
Category: Hackerterrorcybercyber

Scaleway now with 2FA

Cloud provider Scaleway now has ARM64-based bare metal in Amsterdam. They are also now offering 2FA based on Google Authenticator (or other compatible 2FA apps).

No U2F token support yet, though (but still a better solution than Steam).

This blog is hosted on a Scaleway instance.


Shit found on github: crashos

Infinite Fun in Infinite Combinations:

CrashOS is a tool dedicated to the research of vulnerabilities in hypervisors by creating unusual system configurations. CrashOS is a minimalist Operating System which aims to lead to hypervisor crashes, hence its name. You can launch existing tests or implement your own and observe hypervisor behaviour towards this unusual kernel.

I think you might want to talk to your hoster first.


Google Chrome integrates Adblocker

The ad and adblock situations are both now so bad that even Google is considering integrating an adblocker by default into the Chrome browser.

This is a twofold action. Its purpose is of course to filter out ads, the worst of the worst in annoyance and the obvious malvertising. Its purpose is also to take back control of adblocking, because it will let through acceptable ads according to the Coalition for Better Ads standards.

CfBA condemns Popups, Sound, Prestitials and Large Stickies on the Desktop, and more on mobile.

It will be interesting to see if it changes anything. People are truly beyond caring.


Microsoft fixed Wannacrypt on XP in February, didn’t release

The Register reports:

[O]ur analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.

Here are the dates in the patches:

  • Windows 8 RT (64-bit x86): Feb 13, 2017
  • Windows 8 RT (32-bit x86): Feb 13, 2017
  • Windows Server 2003 (64-bit x86): Feb 11, 2017
  • Windows Server 2003 (32-bit x86): Feb 11, 2017
  • Windows XP: Feb 11, 2017
  • Windows XP Embedded: Feb 17, 2017

This is bad.


WSJ on Government Backdoors, intentional and unintentional

The episode underscores the folly of the U.S. law enforcement demand that tech companies install backdoors into their devices and services.

the WSJ comments. This time the leak is an unintentional backdoor the NSA used to get onto devices. The NSA used the Vulnerabilities Equities Process to determine that ETERNALBLUE is burnt and informed Microsoft, which then promptly generated an urgent critical patch, which did not make it out to systems in the field fast enough.

According to the WSJ, there is little difference between flaws being used as government backdoors and intentional government backdoors, which may be detected and abused, or leaked. So this whole Wannacry(pt) thing is a very good example of what will happen with government-mandated backdoors in systems.


Rittal sends USB sticks that act as keyboards – as advertisement

Holger Köpke got a USB stick (article in German), supposedly from data center equipment maker Rittal, unsolicited, in the mail. Of course he did not plug it into a device; it could be anything.

He then (from his first comment in the same article) set up a test VM on a scratch device and inserted the USB stick there, and the stick identified not as USB memory, but as a USB HID, a keyboard. It seems he was right not to trust it. He sent a mail to Rittal explaining why he thinks this is dangerous, and asked whether this is indeed legit.

He got a response (another article in German), a letter as a PDF sent by email.
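The check described above (does a stick enumerate as a keyboard rather than as storage?) can be automated on a scratch machine. The following is an added example, not code from the linked articles: it parses text in the layout of `lsusb -v` and flags devices that expose a HID keyboard interface but are not on an allowlist. The sample output, device IDs and function names are constructed for illustration.

```python
import re

# USB-IF codes as printed (decimal) by `lsusb -v`: class 3 = HID, protocol 1 = keyboard.
# Heuristic: a HID device that does not declare the boot keyboard protocol is not caught.
HID, KEYBOARD_PROTOCOL = 3, 1

# Constructed sample in the layout of `lsusb -v`; not captured from the stick in the post.
SAMPLE = """\
Bus 001 Device 002: ID aaaa:0001 Constructed Desk Keyboard
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 004: ID bbbb:0002 Constructed Promo Stick
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 005: ID cccc:0003 Constructed Flash Drive
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 006: ID dddd:0004 Constructed Composite Stick
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

DEV_RE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})")
FIELD_RE = re.compile(r"^\s+bInterface(Class|Protocol)\s+(\d+)")

def parse_interfaces(text):
    """Map each device ID to a list of (class, protocol) pairs, one per interface."""
    devices, current = {}, None
    for line in text.splitlines():
        if m := DEV_RE.match(line):
            current = devices.setdefault(m.group(1), [])
        elif (f := FIELD_RE.match(line)) and current is not None:
            if f.group(1) == "Class":          # a new interface descriptor starts here
                current.append([int(f.group(2)), None])
            elif current:                      # protocol belongs to the latest interface
                current[-1][1] = int(f.group(2))
    return {dev: [tuple(i) for i in ifs] for dev, ifs in devices.items()}

def unexpected_keyboards(text, known_keyboards):
    """Device IDs exposing a HID keyboard interface that are not on the allowlist."""
    return [dev for dev, ifs in parse_interfaces(text).items()
            if (HID, KEYBOARD_PROTOCOL) in ifs and dev not in known_keyboards]
```

The composite device in the sample shows why the check looks at every interface: a stick can present working storage and a keyboard at the same time.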


CVE-2017-0290

So the above tweet came along, but the way it was framed it was not really worth reporting, because it was nothing actionable: »I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.«

And reported and handled it was, in record time. This is now public on Project Zero, and a fix is being rolled out to all current Windows versions.


Protecting MySQL Network Traffic

Percona Live Talk by Daniël van Eeden: Protecting MySQL Network Traffic.

Warning: It is somewhat more complicated than this:


Check out the performance slide (#22), too.

TL;DR: You want a MySQL compiled against OpenSSL, because SSL Tickets and AES-NI support. YaSSL sucks, hard. With Tickets and hardware symmetric encryption, TLS support in MySQL is actually no longer slow.

TL;DR 2: MariaDB is actually pretty well positioned here.
