Wednesday, August 24, 2016

Extra bacony goodness - What I am reading 8/24/2016

Ars Technica - NSA-linked Cisco exploit poses bigger threat than previously thought -

An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters 8.4(5) or newer versions of ASA, it returns an error message that prevents it from working. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version. While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Messaging Protocol, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.

Since I didn't really cover this when it was first reported here is a link to a good explanation of the EXTRABACON attack.  The fastest fix I see is to change your SNMP string names.  That isn't perfect of course but it will work until the underlying problem is fixed.

The Verge - Climate Hackers: One man’s plan to stop global warming by shooting particles into the atmosphere -

I have said for years that the solution to global warming was to set off a couple nukes, and to think my friends were castigating me the other day for saying that I missed the cold war and the always imminent threat of nuclear war.

I know, another short one but I am trying to get this back on track - what a minute why am I apologizing?  I have no readers so I could literally type nonsense and it would have the same effect.

Yes, I know most of what I type is nonsense anyway but I mean it in the hjsaklhfjklsafhjaksdfhjkdsf sense.

Monday, August 22, 2016

New African-American Female Iron Man will be known as Ironheart

(Edit:  As I looked at the title I realized it appears I am complaining about the characters race or sex.  I am not.  I am perfectly fine with both.  Some of my favorite characters are Luke Cage, Rogue, and Jean Grey, and Gravedigger from DC's WWII comics.  Point being I screwed up on the title and I apologize, I was just trying to make it clear who we were talking about since I don't think everyone knows the character is changing.)

Obviously she wasn't going to be known as Iron Man (unless she is a FTM transsexual and no one has mentioned it, but I find that unlikely), but come on Ironheart.  That is like the laziest possible name.  Not only does it not sound good coming off the tongue it sounds like a cheap Jean-Claude Van Damme movie.

Personally I would have gone with something like FerroGyn which sounds cool (but is probably insulting) or something with Steel in it.  I thought about Steel Resolve but that sounds like a bad beer.  Lady Steel doesn't sound bad but I am pretty sure that there is a already a character with a variation of that name (actually there isn't according to my 30 sec google search)

I guess we have to go with Iron Maiden.  Then she can get a really ugly sidekick named Eddie and our theme will be complete.

Another option, since she is caged in the suit would be Caged Fury.

or my personal favorite Fred.  Simple easy to remember and it rolls off the tongue.  Definitely it should be Fred.

(In case you have guessed I am generally not a fan of the new Iron Man, at least from what I have seen so far.  I don't mind the female part or the African-American part but the origin, as I have heard it so far deviates to far from the tenets of the character for me. )

Thursday, August 18, 2016

Washington Post Irony Alert

From Today's Washington Post:

This particular case concerned Kurt Metzger, a (potentially former) writer and actor for her Comedy Central show “Inside Amy Schumer,” who wrote several Facebook posts about sexual assault victims.
Metzler was angry that the comedian was reportedly ousted from the club due to accusations alone rather than formal charges or a conviction. Representatives from UCB haven’t spoken out on the matter.
The post or comments?

Here is part of what he wrote, edited to remove profanity:
Guys I have just heard some disturbing news, this guy Jiff Dilfyberg is a rapist! I know because women said it and that’s all I need! Never you mind who they are. They are women! ALL women are as reliable as my bible! A book that, much like a women, is incapable of lying!
You think I would dare ask my God, Lord Jesus Christ the Nazarene to provide any “details” or “evidence” of any kind before I believe in him? Or a woman? No, because that be that would be like hammering the nails into Jesus My Lord’s feet! … Or asking for proof in a murder trial!
Anyway Jiff Dilfyberg is dangerous! So … dangerous that we can’t go to the police to report his many rapes! That would just be tooooo rapey, and the women are too brave for that. If we ask them to even merely also post a vague account of what happened before asking us to believe that would like re-raping their rape! These women are as BRAVE as they are sore!
Now for the good news! [He] … is now banned from the Times Square Art Center And Halloween Adventure! Yeah let’s see you try and rape anyone without specifically being at The Times Square Art Center and Halloween Adventure, now, you … rapist! BAM! Lady Ghostbusters! Little girl looks up at us! Tear. “I WILL go to college after all!” Don’t mention it, little girl. Just knowing I got to be part of an unthinking herd of mewling progressive cattle is reward enough!”
OK, not the most sensitive thing ever written, but not exactly incorrect in pointing out that accusations don't necessarily mean guilt.  Apparently a large number of people disagree with my assessment:
Another wrote, “TL;DR: I am privileged and have never HAD to care about/ talk about rape culture and get to be a contrarian dumbass that creates an environment where women feel unsafe and can diminish a conversation about rape culture and say ‘no, no, I’m talking just about how it’s unfair for this one guy specifically and let me tell you how to fix it’ because of my privilege.” A third wrote, “Kurt, I don’t know you, but man there is something deeply wrong with your point of view in the world.”
and from the tone the WaPo appears to agree (their editorial prerogative) BUT, then, in the same paper we have:

A father from the United Kingdom had only one defense against his daughter's accusation that he had raped her for six years: He didn't do it.
The next day, after seven minutes of cross-examination, the accuser, according to McCulloch, wavered.
"She suddenly broke and said I was absolutely right. She had made the whole thing up because she was angry with her father and wanted to teach him a lesson," McCulloch said.
She said the accuser said her father is strict and was "ruining her life," according to the blog, so she leveled false allegations based on "Fifty Shades of Grey" and other books.

Do you see the conflict here?  

Look, I am not pro-rape or anti-woman, I just want a little bit of common sense applied.  Women should be given the benefit of the doubt when they say they are raped, but that doesn't mean that men don't have a presumption of innocence.  It means take their story seriously and investigate.  If the investigation reveals the woman was raped or possibly raped - prosecute.  Then, if guilty, lock the guy up and let justice take it's course.

What I am reading 8/18/2016

Ars Technica - Cisco will lay off 5,500 employees, hoping to stay nimble -
Cisco said Wednesday that it will lay off 5,500 employees, or 7 percent of its 74,000 employees. That's less than the 14,000 predicted this morning, but still shows a company desperate to adapt to changes in business technology.
I've said this before - I have never seen a company reverse it's fortunes thru layoffs.  Not holding out hope here.

WiredJ.K. Rowling Is Releasing 3 E-Books of Secret Hogwarts History -
On Sept. 6, Pottermore, J.K. Rowling’s official portal to her Wizarding World, will release three e-book shorts on the secret history of Hogwarts. Each story will combine details from Pottermore archives with new material from Rowling to give new background on the school. So if you ever wondered how a witch becomes a portrait or longed for a biography of Care of Magical Creatures teacher Silvanus Kettleburn, you’re in luck.
Tech Crunch - Cisco and Fortinet say vulnerabilities disclosed in ‘NSA hack’ are legit -
A group calling itself the Shadow Brokers dumped data online this weekend that it claimed to have stolen from the Equation Group, a hacking team widely believed to be associated with the NSA. Firewall makers Cisco and Fortinet have now confirmed that vulnerabilities included in the data dump affected their products — a disclosure that lends credence to the theory that the Equation Group is indeed an NSA operation.
I believe the working theory now, backed by Edward Snowden, is that Russia is behind this leak.  The fact that all the tools released so far date from 2013 or earlier (or at least that is the last I read) makes me wonder if they were contained as part of the Snowden files (although you all (both of you) know my feelings on that). 

Boing Boing - The surprising spryness of fighters in 15th C armor -

We just had this discussion at the Friday night game I participate in.  In fact I think I even used the same video as proof of my point.  

Dark Reading - What Mr. Robot Can Teach Businesses About Security -

McGregor and Kazanciyan were quick to note that all of Elliot's coding tricks and social engineering are drawn from real cases. "We're not showing anything that's magical or hasn't been thought of – it's all been done in the private sector or already written," McGregor added. And they're not worried about copycats since all the hacks are essentially in the public domain already.
The technical advisors are also careful to show that hacking requires long, sometimes tedious hours and that code doesn't always work right – or in the way it was intended.
I have made the same arguments surrounding Blackhat which, while not a perfect movie by any means does demonstrate a) That hacking isn't all about magic code.  b) How much damage a properly engineered social engineering attack can do (yes, even the NSA phishing attack) c) Insider threats, and d) How often a hack devolves into a knife fight or barroom brawl.  OK, that last one maybe be a misinterpretation on my part, but you get my point.

Tuesday, August 16, 2016

Super compelling NIST goodness - What I am reading - 8/16/2016

NIST - Framework for Improving Critical Infrastructure Cybersecurity - Read this before, but we have a meeting at work today about the direction the department is going, so reviewing it again.  For your enjoyment here is the world's most boring lunch and learn discussing the framework

Buzzfeed - Juanita Broaddrick Wants To Be Believed -
In September, Clinton tweeted that every sexual assault survivor had “the right to be believed.” In November, she reiterated that “every survivor of sexual assault deserves to be heard, believed, and supported.” The following month, she was asked at a campaign event whether the handful of women who’ve accused her husband, former President Bill Clinton, of sexual harassment and assault — Juanita Broaddrick included — deserved to be “believed” as well.
The article is actually pretty fair, at least to Broaddrick.   Clinton might not think so.  The one thing I noticed was the continued references to the GOPs newly discovering concern about Broaddrick's claims, however, I distinctly remember pundits challenging NOW on their refusal to support Broaddrick and Willey back in the 90's.  Of course both cases had some serious issues at the time and got wrapped up in trying to tie the Clinton's to things like the alleged murder (officially suicide) of Vince Foster.  I am not a fan of the Clinton's so I tend to believe these accusations (the sex assaults not the murders / alien abductions etc.) could be true, but with all the problems surrounding the cases there is definitely reasonable doubt.

BBCHackers auction files 'stolen from NSA' -

In a message on file-sharing site Pastebin, Shadow Brokers describes its haul as "cyber weapons" and says it is offering programs "made by creators of Stuxnet, Duqu, Flame" - high profile forms of computer malware said to be government-sponsored.

The department Shadow Brokers claims to have stolen it from is named by security company Kaspersky as the Equation Group, which is believed to be linked to the US security services.

There is no end date for the auction, but the group says that it will send decryption instructions to the winner "when we feel it is time to end". 
I encourage everyone with a few bitcoin to contribute to this group.  Not because I believe them but because I like the idea of people wasting bitcoins.

Monday, August 15, 2016

What I am reading 8/15/2016

Ars Technica - Can 42 US, a free coding school run by a French billionaire, actually work? -
As you read these words, hundreds of students are hunched over iMacs in a massive computer lab. Most of them have little, if any, programming experience, and they haven’t paid a cent to get here.
And yet, here they sit, just 7.6 miles directly across the Dumbarton Bridge from Facebook headquarters in Menlo Park, dreaming of joining Silicon Valley’s legions of programmers. Each day, the students get new programming assignments, but there are no teachers. There is a help desk, or rather a “help” desk—which really, really doesn’t want students to ask for guidance—all in the name of “peer-to-peer learning.”

I am not one of those guys who thinks coding is the answer to everything currently wrong in the labor market, with the country, with mankind etc.  Coding is just a skill that can be valuable.  That siad I kind of like the idea of this place.  I did notice this piece of irony though:
“If we put up barriers to education with money or with backgrounds, that means there are innovative talents and individuals that are not able to have access to education. So the idea behind 42 is to create an opportunity where individuals from all different kinds of backgrounds, all different kinds of financial backgrounds, can come and have access to this kind of education so that then we can have new kinds of ideas. Because in order to innovate, you need to have new people who think differently.”
Unless you are over 30.  If you are over 30 you are a piece of shit with nothing to contribute and shouldn't bother applying.

Slashdotters on the other hand don't seem particularly impressed.

Dark Reading - Here's The Business Side Of Thwarting A Cyberattack -
Ponemon Group study data illustrates the balancing act of running a business while trying to stay secure.
The most interesting thing, in my opinion, was the perceived lack of responsibility / accountability on the part of management.  That's an argument that I have been having at work.  That if you don't have someone who is accountable for fixing issues then you don't have any way of actually getting them fixed.

The Next Web - There’s a $200k reward for anyone who proves Microsoft ripped off MS-DOS source code -

Hey, easy money right?  Everyone knows Gates stole DOS.  Right?

Infosec Island - Back to Basics: How Simple Techniques Can Thwart Complex APT Attacks -
It might seem that mitigating the risk of an APT means deploying highly sophisticated cyber security measures, out of reach of most ordinary organizations.  Not so. In fact, you can go a long way towards mitigating the risk of an APT by going back to basics: understanding the fundamentals of how such an attack is planned and deployed, and how your organization’s network structure can help or hinder such an attack.  Understanding, in short, how to reduce the attack surface you have available to malicious hackers.
These are the types of articles I like.  Short and simple.  Much like myself.  Unlike me though the article has some good suggestions.

Saturday, August 13, 2016

Today's adventures in Vancouver WA - Faux gunplay at Walmart.

Went to Carhart, then went got my haircut, and then stopped at Walmart to do some grocery shopping.  Finished up went out to the and put my stuff in the back seat.  As I am finishing up a guy walks up to me and says "Hey Buddy, give me 4.80".  

I always pay by card so I din't have anything smaller than a $20 on me.  I told him "Sorry, I don't have any cash" 

 As I am saying this he starts to step in real close and I catch a reflection on someone else behind me in the window.  

I stepped back turned my back to the car and pretty quickly put my hand in the small of my back like I was grabbing something.  Both of them stopped and I asked "Dude, do you really want to get shot for $.80"

I guess the answer was no because they both headed off into the Walmart.  Good thing too because it was a total bluff.  I used to carry all the time but I haven't for years now.  Probably a good thing I got my haircut because that always pisses me off enough that I probably looked enough like a psycho serial killer that they didn't want to try it.

I'll tell you though Vancouver is getting bad enough anymore that a CCW may be worthwhile.

Suicide Squad - can't say enough bad about the Joker

So, despite all the horrible critic reviews I went and saw Suicide Squad yesterday.

It was bad.

But, it wasn't as bad as I thought it was going to be based on the reviews so far, and I think a lot of the problems could be fixed by a little better editing.  The story is just too disjointed and poorly organized.

My main complaints -

1.  The music - Not the selection; I liked most of the most of the music itself.  It was just too upfront and in a couple cases jarring.  If they had toned the music down a little bit that would have helped a lot.

2.  Deadshot - ehhhh, the character was ok.  The bad part about him was the kept trying to shoehorn dramatic moments in and they don't fit.  First they don't fit with the story line - i.e. the "We almost made it" speech in the bar.  No they didn't.  They didn't almost do anything plus the speech was inappropriate for the group and context.  They hadn't jelled on a mission yet and hadn't really come together (actually weren't really coming together at that point) as a team yet so the speech only existed to give Will Smith a chance to be dramatic.

3.  Harley Quinn - First off, despite being psychotic, and obsessively infatuated with the Joker, which a lot of people have complained disqualifies Harley as a strong empowering female role model Harley is by far the most well developed and strongest character in the movie.   (BTW if you are trying to use murderous supervillians as your feminist icons you need to reexamine your life choices)  They wasted that.  Mostly in the same way that they did with Deadshot.  Trying to squeeze in shit that doesn't fit.  Example, the I'm quite vexxing quip.  It didn't fit and fell flat.  Her speech to Diablo in the bar was out of left field.  It was the old Harlene Quinzell poking through and could have been used for some character growth in later movies - if they had set it up first.  The list goes on.  Of all the characters in the movie though, the only two I actually liked were Harley and Captain Boomerang.  I think I only liked him because he had a couple good lines (and a bunch that fell flat) but they didn't just try and shoehorn every possible hero trope onto him.

Finally let me just say I think Margot Robie was an excellent choice to play the character.  One of the reasons the fan boys like Harley is under it all she is hot and they think hey hot damaged chick. Score!  Well Robie pulls that off.  That girl could walk thru the ugly forest wearing a bag full of dog shit and still be hot as hell.  Good call casting director.

4.  The Joker - I can't emphasize how much I disliked Jared Leto's performance as the Joker.  In fact it was so viscerally bad that I can't even describe it.  I would have far preferred the Heath Ledger Joker (although it's hard to see him staying with Harley) I also would have preferred the Jack Nickolson Joker or the Cesar Romero Joker. (BTW I hear Leto is upset with the reception of his portrayal.  Tough Shit, it sucked)  BTW - I know the title says I can't say enough bad about the Joker and so you probably expected pages of stuff here, but that title is literally true.  I can't say it because the performance was so bad it has literally impsed a mental block preventing me from describing it's awfulness.

There were a lot of other thing that added up to make this movie a bit of a disappointment, but still It's better than almost all the Superman movies (I am conflicted on Man of Steel) better by far than any of the Fantastic 4 movies and any of the Spiderman movies I have seen.  Atthis point it's kind of a wash.  I am not unhappy for having gone, but I won't go again and I would tell people to wait for the 5 dollar theatre.

Thursday, August 11, 2016

18 String Guitar

Here is something you don't hear everyday - an 18 string guitar

The single best thing about Trump being the nominee...

Watching the hoops some people will jump thru to defend him.  It is amazing how far "bedrock conservative principles" can be twisted to justify anything Trump says or does.

I am just hoping that after the trouncing in November the "true conservatives" in the Trump camp (which mainly means tea-partiers and oath-keepers) get the figurative curbing they deserve.

Yeah - I'm thinking that Ocean's 8 may be headed for disaster

I don't want to jump on the hate wagon, just because it is an all female primary cast.  I can see some potential in the movie and if Sandra Bullock can bring the Demolition Man / Miss Congeniality (not Miss Congeniality 2) vibe it can be hilarious.

Here is my problem -  Awkwafina

I watched a couple videos and this was the funniest I saw.  I'm not going to try and inflict my taste on everybody, but I didn't find her that funny.  I am betting that a lot of others won't either and it is going to drag the movie down.