Slashdot Mirror


User: radicimo

radicimo's activity in the archive.

Stories
0
Comments
53

Comments · 53

  1. Re:Truth is evasive on Facebook is Rating Users Based On Their 'Trustworthiness' (engadget.com) · Score: 1

    Your solution to the elusiveness of human memory and perception is to throw your lot in with the panopticon? Really? Not that you're in favor of universal surveillance ... but you're willing to double down on a bad argument with it. Seriously?

    You have a very binary view of a world that actually runs through many shades of gray from black to white. Police body cameras are actually quite subjective. For one, the officer wearing them is responsible for starting recording. Department policy can dictate recording under a wide variety of circumstances, but at the end of the day, the officer must start recording. And can we even trust the data they produce as being untampered?

    I didn't say there is no truth. That is a strawman of your design. I just said that subjective truth is much harder to nail down than objective truth, and most of our experience is run through the lens of subjective not objective reality. Humans are quite fragile in that way, and they will continue to be so far beyond our deaths, panopticon or not.

  2. Truth is evasive on Facebook is Rating Users Based On Their 'Trustworthiness' (engadget.com) · Score: 1

    You come across as a theoretical scientist who has not much ventured into the nuanced real world of humankind.

    Please watch the movie Rashomon and then let's continue the conversation about objective truth and subjective truth.

  3. Re:Snap? on Slack Now Available As a Snap For Linux (betanews.com) · Score: 2

    Yes, but didn't you read? This one is the *universal* Linux app packaging format.

  4. Re:It happens to be a slow news week on How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com) · Score: 0

    Why would I lie about this? You're just being silly and lazy. It's not a huge issue unless you are a cloud provider who shares CPU space among your tenants.
    http://web.archive.org/web/201...

  5. Re:It happens to be a slow news week on How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com) · Score: 1

    They updated it. Was a 1.5 earlier.
    http://web.archive.org/web/201...

  6. I guess technically the CVSS scale runs from 0 to 10, but still this one wallows in the bottom half of the Low classification.
    https://nvd.nist.gov/vuln-metr...

  7. It happens to be a slow news week on How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com) · Score: 0

    The whole thing is overblown. US CERT gave it a CVSS of 1.5 ... which means on a scale from 1 to 10 in severity, it didn't even break a 2.
    https://www.kb.cert.org/vuls/i...

  8. Re:DevOps is out, DevSecOps is in on Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) · Score: 1

    Architecting security into the DNA of a product instead of grafting it on half-assedly later on, if at all.

  9. DevOps is out, DevSecOps is in on Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) · Score: 1

    DevSecOps is where the industry is headed.

  10. Re:My guess on Facebook Figured Out My Family Secrets, And It Won't Tell Me How (gizmodo.com) · Score: 1, Offtopic

    i can i i everything else . . .
    facebook have zero to me to me to me to me to me to me to me to me to
    you i everything else . . .

  11. This phenomenon is real. In order to compensate, I have developed a fear of fear of missing out. Some might call me fomophobic.

  12. Just because 20% of people don't work

    Labor Force Participation rate, which is a better measure of real employment, is at 62.8% thus 37.2% of people don't work.

    https://data.bls.gov/timeserie...

  13. This is a better link to the background rather than the charts.

    http://www.shadowstats.com/art...

    Which reminds me that I also forgot about the equally squishy Birth/Death models.

  14. Take with a grain of salt and dydd, but according to John Williams @shadowstats, "long-term discouraged workers [...] were defined out of official existence in 1994" so the definition of discouraged workers is a shifting target from a historical perspective. Maybe he's a crackpot with an axe to grind, but he substantiates his arguments quite extensively.

    Another lever that BLS uses in their statistics is the "seasonal adjustment," a rather squishy concept once you investigate.

    http://www.shadowstats.com/alt...

  15. You do realize many jobs have no meaning on Bill Gates: The Robot That Takes Your Job Should Pay Taxes (qz.com) · Score: 2

    Guess you've never heard of the phenomenon of bullshit jobs.

    The issue is not that jobs used to have meaning and now they don't; most jobs in most periods have undoubtedly been staffed by people who would prefer to be doing something else. The issue is that too little of the recent gains from technological advance and economic growth have gone toward giving people the time and resources to enjoy their lives outside work.

    http://www.economist.com/blogs...

  16. Re:Cleartext on A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com) · Score: 2

    The Def Con talk is quite informative regarding tools and methods ... OS X starts around the 30:00 mark.

    https://www.youtube.com/watch?...

    He accesses memory of a running system kernel using a variation of pcileech and then uses Volatility to examine the dump. I guess the key is that "the FileVault password is stored in clear text in memory and that it's not automatically scrubbed from memory once the disk is unlocked." No need to do anything prior to OS load, except set a boot flag, and he's leveraging an earlier device called Slotscreamer. Still impressive, especially pulling /etc/shadow and pushing it back onto an encrypted drive via DMA at the end of his talk.

  17. Re:Cleartext on A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com) · Score: 1

    I find that when I extract passwords, I prefer to have them in cleartext than not in cleartext.

    Not exactly cleartext (but close):

    The password, when entered, is stored in memory as unicode. Every 2nd byte will be zero if a password consisting only of ascii characters is used. Enter a "random" phrase, not naturally occurring in memory, at the password prompt. In this example the phrase eerrbbnn is used. In memory this is stored as 6500650072007200620062006e006e

    Setting aside the device, just finding the exploit, cleartext or not, is an accomplishment. I'm not entirely sure of all the steps one would take, but I'm guessing it would involve starting with the supposition that a vulnerability like this might exist. Then writing a software tool to dump DMA memory very early in the boot process from EFI, prior to the OS, or perhaps concocting a remote EFI debugger. Does such a thing exist? If you have a memory dump, it should be possible to perform a search in something like IDA Pro for a known string such as 'eerrbbnn', whether unicode or not.

    Beyond that he performed the test frequently enough to determine "The password is put in multiple memory locations - which all seems to move around between reboots, but within a fixed memory range." So he likely had to automate his homebrew toolchain to generate enough samples to determine this.

    But still, the device is some next-level shit.

  18. Re:This was far worse than "public" scraping on LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com) · Score: 1

    The open question is: did they hijack real accounts or only crawl via fake profiles? Would like to know how command & control was handled. Based on my read, this was more than a scrape job and much more programmatic.

  19. This was far worse than "public" scraping on LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com) · Score: 1

    I've been on LinkedIn a long time and observed a few botnets in my day that operate through other vectors. This botnet was not just scraping public profiles! Keep in mind that on LinkedIn you can have a public profile and you can have a private profile (only available to your contacts).

    I would bet that these bots were LI profiles that passed for people. After all, LI bots are unlikely to be so different from Twitter bots. My guess is that this botnet used fake profiles and scraped private data that was only available to contacts in-network. Probably also crawled contact lists and tried to "link in" with all contacts of every new contact that was made. Undoubtedly a ToS violation and arguably criminal under the CFAA. Most people are promiscuous in their social networks and will accept connections without much thought. I have always tried to be very diligent about my contacts on LI -- if we didn't work together or meet in person, you're out of network, BUZZ OFF. I have seen plenty of fake profiles and recruiters try to claim a connection with me that did not exist. Recruiters are almost as bad as the bots.

    Presumably the LinkedIn team now believes they've expunged the culprits and must have enough forensic evidence to tie together a short list of IP addresses where the trail goes cold on someone else's network. Would be interested to understand more about how automated this botnet was and how C&C was implemented. Was C&C completely internal to LI using their messaging system or old-school IRC or new-school Twitter?

  20. Started this thread as AC at work earlier today. I do not want my original point to be buried in the comment system but do agree with the follow-on comments and own the Creature from Jekyll Island already. We're on the same page there.

    I work as a security professional. The criminal negligence we continue to see at all levels of government and quasi-government within the realm of "cyber security" is shocking. If Obama (and the Democratic Party by extension) is serious about cybersecurity, his AG would indict the CIO of the FDIC. There is enough evidence in the complaint to do so. It is a slam dunk.

    1. The Chief Information Officer (CIO) has created a toxic work environment, misled Congress, and retaliated against whistleblowers.

    2. The FDIC deliberately evaded Congressional oversight.

    3. The FDIC has historically experienced deficiencies related to its cybersecurity posture and those deficiencies continue to the present.

    The China part of the story is a distraction by the propagandists. Lawrence Gross appears guilty of criminal behavior as much, if not more, than the Chinese. As I first read the report, I thought this man should no longer have his job and should be blackballed. The more I read, the more I thought it requires an indictment. Doubt it will happen, but if nothing else FISMA violations and lying in sworn testimony to Congress should result in penalties of a high order. He apparently chased off all the people at FDIC who gave a shit about security. WTF?

  21. Re:FinFisher on Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com) · Score: 5, Interesting

    It's likely that the same person who took down FinFisher took down HT. Maybe he adopted the name FinFisher as a badge of honor? Here's an example of his previous writing. http://0x27.me/HackBack/0x00.t...

  22. Re:Printer with public internet ip? why? on Hacker Weev Admits To Hacking Printers To Spew Racist and Anti-Semitic Messages (softpedia.com) · Score: 2

    My bad. Actually, he articulates in the article that he used masscan and not Shodan.

  23. Re:Printer with public internet ip? why? on Hacker Weev Admits To Hacking Printers To Spew Racist and Anti-Semitic Messages (softpedia.com) · Score: 1

    >only a brute force scan of the net for addresses with an open port 9100

    Still giving him too much credit. Probably just searched in Shodan for those addresses.

  24. Re:Not very secure on Security Researcher Goes Missing After Investigating Bangladesh Bank Cyber-Heist (softpedia.com) · Score: 3, Informative

    To be precise, it was a "CNG auto-rickshaw" ... doubt he felt he was in any danger until the moment they whisked him off. From the run-around his family got by the local constabulary, it sounds as if the local police are part of the rendition, if no more than serving as an obstruction for someone else.

  25. Has to be the largest single heist attempt ever, though perhaps pales to the systemic pillaging that Kaspersky mentioned last year. ... and they would have gotten away with it too if it wasn't for those meddling keys.