sylver_dragon

Edit: Here is another tinfoil theory: the windows security subsystems special cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/codesigning etc. By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?

Ya, I’d bet on something similar. According to the CVE, the vulnerability is around “Improper link resolution before file access”. My bet is that there is something hardcoded somewhere which assumes the existence of this folder. If it doesn’t exist, this can let the attacker get something in place which then gets executed with SYSTEM permissions, leading to privilege escalation. Not the worst thing in the world, for most users. But, it would be a problem in an enterprise environment where part of the security model is users not having local admin.

Move fast and break things!
“Things” in many cases includes “security”.

So, he finally took Andrew Llyod Webber’s advice from Jesus Christ Superstar and popped into the age of mass communication.

This is why many communication options these days advertise that they are encrypted.

Like Signal. You know, the app they were using, as was mentioned in the article, multiple times. You did read the article, right?

It’s also not really a bug. It’s just understanding that whitespace characters are often ignored and can be used to push a command past the end of the textbox in the “edit shortcut” form. I’m not sure I really see a fix for it either. Granted, I think always showing file extensions would be a good start; but, that horse is so long out of the barn it’s grown old and died in the woods. Much like hyperlinks, I think people just need to learn to be careful where they put their click.

You could create one with the normal shortcut editor, which is built right into Windows. As for considering Windows a risk, well yes it is.

This is going to be a teaching moment for cyber security.

This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could login to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.

That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me for what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who is running splunk locally, feed all my logs into it and have dashboards setup (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.

I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:

While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible.

The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20 character, random string of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if you password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That’s bad, m’kay.

I was introduced to it when it was still Hero’s Quest (and EGA)

This is the version I always play. There’s something just “right” about the EGA graphics and text parser. A clicky interface will never replicate:
Hut of brown, now sit down

There’s probably a lot of nostalgia in the choice, but my all time favorite game is Quest for Glory: So You Want to be a Hero. The game was just the right mix of fantasy, adventure and humor for a young me, and I still go back an play it about once a year. A close second is Valheim. It’s kinda my “cozy game”. I find building and exploring relaxing, and there’s enough fighting to keep the game from getting boring.

Sounds more like a feature than a bug.

We dun fucked up when we made tarring and feathering CEOs illegal.

This is exactly the problem, they have no accountability for bad updates causing hardware to become unusable. So, Q&A just becomes a needless expense and untested firmware is dropped on users. Sure, you could try and sue, or more likely get fucked by a binding arbitration clause. But, the cost would be far beyond what the device costs. So, it never makes sense. There need to be fines when this shit happens, which are significant percentages of worldwide revenue, to scare companies into actually testing updates before they are released.

In the end, all we can do is shake our heads and remind folks to never buy HP. They put out great products 30 years ago, but those days are long gone. Now, they just put out crap.

I think the most surprising thing here is that 60% of networks don’t allow any/any. I swear, the number of devs I’ve had to convince that they don’t actually need to plop their MySQL backend on the open web, to allow their web front end to reach it, is way higher than it should be. Folks moved their workloads to “the cloud” and decided that we needed to internet like it was 1999.

This is what I mean by my constant insistence upon “moderation” in government. Should any political party attempt to abolish social security, unemployment insurance, and eliminate labor laws and farm programs, you would not hear of that party again in our political history. There is a tiny splinter group, of course, that believes you can do these things. Among them are H.L. Hunt (you possibly know his background), a few other Texas oil millionaires, and an occasional politician or business man from other areas. Their number is negligible and they are stupid.
– President Eisenhower

It seems that this is going to be put to the test.

Kinda makes sense. Microsoft Teams fills the same space and Skype hasn’t been P2P for a long time. Other than the brand, there’s nothing really left of Skype anyway to turn off.

Once again, Google make positive changes for their customers.
You the user of the browser are not the customer, you are the product. Advertisers are the customer and the Chrome Browser is the cattle feed they use to keep you fat, dumb and happy for the customers.

The honeymoon period is slowly coming to an end. We’re just about to reach the bleary eyed, “what the fuck did I just do?” period.

At least on Android (I’d assume iOS does it as well), you can set Do Not Disturb (DND) to turn on and off automatically, based on the time. You can also designate certain contacts to be allowed to bypass DND, so the phone will ring normally. I setup DND a long time ago, because I don’t want to be bothered by random shit while I am trying to sleep. However, my job is such that I might reasonably be called at 03:00 and need to roll my arse out of bed and start working. So, the number they call from is set to bypass DND. My elderly mother and brother are both similarly set to bypass. It all works out quite well and if some random marketer figures out my number and calls in the middle of the night, I don’t get woken up to talk about my car’s warranty.

It makes little sense why it works on an offsite WiFi, but not mobile data.

I’d agree with unbuckled above, it’s a DNS issue. If your mobile device is capable, use nslookup or dig to see what responses you are getting in different scenarios. It’s possible that your VPN software is leaking DNS queries out to the mobile data provider’s DNS servers while you are on mobile data and only using the correct DNS settings when you are on wifi. Possibly look for split tunnel settings in the VPN software, as this can create this type of situation.

You can also confirm this from the pihole side. Connect to the VPN via mobile data and browse to some website you don’t use often, but is not your own internal stuff. Then open the query log on your pihole and see if that domain shows up. I’d put money on that query not showing in the pihole query log.