• 0 Posts
  • 54 Comments
Joined 2 years ago
Cake day: June 7th, 2023

  • Never mind recent motherboards, I’m still salty about the era of boards from 2004-2010 or so which had USB ports but the BIOS would refuse to accept inputs from them until after POST so you’d have to dredge up a separate PS/2 keyboard and jack it in to be able to configure the damn thing or use the boot menu.

    Had one of these in a server rack. Which was all kinds of fun because the rack KVM was USB. We ultimately just left the PS/2 keyboard plugged in and sitting on top of the server in the rack. Given the shitshow which was cable management in those racks (we shared them with several departments), that keyboard was hardly the worst sin.

  • While an interesting idea, this sounds like an organization designed to separate some doofus investment manager from a lot of capital before inevitably folding because companies won’t give a damn. Sure, if we were to pass laws allowing us to hunt down anyone responsible for using blue LEDs on devices which did not specifically need blue light, and burn their eyes out with a hot poker, then such a certification might make sense. But, so long as there are no repercussions for companies making horrible design decisions, why would any company pay for a certification like this?

  • Not terribly surprising. Google would often direct me to StackOverflow threads as I was googling for an answer to a question. And as often as not, either the question was closed, or, instead of anyone providing an answer, the commenters would spiral off into questioning everything about the original question asker’s life choices. While I do get the whole XY Problem, this sort of thing seemed to be over-used on SO.

    Granted, I don’t know if AI answers are any better. Sure, they can answer a lot of the simple questions, but I’ve not seen them be useful on hard, more obscure questions. Probably because those questions don’t have ready answers on SO.

  • I understand your desire to be charitable or tempered, but this isn’t some random schmuck who made an oopsie and reused a password from a previous database hack.

    And nothing we know shows that he did that. Sure, he could have, and maybe he is that bad at security. The whole article is based on the supposition that he is reusing passwords, with no proof provided. If there’s some evidence, then sure, burn the witch. Otherwise, it’s just baseless supposition.

    This idiot has his dumb fingers in vital government systems, and the fact that he didn’t clean up his security profile before wreaking havoc says a lot about his ability to do his job safely.

    There isn’t anything he could have done about past breaches. As I said, my email is still in the HaveIBeenPwned database, not because I didn’t clean up anything, but because I can’t clean up anything. Once those creds have been published, they stay published forever. The only thing you can do is rotate any affected passwords and move on with life.

    And yes, the obvious failures on the DOGE website do speak to poor coding practices. I wouldn’t hire the guy to code anything, but I still think the article is just over-the-top muckraking trying to turn breached credentials into a story which really isn’t there.


  • I’m no fan of the folks at DOGE; but, I feel this bit is important to highlight:

    the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points.

    I know that my own credentials show up in the HaveIBeenPwned database quite a few times. I’ve had the same email address going on three decades now and have been signed up to a lot of services which got breached. The result is that you can find my personal email address and the associated password for whatever service got popped. Does that mean my own security is bad and/or my credentials for anything else are compromised? No, because I use complex, unique passwords everywhere. Yes, if you dig through the data, you can find my username and password for Dungeons and Dragons Online. And that will net you fuck all, because that was the only place I used that password.

    Honestly, this article is more an embarrassment to the person who wrote it than the person it’s about. Anyone who has had the same email address for any significant length of time and has used it to sign up to internet-based services has probably had their credentials for some of those sites compromised. Sure, the OpSec and practices of folks in DOGE have been terrible, but all we know is that this user has had their credentials from other sites and services dumped, just like every other victim of such breaches. That’s not news, nor does it reflect on the victims of those breaches. This is just a sad attempt at a hit piece, which only shows the author’s lack of ability to find anything interesting to write about.


  • ServiceNow is very much aimed at the managers. It’s good at reporting metrics like SLAs, ticket counts and anything else management dreams up to track metrics on. The interface for analysts putting data into it is slimy shit on toast. I swear, one of the questions I plan to ask the next time I’m interviewing for a job is, “What do you use for security case management?” If the answer is “ServiceNow” or “ServiceNow Security Incident Response (SIR)”, that’s going to be a mark against that company. The only thing worse than ServiceNow ITSM is ServiceNow SIR. It’s all the terrible design of ITSM, but with basic security case management features implemented by clueless idiots.

  • It’s Yahweh’s laws, but the mythology has it provided by Moses in his sermons to the Israelites. As for Christians ignoring bits of it, part of that is based on sayings attributed to Jesus in the gospels (e.g. the bit from Mark I quoted above) and also the simple fact that most religions update themselves as society changes. If anything, I think the Catholic church was smart to have a leader who could receive “new revelations from God”. It lets them update canon, while maintaining the illusion that they aren’t just making shit up to stay relevant.

  • Deuteronomy is originally from the Hebrew Bible. According to Jewish mythology, the book is from the sermons of Moses. Though, it’s believed to be much more recent (something like 1,000 years) than the time period where the figure of Moses (or the person(s) he was based on) would have existed. But, even taking Jewish and Christian mythologies at their word, Jesus had nothing to do with that rule. Also, Jesus probably meant for this rule to end for adherents of Christianity.

    Mark 7:14-23:
    14 Again Jesus called the crowd to him and said, “Listen to me, everyone, and understand this.
    15 Nothing outside a person can defile them by going into them. Rather, it is what comes out of a person that defiles them.”
    17 After he had left the crowd and entered the house, his disciples asked him about this parable.
    18 “Are you so dull?” he asked. “Don’t you see that nothing that enters a person from the outside can defile them?
    19 For it doesn’t go into their heart but into their stomach, and then out of the body.” (In saying this, Jesus declared all foods clean.)
    20 He went on: “What comes out of a person is what defiles them.
    21 For it is from within, out of a person’s heart, that evil thoughts come—sexual immorality, theft, murder,
    22 adultery, greed, malice, deceit, lewdness, envy, slander, arrogance and folly.
    23 All these evils come from inside and defile a person.”

    So, feel free to boil a young goat in its mother’s milk. Jesus is A-ok with that.


  • Edit: Here is another tinfoil theory: the Windows security subsystem special-cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/code signing etc. By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?

    Ya, I’d bet on something similar. According to the CVE, the vulnerability is around “Improper link resolution before file access”. My bet is that there is something hardcoded somewhere which assumes the existence of this folder. If it doesn’t exist, this can let the attacker get something in place which then gets executed with SYSTEM permissions, leading to privilege escalation. Not the worst thing in the world for most users. But, it would be a problem in an enterprise environment where part of the security model is users not having local admin.