
Thread: Antivirus is shit, everything is compromised, etc etc (Cybersecurity thread)

  1. #661
    Movember 2011Movember 2012 Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,570
    October surprise electioneering, perhaps? Maybe to influence people's views on China policy?
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  2. #662
    vDJ's Avatar
    Join Date
    July 31, 2012
    Location
    out there
    Posts
    1,411
    Quote Originally Posted by Nordstern View Post
    October surprise electioneering, perhaps? Maybe to influence people's views on China policy?
    That's a pretty cool one.
    Also imagine the financial consequences of Apple and Amazon coming out and saying "ye china fucked us" at the same time. Apple has been spinning the "we care about your privacy" line vs both windows and android for some time now so that'd look especially bad for the average Joe, whereas pros would be more concerned about Amazon.

  3. #663

    Join Date
    May 31, 2011
    Posts
    4,213
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by Hel OWeen View Post
    It'll be fun to see which side is right here, as both sides are quite heavily "invested" in their side of the story.

    Meanwhile elsewhere people also have a look at it and come to different conclusions. This one caught my attention.
    “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” said the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company’s cloud-computing unit.

    [...]

    Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc (SMCI.PK), a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

    “I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

    Baker and the FBI declined to comment Friday.
    Source: https://in.reuters.com/article/china...-idINKCN1MF1CU

    I'm not familiar enough with "business speak" to be able to tell what type of position "general counsel" is and whether it's therefore worth noting these statements. But there are two actual names attached to it.
    General Counsel is just "the biggest lawyer we have" as well as being a first contact for general legal issues
    I see. Many thanks for the explanation.

    So that's some actual beef attached to it, not some "Here's your fancy but worthless title, Now go out there and just make us look good."

    I really can't figure out who to believe more here. On one hand, I doubt that Bloomberg will put out such a quite impacting piece without any real evidence for it. And OTOH, it seems quite suicidal aka "billion dollar civil lawsuits coming in in ...." for both Amazon and Apple to put out such quite detailed denials.

    I do think that something really happened, but Bloomberg - or better yet: their informants, somewhat got the details/timeline wrong*). Which would make both sides wrong and both sides right somehow.

    But whatever the outcome may be, we bystanders have a couple of days ahead of us, while the involved parties play it out.

    *) similar to what Apple stated with that 2015 incident

  4. #664

    Join Date
    May 31, 2011
    Posts
    4,213
    ... sooo (regarding the above) ... all quiet on the western front? Internet, are you still there?

    Given the implications of it and how outspoken both sides have been about their side of the story, it has been an unusually quiet news Monday in regards to this thus far.

  5. #665
    XenosisMk4's Avatar
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,442
    Quote Originally Posted by Hel OWeen View Post
    ... sooo (regarding the above) ... all quiet on the western front? Internet, are you still there?

    Given the implications of it and how outspoken both sides have been about their side of the story, it has been an unusually quiet news Monday in regards to this thus far.
    Apple and Amazon said "no, nothing happened" and were backed up by various cybersecurity groups including the UK and the US

    So, until more news comes to light, it's a flat "well nothing I guess" issue

  6. #666
    Daneel Trevize's Avatar
    Join Date
    April 10, 2011
    Location
    T L A
    Posts
    12,415
    Something this scale would easily be covered by National Security Letters. Which you can't talk about even being gagged by. Need some canary mechanisms prepared ahead of time.
    Quote Originally Posted by QuackBot View Post
    Idk about that, and i'm fucking stupid.

  7. #667

    Join Date
    April 14, 2011
    Posts
    6,720
    I dunno, right now I'm about 85% sure it's complete bullshit. The denials are too strong, the detail too thin and it doesn't entirely make sense as an attack vector anyway.

  8. #668
    Daneel Trevize's Avatar
    Join Date
    April 10, 2011
    Location
    T L A
    Posts
    12,415
    The ethernet card of a datacentre server doesn't seem a good place to put a sniffer chip?
    Bloomberg put out a new and then updated article today.
    Haven't actually read either yet.
    And
    According to an earlier report by The Information, security concerns were indeed a reason why Apple and Supermicro parted ways.
    Though details seem to revolve around a compromised firmware download server. Same diff tbh, and could have been intentional/forced via Chinese gov.
    Last edited by Daneel Trevize; October 9 2018 at 09:36:18 PM.
    Quote Originally Posted by QuackBot View Post
    Idk about that, and i'm fucking stupid.

  9. #669

    Join Date
    April 14, 2011
    Posts
    6,720
    It's not in the ethernet card. The story was thin on exactly where it was placed, one of many areas it fell short. Based on the photography it seems to be plugged into the BMC. This would make sense.

    ed: Lol, all the graphics and images were only "illustrative"

    And I'm not saying that's a bad place to put a sniffer chip, I'm saying carrying out "highly targeted" attacks by compromising the entire supply chain of one of the biggest electronics manufacturers on earth is not the smartest attack vector. It's too large scale, too easily found and far harder than other alternatives that exist when you operate at that scale.

    The apple/supermicro issue is down to SM repeatedly shipping cards with old firmware. It was well documented at the time.
    Last edited by elmicker; October 9 2018 at 09:54:15 PM.

  10. #670

    Join Date
    May 31, 2011
    Posts
    4,213
    Yeah, the ethernet card thing is a new story from Bloomberg.

    Currently, I'd say the original Bloomberg story is BS. It seems that even one of their sources warned them before they published the story:

  11. #671
    Shaftoes's Avatar
    Join Date
    April 9, 2011
    Location
    Ships
    Posts
    1,728
    Does anyone here read tales from tech support on reddit?

    https://www.reddit.com/r/talesfromte...admin_when_my/

    This guy's story about finding a vulnerability in a piece of financial software is incredible. He goes into the technical details about exactly how he found the vulnerability and it is extremely interesting.

  12. #672
    Joe Appleby's Avatar
    Join Date
    April 9, 2011
    Location
    in front of the class
    Posts
    14,401
    Quote Originally Posted by Shaftoes View Post
    Does anyone here read tales from tech support on reddit?

    https://www.reddit.com/r/talesfromte...admin_when_my/

    This guy's story about finding a vulnerability in a piece of financial software is incredible. He goes into the technical details about exactly how he found the vulnerability and it is extremely interesting.
    Am on part 2. Don't understand everything as much as I'd like to, but damn it's good.

    Tapapapatalk
    nevar forget

  13. #673
    Movember 2011Movember 2012 Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,570
    Just read all five parts. InfoSec Jesus warns of the apocalypse, gets crucified, nbs. Complete with 30 pieces of Russian silver.
    Last edited by Nordstern; October 16 2018 at 10:43:29 PM.
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  14. #674

    Join Date
    November 5, 2011
    Posts
    11,626
    Spectacularly good read even if I don't understand the techy details.

  15. #675
    Movember '11 Best Facial Hair, Best 'Tache Movember 2011Movember 2012Donor helgur's Avatar
    Join Date
    April 24, 2011
    Location
    Putting owls in your Moss
    Posts
    9,056
    Quote Originally Posted by Shaftoes View Post
    Does anyone here read tales from tech support on reddit?

    https://www.reddit.com/r/talesfromte...admin_when_my/

    This guy's story about finding a vulnerability in a piece of financial software is incredible. He goes into the technical details about exactly how he found the vulnerability and it is extremely interesting.
    Came over this now, and holy shit what a ride! Plusrepp this man to hell and back pls

  16. #676
    Winged Nazgul's Avatar
    Join Date
    April 10, 2011
    Location
    USA
    Posts
    3,154
    Quote Originally Posted by Shaftoes View Post
    Does anyone here read tales from tech support on reddit?

    https://www.reddit.com/r/talesfromte...admin_when_my/

    This guy's story about finding a vulnerability in a piece of financial software is incredible. He goes into the technical details about exactly how he found the vulnerability and it is extremely interesting.
    Wow, epic read. Dunno why he calls himself a Black Hat. Seems very White Hat to me.

  17. #677
    Donor erichkknaar's Avatar
    Join Date
    April 10, 2011
    Posts
    11,635
    I simply can't believe any story that involves a vendor not being able to reset a password for 2 weeks.

    That entity wouldn't be a vendor for long.
    meh

  18. #678

    Join Date
    April 14, 2011
    Posts
    6,720
    A story in which he:
    - Calls himself a black hat
    - Strums himself silly about using linux and being able to use wireshark
    - Goes to extreme and incredibly insecure lengths to avoid his organisation's internal security policies
    - Gleefully details having no disaster recovery procedures
    - Runs a business critical system dependent on a single user's single password with no 2fa or break-glass procedures
    - Runs same business critical system wide open to MITM attacks
    - Probably breaks the law by crafting an MITM attack to break into said system
    - Runs a business critical system that apparently passes passwords around in the clear, rather than hashing them
    - Runs a system where the vendor has, as part of normal business practice, more privileged access than the customer
    - Hasn't updated said business critical system in three years

    Don't be like this guy. This guy is a fucking amateur.

  19. #679
    Movember 2011Movember 2012 Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,570
    Quote Originally Posted by erichkknaar View Post
    I simply can't believe any story that involves a vendor not being able to reset a password for 2 weeks.

    That entity wouldn't be a vendor for long.
    (the following is a true story)

    Us: Hey [MAJOR semiconductor equipment vendor], a critical assembly in one of our tools is bad. We can limp along for now, but we need a new part ASAP.
    Vendor: Well, it looks like we don't have any spares, so we'll have to fabricate it.
    Us: How long will that take?
    Vendor: Dunno. Two months, maybe?
    Us: What.
    Vendor: Well, we have to rehire the person who makes them (because we laid them off, because we didn't have enough work for them to do), talk to our subcontractors, and requalify the process, etc etc.
    Us: Could you please hurry?!
    (three months go by)
    Vendor: We need to push out the delivery date by another two weeks.
    Us: But you have started making the part, right?
    Vendor: Uh, sure...
    (another two months of "we need to push out the delivery date 2 weeks")
    Vendor: Okay, we have the part. (goes to install) Hmm, it doesn't work.

    They made another assembly and got it working a week later. This same vendor, and others in the industry, no longer make control boards for our tools. When those boards die, sometimes the only option is to scour eBay and warehouses looking for spare parts.

    And we pay them almost a million dollars a year, so we can be treated like this.


    Quote Originally Posted by elmicker View Post
    A story in which he:
    - Calls himself a black hat
    - Strums himself silly about using linux and being able to use wireshark
    - Goes to extreme and incredibly insecure lengths to avoid his organisation's internal security policies
    - Gleefully details having no disaster recovery procedures
    - Runs a business critical system dependent on a single user's single password with no 2fa or break-glass procedures
    - Runs same business critical system wide open to MITM attacks
    - Probably breaks the law by crafting an MITM attack to break into said system
    - Runs a business critical system that apparently passes passwords around in the clear, rather than hashing them
    - Runs a system where the vendor has, as part of normal business practice, more privileged access than the customer
    - Hasn't updated said business critical system in three years

    Don't be like this guy. This guy is a fucking amateur.
    TIL that IT personnel can override suits in every area that matters.
    Last edited by Nordstern; October 20 2018 at 06:46:37 PM.
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  20. #680
    Lana Torrin's Avatar
    Join Date
    April 13, 2011
    Location
    Bonding around
    Posts
    19,136
    Quote Originally Posted by Nordstern View Post
    Quote Originally Posted by erichkknaar View Post
    I simply can't believe any story that involves a vendor not being able to reset a password for 2 weeks.

    That entity wouldn't be a vendor for long.
    (the following is a true story)

    Us: Hey [MAJOR semiconductor equipment vendor], a critical assembly in one of our tools is bad. We can limp along for now, but we need a new part ASAP.
    Vendor: Well, it looks like we don't have any spares, so we'll have to fabricate it.
    Us: How long will that take?
    Vendor: Dunno. Two months, maybe?
    Us: What.
    Vendor: Well, we have to rehire the person who makes them (because we laid them off, because we didn't have enough work for them to do), talk to our subcontractors, and requalify the process, etc etc.
    Us: Could you please hurry?!
    (three months go by)
    Vendor: We need to push out the delivery date by another two weeks.
    Us: But you have started making the part, right?
    Vendor: Uh, sure...
    (another two months of "we need to push out the delivery date 2 weeks")
    Vendor: Okay, we have the part. (goes to install) Hmm, it doesn't work.

    They made another assembly and got it working a week later. This same vendor, and others in the industry, no longer make control boards for our tools. When those boards die, sometimes the only option is to scour eBay and warehouses looking for spare parts.

    And we pay them almost a million dollars a year, so we can be treated like this.
    This sounds shockingly similar to a place I used to work at, except you had actual support. Our first and only line of defence was to go to eBay. We almost got into a situation where primary operations were halted, which would have cost the company millions of dollars a week in income, let alone any fines for missing deadlines, because we couldn't find a printer ribbon... I mean fuck, who puts a proprietary printer interface on multi-million dollar equipment and then stops supporting it completely 5 years later.
    Quote Originally Posted by lubica
    And her name was Limul Azgoden, a lowly peasant girl.
