@SwiftOnSecurity's Threads
10 subscribers
The danger isn’t that machines will become as intelligent as humans. That in itself is not a threat postulate.
The risk is we were wrong in our anthropocentric assessment – machines didn’t need to be intelligent at all.
Mirrors do not need to think to make us hate what we see.
The risk is we were wrong in our anthropocentric assessment – machines didn’t need to be intelligent at all.
Mirrors do not need to think to make us hate what we see.
It’s always been like this.
It’s never going to be different.
Humans fearing an empowered ‘Other’ spawning arrayed subversive stories of ascendency.
We finally reckon ourselves villain in the story of Earth; and suddenly invoke a new specter.
Created by the genius of our genus
It’s never going to be different.
Humans fearing an empowered ‘Other’ spawning arrayed subversive stories of ascendency.
We finally reckon ourselves villain in the story of Earth; and suddenly invoke a new specter.
Created by the genius of our genus
Empires of men don’t need actual villains to falter and collapse.
Just someone to blame.
Just someone to blame.
Holy shit Packetbeat is amazing
Should have listened when y’all told me to not use Windows native DNS/DHCP logging. Packetbeat is the coolest fucking thing I’ve seen in years. Knew it existed but actually dealing with the power of the configuration files is wow. This is like my Sysmon obsession all over again.
Note: PacketBeat dissects full fidelity by default, and it includes “flows” data, so it seems noisy until tuned. Great documentation and the config files are super powerful with conditional statements and field filtering.
Output to file then use JSON prettyfy to tune it quick.
Output to file then use JSON prettyfy to tune it quick.
Jeffrey here is my resident corn genomics expert. That’s right I got a corn braintrust.
How is Okra going to compete with Jeff? It can’t.
This is a weird twitter account.
When the brand-new environment has security policies enabling compatibility features from two decades ago
The LM compatibility registry key is from Windows 98, to let it TALK TO OLDER COMPUTERS.
“Send NTLMv2 response only?
Wow that sounds like scary new bleeding edge technology.”
“— Wait, I’m getting – yes I’m getting new information –“
“Okay I’ve just confirmed Windows NT supported NTLMv2.”
Wow that sounds like scary new bleeding edge technology.”
“— Wait, I’m getting – yes I’m getting new information –“
“Okay I’ve just confirmed Windows NT supported NTLMv2.”
Very few tools, friendly or malicious, have any provision to understand or get past Deny permissions.
This is the kind of sysadmin-experience area that very few coders have experience to anticipate or care to invest time remediating.
This is the kind of sysadmin-experience area that very few coders have experience to anticipate or care to invest time remediating.
Because Deny overrides Allow, and coders are only anticipating needing to perform additive functions, it can blindside them.
Virus EXE can’t be killed and keeps adding itself back to Run?
Deny ‘Write Value’ access to the registry key for Everyone, then delete the entry and reboot.
Want to mess up a security tool? Add ‘Deny Read’ to the service or program files folder.
Deny ‘Write Value’ access to the registry key for Everyone, then delete the entry and reboot.
Want to mess up a security tool? Add ‘Deny Read’ to the service or program files folder.
Malware/phishing hosted on blob.core.windows.net:
google.com/search?hl=en&q…
Microsoft requires customers to whitelist blob.core.windows.net.
docs.microsoft.com/en-us/windows/…
🤨🤨🤨🤨🤨🤨🤨🤨
google.com/search?hl=en&q…
Microsoft requires customers to whitelist blob.core.windows.net.
docs.microsoft.com/en-us/windows/…
🤨🤨🤨🤨🤨🤨🤨🤨
Sorry if I got a little freaked out after getting malware download alerts from a Microsoft backend infrastructure URL...
Group Policy auditing tip:
Due to legacy administration practices and mistakes, Domain Admins can see a different list of GPOs than you.
When auditing Group Policy, request they backup all GPOs from their account and send you a ZIP.
Due to legacy administration practices and mistakes, Domain Admins can see a different list of GPOs than you.
When auditing Group Policy, request they backup all GPOs from their account and send you a ZIP.
You can troubleshoot inability to see all Group Policy Objects by opening ADSIedit, browsing to System/Policies/ and then looking for any objects you can’t expand or see properties of.
These will need to be fixed by them unless this is a specific design choice, which is doubtful.
These will need to be fixed by them unless this is a specific design choice, which is doubtful.
Microsoft’s PowerShell script they give to customers to diagnose Group Policy permissions issues with MS16-072 actually doesn’t detect this if you run it from an unprivileged account.
I wonder how Red Team could abuse this to hide GPOs from the admin console. Hmm.
I wonder how Red Team could abuse this to hide GPOs from the admin console. Hmm.
Bitcorn bitcorn.org
I have read this entire page and I still have no idea what Bitcorn is
Oh no you taydotted it
Note: I would wait for further hard written statements on this. Strict interpretation of the video conversation’s implications get very murky very quickly on what he’s trying to say here. Hold off.
Update: Provisional conclusion is a MAGA cultist took the pictures off his sister’s phone. Much more likely than penetration of Apple/Google text backup infrastructure.
Time and again, humans are routinely the weakest element in encrypted messaging, and it’s best to hold off panic.
If anything comes out of this Bezos/AMI thing, I hope the de-exotification of personal imagery and instructive in handling sextortion.
It’s unreal the amount of leverage that miscreants have enjoyed the last two decades based on digital fear. Teens. Adults.
It’s unreal the amount of leverage that miscreants have enjoyed the last two decades based on digital fear. Teens. Adults.
Although now aging as tech moves forward, this article is one of the most important things I’ve ever read that truly grounded to me the importance of pervasive digital security. It is not a value-add. It’s our duty as technologists to shepherd for others.
arstechnica.com/tech-policy/20…
arstechnica.com/tech-policy/20…
It’s not okay. It’s not okay for anyone to be a victim because they use the same tool I do, and it failed them.
Speculation: Only thing that could crash two ships of world’s premier navy is Chinese cyber.
Reality: Human factors, leadership
Everyone thinks failures in other industries are far more elaborate on the surface. But complexity is in drivers, not events.
features.propublica.org/navy-accidents…
Reality: Human factors, leadership
Everyone thinks failures in other industries are far more elaborate on the surface. But complexity is in drivers, not events.
features.propublica.org/navy-accidents…
Why do companies get continually breached due to the same bone-headed designs and security failures over and over again?
Because that is not the complexity.
The complexity are the organizational and operational hurdles in how those end-states ended up being chosen by operators.
Because that is not the complexity.
The complexity are the organizational and operational hurdles in how those end-states ended up being chosen by operators.
There is no button you can press to fix network security because technology is not the problem.
I say this over and over, but you could competently defend a network running just Vista. The logical controls, segmentation technologies, and management infrastructure all exist.
I say this over and over, but you could competently defend a network running just Vista. The logical controls, segmentation technologies, and management infrastructure all exist.
I am a god damn genius
I am a god of computer kind
Just solved two different months-long problems other departments have been having, on the same day, in just a few hours, because they asked for help, and I taught a vendor something new, AMA
If the security industry wants to support FIDO2, they’re going to need to do better than the 7th result on Amazon for FIDO2.
Anyone else notice search algorithms are trash now? It’s like I’m delegating a library search to an illiterate goon whenever I use Google these days, it just ignores my actual search.
You made me do this @Google
Google employee laptops don’t use VPN on public WiFi. They get along just fine at Starbucks or on an airplane.
It’s time to move on from the threat model of 1998.
It’s time to move on from the threat model of 1998.
Considering the fact most corporate VPNs are split-tunnel anyway, your web traffic doesn’t go through the VPN at all, most of the world has moved past this a decade and a half ago.
“I don’t work at google all our laptops are unpatched trash and IT staff have no visibility unless we’re on the full tunnel VPN.”
Hey I think I just found your -actual- problem.
Hey I think I just found your -actual- problem.
Sorry your money got stolen by wellsfargo.com because you didn’t understand how domains on URLs go from untrustworthy to trustworthy then once they switch to folder paths they go from truthworthy to untruthworthy.
A thousand people have clicked this link so far.
They’re going to click. They’re always going to click.
And our design paradigms are going to tell them it’s WellsFargo.com with a lock icon next to it.
This is not tenable.
They’re going to click. They’re always going to click.
And our design paradigms are going to tell them it’s WellsFargo.com with a lock icon next to it.
This is not tenable.
URL:
connect[.]secure.wellsfargo[.]com.auth.login.fargo-mobile[.]com
iOS Safari
vs
iOS Chrome
Note how the the address bar privileges what information is displayed.
connect[.]secure.wellsfargo[.]com.auth.login.fargo-mobile[.]com
iOS Safari
vs
iOS Chrome
Note how the the address bar privileges what information is displayed.
A K12 student has filed a Chromium bug complaining that their school's admin turned off the Chrome browser dino game
(Please don't flood this bug bug and make more work for the Chromium admins)
Tweet from 2016 where I noticed the addition of this Chrome restriction policy.
SwiftOnSecurity is your source for Full Coverage Reporting of the Chrome Dino Game.
SwiftOnSecurity is your source for Full Coverage Reporting of the Chrome Dino Game.
CHROME GROUP POLICY MANAGEMENT TIP:
You can now customize the extension installation blocked message!
support.google.com/chrome/a/answe…
{"*":{"blocked_install_message":"\n\nCONTOSO CORP EMPLOYEE: Please contact IT to have this extension added to the Chrome management Group Policy."}}
You can now customize the extension installation blocked message!
support.google.com/chrome/a/answe…
{"*":{"blocked_install_message":"\n\nCONTOSO CORP EMPLOYEE: Please contact IT to have this extension added to the Chrome management Group Policy."}}
The inability to customize this error message in Chrome WAS a major blocker in me deploying default-deny extension installation.
We don't want to stop users from doing legit work and look for other workarounds! I want them to use a browser I manage! Mad users are unsafe users.
We don't want to stop users from doing legit work and look for other workarounds! I want them to use a browser I manage! Mad users are unsafe users.
This is part of my OrgKit project, where I'm building out a complete real-world Windows and Office365 configuration regime others can look at for inspiration and see best-practices.
It’s possible this will be an inflection point for Progressive Web Apps, which do not rely on app stores, and work as a super-charged model of the original iPhone vision of websites as phone apps. HP TouchPad 2011 tried this with WebOS but was too early. en.wikipedia.org/wiki/Progressi…
In reality Website-As-An-App has a long history but I don’t have the full knowledge.
Twitter appears to be attempting to move to a PWA and have theirs at mobile.twitter.com. PWAs also work in the Win10 App Store, which will be helped by eventual move to a Chromium engine.
Twitter appears to be attempting to move to a PWA and have theirs at mobile.twitter.com. PWAs also work in the Win10 App Store, which will be helped by eventual move to a Chromium engine.
Oh no I didn’t mention Firefox OS! Web Applications have been the goal for a long time and it’s unfortunate they hit a bit before it could be realized.
Professional title protections vary by state and country. And I’m having difficulty finding any central listing.
Anyone can call themselves doctor in the United States; it’s things like Medical Doctor, Registered Nurse, and Psychologist which usually have actual protection.
Anyone can call themselves doctor in the United States; it’s things like Medical Doctor, Registered Nurse, and Psychologist which usually have actual protection.
States which have some form of legal protection for nursing titles nursingworld.org/practice-polic…
Note: A lot of occupational licensing is an anticompetitive scamming trash fire (as @senatorshoshana tweets about endlessly), I’m just interesting in prestige titles like doctor which are thought to be protected but aren’t.
I have a cold about to hit me like a freight train what should I do before I’m a blubbering mess blowing my nose into the mattress pad because I’m too exhausted to put my sheets back on.
Thanks for advice got Meth-tier Sudafed (non-PE) at pharmacy and I’ll order other things you recommended.
❤️❤️❤️❤️❤️❤️❤️❤️
❤️❤️❤️❤️❤️❤️❤️❤️
If I don’t make it through... I need you to know.
It was Corn.
I exposed the industry and they’re trying to crush me. All because I saw their tendrils everywhere. I broke away and exposed them.
Maybe they can stop me.
But they cannot stop the signal.
(which is made of corn)
It was Corn.
I exposed the industry and they’re trying to crush me. All because I saw their tendrils everywhere. I broke away and exposed them.
Maybe they can stop me.
But they cannot stop the signal.
(which is made of corn)
If you’re wondering what Kingdom Heart’s story is: Don’t bother there is literally nothing on the internet that explains it I tried. Get ready to play 100 hours of PS2 games.
Imagine translating Disney Tumblr fanfic into Japanese and then trying to make a video game out of it and that’s Kingdom Hearts.
Hey remember how we found out SSD encryption was junk and Bitlocker was relying on it and we’d all have to reencrypt our drives.
Anything happen with that.
Anything happen with that.
Don’t worry I’m sure all the executives going to China won’t mind if the encryption on their laptop doesn’t actually work.
Funny, following Microsoft @AaronMargosis team security baselines for Windows 10 would have prevented that “SSD broken encryption” thing even being a problem since they force CPU encryption.
It’s like they threat model better than I do...
docs.microsoft.com/en-us/windows/…
It’s like they threat model better than I do...
docs.microsoft.com/en-us/windows/…
Fun fact: They’re called Registry Values not Registry Keys.
Keys are the folders that contain values.
However, Keys can have Default Values that represent the Key.
Keys are the folders that contain values.
However, Keys can have Default Values that represent the Key.
Wow that’s not fun at all
Note: In common parlance, calling a Value a Registry Key is perfectly normal and it’s normally how I speak outside expert circles. You would never correct someone’s terminology. Just a weird little factoid.
Taylor Swift.
September 2014.
September 2014.
(Speakers and microphones both operate on the same principle, and yes, speakers can be used as microphones.)
"Swift says she never feels completely safe, especially when it comes to her privacy. 'There’s someone whose entire job it is to figure out things that I don’t want the world to see,' she says. 'They look at your career, they look at what you prioritize'"
rollingstone.com/music/music-ne…
rollingstone.com/music/music-ne…
