Showing posts with label security. Show all posts

2022-11-29

stolen cactus

2022.11.29: proj.apt`garden/stolen cactus:

. there were 3 pots of potatoes,

the pot on the right was half dug up,

in a place where 2 types of cactus were located,

but one of the cactuses was thrown to the side.

I dug up the rest of the pot looking for potatoes,

but all I could find were 2 very small ones,

and one of the seed potatoes that seemed chewed,

while the pot seemed dragged out of place,

having me wonder if an animal did this,

but most likely a human was looking for a cactus.

2019-11-25

how to avoid malware on flash drives

19.11.20: cyb/sec/how to avoid malware on flash drives:
co.quora:
. any computer is prone to infections from
visiting malware-infected websites or pdf's;
most usb peripherals contain firmware
that can be infected with malware,
so that a website can infect computer firmware;
then it can infect your flash drive firmware
which can then infect other computers.

2019-10-08

bluff email ransomware for bitcoin# 1C2EbKJCZKtHMJawxBqyzZ9SHQVwRyfist

mis.cyb/sec/malware/
bluff email ransomware for bitcoin# 1C2EbKJCZKtHMJawxBqyzZ9SHQVwRyfist:
. this letter was in my spam
(Oct 6, 2019, 12:50 PM
subject: Hohe Gefahr. Konto wurde angegriffen.)
seeming to come from my own account;
but gmail warns there is no way to verify this;
it warns of a trojan but I use a chromebook,
which is not so prone to trojans.
. here is what the letter said
translated by google from german
(not necessarily the language of the attacker):

2018-02-19

Intel ME OS is Minix3 -Google wants Linux

17.11.6: news.cyb/sec/Intel Mgt Engine OS is Minix3 while Google wants Linux:
2018: summary:
. below the OS level is the hypervisor,
and below the hypervisor level is
the ME (mgt engine).
. it allows the maker of the pc
to do updates even when power seems off,
as long as there is internet.
. the ME uses the secure Minix OS kernel,
but also includes a web browser,
and other huge amounts of functionality
that you can't get the bugs out of,
so Google suggests replacing it with
a Linux kernel and less functionality.
. this has the potential to be a back door
with which the national security agencies
can better protect us from terrorists
and others who take advantage of privacy.

2018-01-16

call for increasing offensive cyber capability

1.3: news.cyb/sec/call for increasing offensive cyber capability:
. the military wants to focus on cyber offense;
the thing to keep in mind with offense,
is it involves placing vulnerabilities
in the hardware that is used internationally;
and that will affect the security of everyone
when those vulnerabilities get out
into the hands of cyber criminals.

apps using #Python may be vulnerable

1.2: news.cyb/sec/lang/python/undocumented methods:
Liam Tung 2017:
IOActive researcher Fernando Arnaboldi
revealed Python has "undocumented methods
and local environment variables
that can be used for OS command execution".
ref:
blackhat presentation:
Exposing Hidden Exploitable Behaviors in Programming Languages
Using Differential Fuzzing:
A differential fuzzing framework was created to detect
dangerous and unusual behaviors in
similar software implementations.
1.16: the paper:
. some Python commands are undocumented because
they are for deprecated functions;
meaning don't use the functions in new code,
but for backward compatibility we are
keeping the function in place undocumented.
. documentation can be there to warn you
that a function doesn't check its inputs,
so you shouldn't feed it data from an untrusted source.

2016-10-18

DOD DNI want #cyberwar command split from #NSA

10.6: news.pol/purges/war/
DOD DNI want cyberwar command split from NSA:
10.18: summary:
. the same technology used for hacking into computers
can be used for both gathering info (NSA activities)
and for making foreign computers do malicious things
(cyberwar command activities).
. anybody with that technology can do both;
not surprisingly both activities have been headed by
the same director (a military general)
but since Snowden exposed that NSA is spying on its citizens
privacy defenders want NSA headed by a senate-selected civilian
rather than a general selected by the military.

2015-05-31

#NSA owns #linux even without #monolithic arch

2.19: cyb/sec/#NSA owns #linux even without #monolithic arch:
. I once thought the creator of linux
must be part of the NSA's conspiracy to
put vulnerabilities in open source:
he spurned the idea of a securable microkernel,
promoting instead the efficiency of a monolithic OS
written in the C programming language
which is notoriously difficult to secure .
. but if you look at all the other vulnerabilities
(such as USB support, and firmware rewritability),
a microkernel written in a safe language
would not have really mattered much .
. just look at what Chrome OS did with linux:
it removed many of the other vulnerabilities
and the linux core remains a survivor .

2015-05-28

#encryption export controls #Logjam

5.27: news.cyb/sec/encryption export controls/Logjam:
arstechnica:
The new attack has been dubbed Logjam,
( the name is a pun on the "discrete log"
math operation used to break the weak keys.
But the name is also an allusion to the fact that
these '90s-era export ciphers are part of an
immense amount of technical debt
that's built up in our crypto protocols,"
"There's just too much dead wood that's accumulated over the years."
)
The weakness is the result of export restrictions
the US government mandated in the 1990s
to enable less secure encryption for foreigners
so the FBI and NSA could eavesdrop on them .

2015-05-03

Google`Project Zero on #Apple

2.4: news.cyb/sec/Google`Project Zero on #Apple:
intego.com`mac security:
. Google's Project Zero finds flaws in software;
and gives a 90-day warning before releasing details
including proof-of-concept code .

2015-03-29

Defense sees cloud computing as insecure

news.cyb/sec/Defense sees cloud computing as insecure:
3.17: 3.29: summary:
. I'm interested in cloud computing primarily because
that is promoted by Google's Chrome OS platform;
however, what makes that platform most secure
is not so much that it relies on cloud computing,
but because it strictly controls the firmware
and this avoids advanced persistent malware .
. the usa's DoD (Dept of Defense) is moving to cloud computing
(saving money by outsourcing to private industry
instead of using DoD's own servers)
but they are not putting all their data there;
because, some of it is too sensitive .
. what they are hoping for
is that they can get private industry
to set up their servers on DoD property,
where physical access to the servers
can be monitored by the DoD .
. another issue is that top secret communications
are done on a network that is separate from
the public's internet .

2015-02-15

@google warns rely only on printers

2.15: news.cyb/net/@google warns rely only on printers:
. Google is the king of cloud computing
but Google's vice-president Vint Cerf warned:
"If there are photos you really care about,
print them out."
. I have all my photos on Google Drive;
is he worried WWIII destroys Google servers?

2015-02-09

"g-d" as the voice of community survival

1.29: relig/god/the voice of community survival:
. when we say of a work, "god said that",
or "god had the prophets or the son say that"
we mean that work supports a plan that is
in the best interest of your community or the world,
or something your common sense will agree with
given you are sufficiently educated
to think about the spirit of the law .
2.9:
. otherwise, how do we know god's voice
when there can be false prophets?

2015-01-24

@NafeezAhmed I love #google /AND/ the #NSA

1.23: news.pol/gemini/@NafeezAhmed I love google AND the NSA:
summary:
. I've been noticing that google's chromebook
is the only safe place to be
given today's firmware-based malware;
but also that it nudges you into cloud computing
which is an invasion of privacy .
. @NafeezAhmed recently wrote an article
asserting that google and other cloud suppliers
were nurtured by the CIA-NSA-MDDS program
in order to implement pervasive surveillance .

2015-01-03

#malware for #iOS #2014

news.cyb/sec/malware for iOS:
1.3: summary:
. some might say Wirelurker is no big deal
since it requires the mac user to install
an untrusted enterprise app:
moral of the story, reap what you sow;
don't trust any apps
unless you can trust their source;
right?
. but did you know that one mistake
could rewrite your other iOS apps?
in the name of user friendliness,
iOS security could be better,
and zdziarski.com has some suggestions .

2014-11-09

#Secret Manuals Show #Spyware Sold to #police

11.5: news.cyb/sec/Secret Manuals Show Spyware Sold to police:
firstlook.org 2014/10
When Apple and Google unveiled
new encryption schemes last month,
law enforcement officials complained that
they wouldn't be able to unlock evidence
on criminals’ digital devices.
What they didn't say is that there are
already methods to bypass encryption,
thanks to off-the-shelf digital implants
readily available to the smallest national agencies
and the largest city police forces
— easy-to-use software that takes over and monitors
digital devices in real time.
First Look Media are publishing in full, for the first time,
manuals explaining the prominent commercial implant software
“Remote Control System,” manufactured by
the Italian company Hacking Team.
. they mention citizenlab.org's June 24 Police Story:
Hacking Team’s Government Surveillance Malware

2014-10-11

#BadUSB code made public #badBIOS #android #linux #mac #Windows

news.cyb/sec/#badBIOS/#BadUSB code made public:
10.11: summary:
. in 2013 I wrote about #badBIOS malware
apparently infecting my mac and linux/pc;
recently a demonstration of badUSB
has proven a key technology needed by badBIOS;
but the code was not revealed; because,
USB is considered to be unpatchable,
unless $billions in hardware were replaced .
. even more recently,
other researchers have released the code .
 

2014-09-20

#USAFREEDOMAct reauthorizes #PATRIOTAct until after #wwIII is over

news.pol/privacy rights
/#USAFREEDOMAct reauthorizes #PATRIOTAct until after #wwIII is over:
. it's ok to lose privacy; we're in a war until 2017;
and after that we're in a global union;
how can you keep global peace
without keeping an eye on every guy
since you can't know who's evil until you look .
sign the petition:

2014-07-31

national security challenge of the 21st century

30: news.pol/purges/wwIII/national security challenge of the 21st century:
defense.gov news:
Aspen Security Forum in Colorado,
A panel of experts discussed the specter of
terrorists armed with WMD's (weapons of mass destruction)
-- nuclear, biological, chemical, etc .
Among the panelists was Andrew C. Weber,
assistant secretary of defense for
nuclear, chemical and biological defense programs .

2014-06-07

DARPA's automated internet disinfectant

6.4: news.cyb/sec/DARPA's automated internet disinfectant:
Mike Walker, DARPA program manager
on Reddit.com:
In April of 2014, insurers started selling insurance products
that covered physical harm generated by cyber effects
-- Google "cyber insurance" "property damage".
In May of 2014,
Sky News reported that over 42,000 London cars
-- nearly half of the cars stolen in the city of London --
were stolen with hacking.
The networked civilization we are building
is going to need to be able to make
strong promises about the safety of software,
because it won't just be guarding our data security
-- it will be guarding our physical security.
If we're going to be able to make strong promises about
software safety, we're going to need automation
that can investigate software in a
uniform, scalable and effective manner.
We know that expert auditors can't get there
-- IBM/Rational points out that our civilization crossed
1 trillion lines of code in the early 2000's.
Operating systems weigh in above 40 million lines
under constant development.
The problem is too big and it’s moving too fast.
We also know that today's automation is
losing every contest of wits to experts
-- in the wake of Heartbleed,
not a single automation product has come forward to say
that this flaw could have been detected
without expert annotation or intervention.
CGC is open technology development
on the problem of software safety,
a problem seen by the DoD
-- and everyone with a vested interest in our connected future.
cybergrandchallenge/about:
. What if a purpose built supercomputer
could scour the billions of lines of code we depend on,
find and fix the toughest flaws,
upend the economics of computer security,
and level the playing field
between attackers and defenders?
co.reddit comment:
. a lot invested in the [stale] attack/defense model
of computer security competition.
I've heard arguments from many players
that the current model of attack/defense CTF
[capture the flag competitions] is "stale". 
Mike Walker:
. great innovation is happening in the CTF community:
see Build It / Break It / Fix It,
funded by the National Science Foundation.
6.7: my response:
. what is stale is the attack/defense model;
because, the chip firmwares have backdoors;
you need to secure the hardware;
then you can analyze the software;
but, at least with DECREE
they are promoting a microkernel OS
that can guarantee isolation between app's?
(well, the interface is tiny, if not the Trusted Code Base).
. unfortunately what they have in mind
is to use their simple OS only for
easily managing the budding automation competition;
then they plan to evolve the winning buds
for auto-fixing today's software on today's OS's.
. but, what can they do for firmware breaches?
. they are trying to show concern about cybercrime
without actually blocking the backdoors used by NSA .