December 8, 2022

bad news

        December 8, 2022

December 8, 2022

molly conger @socialistdogmom
ok never mind it was all worth it just to accidentally stumble across this exchange between a judge, a prosecutor, and a federal agent where only the judge knows who biggie smalls is 
3:26 AM ∙ Dec 5, 2022
16,514Likes4,376Retweets
-
The Info Op is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

-
Eric Pellegrino @ericsshadow
[burglar gently waking me] you live like this?6:01 AM ∙ Jan 15, 2016
57,785Likes35,610Retweets
-
Amnesty International Canada target of sophisticated cyber-attack linked to China https://amnesty.ca/news/news-releases/cyber-breach-statement/

            Adam Segal: "Amnesty International Canada target of sophistica…" - Mastodon
            Amnesty International Canada target of sophisticated cyber-attack linked to China https://amnesty.ca/news/news-releases/cyber-breach-statement/

-

            James Hart: "This modified version of the famous ‘turn #chatGP…" - Hachyderm.io
            Attached: 3 images

This modified version of the famous ‘turn #chatGPT into a pretend Linux system’ prompt is also my prototype for a product that will sell millions.

            James Hart: "Nigel didn’t see this kill -9 httpd command coming" - Hachyderm.io
            Attached: 1 image

Nigel didn’t see this kill -9 httpd command coming

-
John Scott-Railton @jsrailton
NEW:  clear US policy towards mercenary spyware industry in the new #NDAA.

And it's bad news for shady spyware companies.
Quick thread of highlights from Sec 6318 of this robust bit of legislation 1/ 
4:02 AM ∙ Dec 7, 2022
272Likes116Retweets-
Propagandopolis @propagandopolis
'Support Afghan freedom fighters' — Soldier of Fortune magazine ad, 1981, calling for donations to 'pro-western Afghan resistance groups selected by the SOF staff'. 
5:23 PM ∙ Feb 9, 2022
171Likes53Retweets
And to round it out, 
A huge collection of almost every issue of Soldier of Fortune magazine:

            Soldier of Fortune Magazine : Free Download, Borrow, and Streaming : Internet Archive
            Editions of the Soldier of Fortune magazine

-
Apple to enable end to end encryption for more iCloud services, including photos and notes, starting in 2023. 

            Apple Expands End-to-End Encryption to iCloud Backups | WIRED
            The company will also soon support the use of physical authentication keys with Apple ID, and is adding contact verification for iMessage in 2023.

-
Update: 
Thanks to a reader, if you want to read the website on how to hunt deer with a howitzer, now you can. 

http://www.buckstix.com/howitzer.htm
-
Russian spies!
The Justice Department has charged a Russian spy who fed Rudy Giuliani bogus dirt on the Biden family with money laundering over his alleged attempt to secretly buy two luxury Beverly Hills condos. https://www.rollingstone.com/politics/politics-news/giuliani-russian-spy-pal-andrii-derkach-charged-money-laundering-1234643249/

            Rolling Stone: "The Justice Department has charged a Russian spy …" - Mastodon 🐘
            The Justice Department has charged a Russian spy who fed Rudy Giuliani bogus dirt on the Biden family with money laundering over his alleged attempt to secretly buy two luxury Beverly Hills condos. https://www.rollingstone.com/politics/politics-news/giuliani-russian-spy-pal-andrii-derkach-charged-money-laundering-1234643249/

-
Yesterday's Print @yesterdaysprint
The Miami News, Florida, March 8, 1959 
3:07 AM ∙ Dec 8, 2022
424Likes101Retweets
-
blackorbird @blackorbirdInternet Explorer 0-day exploited by North Korean actor APT37
blog.google/threat-analysi…
inews24.com/view/1534369
CVE-2022-41128: Type confusion in Internet Explorer's JScript9 engine
googleprojectzero.github.io/0days-in-the-w…
Sample
github.com/blackorbird/AP… 
3:03 AM ∙ Dec 8, 2022
112Likes47Retweets
-
Old tricks are new again. Scanning ssh memory for passwords. 

            Sniffing SSH Passwords | The Network Logician
            Is it possible to get someone’s password in plaintext over ssh? Yes! Surely, this makes no sense when the purpose of ssh is to prevent such a thing. Well, I’m speaking of monitoring the…

-
village fetish @botandy
me: Gary, plse hand me the vial of ultra contagious lethal virus with no known cure

Gary, who up until now has never dropped anything: ok
8:10 AM ∙ May 21, 2016
6,478Likes2,376Retweets
-
Yesterday's Print @yesterdaysprint
The Miami News, Florida, March 3, 1960 
5:19 AM ∙ Dec 8, 2022
172Likes29Retweets
-
jac0xb.sol @jacobdotsol
Oh look FTX hosted all the NFTs minted on their platform using a web2 API and now all those NFTs have  broken metadata and the links go to a restructuring website. 
4:24 PM ∙ Dec 7, 2022
2,359Likes338Retweets
-
This is such a fascinating story, and also an interesting thought problem. In 1970s there was a murder on an ice sheet floating in the Arctic. No country had jurisdiction, but the US decided to arrest and try the guy in Virginia. The part that stuck with me is, how can a jury of a dozen people in Virginia be “peers” with someone who was one of just 19 people on an ice sheet with literally nothing to do and a crazed drunk wielding a butcher knife stealing alcohol? 

            A bizarre 1970 Arctic killing and the looming problem of criminal justice in space.
            Murder will happen in outer space. This 50-year-old death on a now-melted chunk of ice shows how complicated it will get.

-
Daniel Cuthbert @dcuthbert
Brilliant piece about MI6’s top female spies. Q appeals to me a lot as a role. Top gadget maker  ft.comThe secret lives of MI6’s top female spiesFor the first time ever, SIS officers reveal why women often make the best spies for our times8:57 AM ∙ Dec 8, 2022
36Likes11Retweets
-
Denis Skvortcov @Denis_SkvortcovJust published new blog post tinyurl.com/4ua23wzv! How can you hook systemcalls in kernel on Windows 11 22H2, how does Avast Free Antivirus use it and how you can bypass Avast’s self-defense in 10 lines of PowerShell code right now? All answers are provided in the article
tinyurl.comHooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass0x00: Introduction8:29 AM ∙ Dec 8, 2022
53Likes34Retweets
-

So, a thoughtful piece here from @ciaranmartin that I'd recommend tipping off a series about the lessons we need to be thinking about from of the Optus and Medibank hacks in Australia. In particular, this post concerns the need to reexamine how we think about data breaches.

            Brian in Pittsburgh: "So, a thoughtful piece here from @ciaranmartin th…" - Infosec Exchange
            So, a thoughtful piece here from @ciaranmartin that I'd recommend, tipping off a series addressing the lessons we need to be thinking about from the Optus and Medibank hacks in Australia. In particular, this post concerns the need to reexamine how we think about data breaches.

https://infosec.exchange/@ciaranmartin/109466429318465248

Briefly, I think Dr. Martin gets a number of important points right and one important point wrong. 

Among other things, what he gets right is that we need to start having much more serious discussions about how we value the data stolen in data breaches. ("Value" economically, legally, and otherwise.) And more specifically how we need to focus much more on the nature of the data that is stolen and the practical ways in which it can result in harm tham we often currently do. Not just the headline numbers about the amounts of data taken.

What he gets wrong, (well, at least in my humble opinion) comes from the fact that he appears to assume a too-simplistic model of how data breaches produce important injury. [Note: Yes, I said the Oxford professor and first head of NCSC has an overly simplistic view of how damage is done by data leaks in cyber breaches.] Which, in fairness, is also the model many of our current governmental systems in the Anglo-American world use, especially court systems.

Dr. Martin conceptualizes the harm done from data loss by what harm can be unambiguously felt by the victim and directly clearly connected to the incident at hand. In other words, he is thinking about harm much like how a civil court operating under current law might think of it: What provable, known injury can be shown to have been directly caused by the theft of the data.
But while this is certainly an important type of harm, I believe we are increasingly coming to understand that much or most of the harm that occurs from data theft/loss is actually of a different nature. While still very real, this type of harm is not so directly demonstrable. That is due to our lack of visibility into what happens with the data after it has been stolen, the limitations that naturally apply to proving direct causation in court, and a number of other very significant factors.

While I won't go too far down this line this early Thursday morning here in Pennsylvania, let me just offer one concrete example for thought: 
How do we measure how much "harm" has resulted from the OPM theft of U.S. gov employee information by Chinese intelligence services? 
(Note: Dr. Martin raises this example as well, but doesn't really talk about in in this same context.)

Well first I'd argue that we should, indeed, must, think about the harms there broadly, and as concerning both the national security of the United States and the individuals who's data was stolen in particular. But even setting aside the new value of harm to national security--an obviously significant but hard question to answer-- how do we adequately measure the harm to individuals here? For surely, having sensitive personal secret data stolen about you by an adversary nation's foreign intelligence service does indeed inflict harm upon you personally. But how do we by conventional measures possibly value that harm? Does it matter that apparently the PRC hasn't made that info available for criminal identity theft? Do we have to consider that harm in concert with the effects of the harm produced by the theft of Anthem health insurance also carried out by Chinese intelligence? (Presumably, the two pools of information are used together in some fashion through data analysis.)    How do we put a dollar (or pound, Euro, or whatever) figure on any of this by conventional measures?

We could ask similar questions (and many of them) about a great many examples from other cases of public and private organizations that were breached. My overall point is that conventional narrow measures of direct harm don't serve us well in calculating the real value of data and the real value of its loss. And we need to start reconsidering them more broadly. Dealing with both harm to the individual and society, and assigning monetarily value to data that has been lost/stolen in both legal proceedings and in other contexts  Such that our ways of measuring harm take some account of the injuries that occur after our direct visibility into them has been lost behind the closed doors of malicious actors and in the maze of places when stolen/lost data can wind up

-
Glenn Wilkinson 🇿🇼 @glennzw
...and everyone thought hacker sitcoms would be boring! #ChatGPT

@dcuthbert @singe @thegrugq 
12:04 PM ∙ Dec 8, 2022
6Likes3Retweets

the grugq's newsletter

December 8, 2022

Adam Segal: "Amnesty International Canada target of sophistica…" - Mastodon

Amnesty International Canada target of sophisticated cyber-attack linked to China https://amnesty.ca/news/news-releases/cyber-breach-statement/

James Hart: "This modified version of the famous ‘turn #chatGP…" - Hachyderm.io

Attached: 3 images This modified version of the famous ‘turn #chatGPT into a pretend Linux system’ prompt is also my prototype for a product that will sell millions.

James Hart: "Nigel didn’t see this kill -9 httpd command coming" - Hachyderm.io

Attached: 1 image Nigel didn’t see this kill -9 httpd command coming

A huge collection of almost every issue of Soldier of Fortune magazine:

Soldier of Fortune Magazine : Free Download, Borrow, and Streaming : Internet Archive

Editions of the Soldier of Fortune magazine

Apple Expands End-to-End Encryption to iCloud Backups | WIRED

The company will also soon support the use of physical authentication keys with Apple ID, and is adding contact verification for iMessage in 2023.

Update:

Rolling Stone: "The Justice Department has charged a Russian spy …" - Mastodon 🐘

Sniffing SSH Passwords | The Network Logician

Is it possible to get someone’s password in plaintext over ssh? Yes! Surely, this makes no sense when the purpose of ssh is to prevent such a thing. Well, I’m speaking of monitoring the…

A bizarre 1970 Arctic killing and the looming problem of criminal justice in space.

Murder will happen in outer space. This 50-year-old death on a now-melted chunk of ice shows how complicated it will get.

Brian in Pittsburgh: "So, a thoughtful piece here from @ciaranmartin th…" - Infosec Exchange

Add a comment: