" customers into year-long subscriptions through concealing hefty termination fees and making it difficult for members to cancel.

The Federal Trade Commission (FTC) has alleged that the Photoshop and Acrobat maker buries fees—which sometimes reach hundreds of dollars—and important terms in its 'annual paid monthly' subscription in fine print or behind hyperlinks and text boxes.

The lawsuit alleges that Adobe calculates early termination fees as 50 per cent of the remaining payments when consumers cancel in their first year, in the complaint filed on Monday, local time.

Adobe said they will refute the FTC's claims in court......
ML1 (Volunteer moderator, Volunteer tester; United Kingdom; joined 25 Nov 01; posts 20989; credit 7,508,002; RAC 20)
Message 2137333 - Posted: 20 Jun 2024, 0:33:48 UTC

Great positive fun!


Quoting "Apple's Macintosh 128K on a Pi Pico gets thumbs-up from Upton":
Just because you could definitely means you should

The Raspberry Pi has long been popular with retrocomputing enthusiasts, and its microcontroller – the RP2040 – can also be used for various emulation purposes, now including the original Apple Macintosh 128K.

Compared to the $2.5k Apple wanted for the Mac in 1984 – around $7.5k in today's money – a Pi Pico with the RP2040 costs around $4...



And:

Quoting "Build your own handheld ZX Spectrum with Raspberry Pi Pico":
... Reason number one ... better than the original ZX Spectrum: it exists in the now. Reason number two: it’s cuter because it’s smaller, meaning you can also use it as a handheld device and carry it around in your pocket. Reason number three: it’s built on Raspberry Pi Pico...



Fantastic fun!

Just because it can be done!!


IT is very much what we make it!
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
©2024 University of California

SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.