Only Lao Tzu is smiling in the picture. The other 2 men are meant to be Buddha and Confucius. Buddha believed the world was Samsara, an illusion in which the wheel of suffering needed to be escaped. Confucius believed the world was meant to be overcome with discipline, ergo "sour". Why then is Lao Tzu smiling? Vinegar was not only a representation of life, but also of decay and forward thinking. Vinegar is and was made through a process of fermentation, much as wine can become a vinegar under the right conditions. In tasting what is arguably not simply vinegar but "life", one may recognize that this thinking concerned the direction the process of life may go. Tasting the product of a belief or a process is almost a theme of most Eastern philosophical writing, much as many today might stand in awe of certain technological wonders and either like or dislike the end result.
While Black Hat 2017 videos are still in my YouTube list, we are already looking at the newest Black Hat 2018 videos. I'll include many but certainly not all of them in one article. This first video, uploaded by Seunghun Han's Conference Video, is regarding Shadow Box Version 2 and highlights how: "If you use kernel-level protection mechanisms with Shadow-box v2 (for ARM), then rootkits can not neutralize it and the system, Raspberry Pi 3, will be safe."
Go back to any good science fiction film of the 80's and look at what they imagined an intelligent machine would be. Nobody asked if Terminator's Skynet was trained using sensors over predictive algorithms, or if that neural network was based on a specific data set that had been developed for something unrelated. Most artificial intelligence is machine learning directed at a very specific purpose, and while that may not sound very interesting at first glance, you might be surprised by some of what we're looking at - watch the video and... I'll be back.
No matter how you spell Berenstain Bears, there are bizarre examples everywhere of the now ubiquitous Mandela Effect that seem to defy explanation. The central theme is events that large numbers of people recall being different from what current media (mostly) can confirm. Everything from JFK's assassination to Jif peanut butter seems to be affected, so we'll dive in and try to talk a bit about the far out science that might account for some of these phenomena.
Mac users will be delighted to know that a single character can crash any existing Mac, iPhone, iPad, and even watchOS device. The character is a Telugu character from the native Indian language charset used by over 70 million people. The potential for this character to be spammed across social media is fairly high. The attack doesn't seem to affect Skype; however, the character can disable third-party apps like iMessage, Slack, Facebook Messenger, WhatsApp, Gmail, and Outlook for iOS, as well as Safari and Messages for the macOS versions.
Historically my articles have varied from intensely personal and spiritual topics to clinical technical evaluations with minimal narrative. Blogging in neutral is a bit closer to descriptive blogging, which perhaps, in spite of my narrative, is precisely how one teaches this technique. Knowing what to say without needing to elaborate is a practical exercise for descriptive blogging but to truly blog in neutral one must occasionally abandon the idea of the reader needing total clarity to get the gist of what is meant to be conveyed.
The Shadow Brokers - a group claiming to have stolen this code from the NSA. This code was included in the April 2017 Shadow Brokers dump, which was reported by Bleeping Computer on April 14th. A security researcher has ported the exploits to work on every existing version of Windows. The full article by Bleeping Computer can be found here.
Security researcher Sean Dillon, aka @zerosum0x0, ported the Microsoft Server Message Block (SMB) exploits to work on Windows versions released over the past 18 years. - CSO reporting here on the exploit vectors.
The Shadow Brokers' activities are reasonably well documented, and articles like this one from The Atlantic give an overview of their general representation by small media. The ported exploits in question were not altogether as popular as EternalBlue (used in WannaCry and related ransomware), but as there are now open source projects on Metasploit for these vulnerabilities/exploits, I suspect we'll be hearing more about this in the near future.
By the 3rd quarter of 2017, 64% of malicious email attacks contained one form of ransomware or another. These attacks are on the rise, so it seems prudent to disclose some information regarding them, and perhaps some strategies for prevention and removal. Below we'll list the top 10 ransomware attacks, and below that some specific steps that can be taken.
2017 is over and 2018 is already buzzing with thoughts about what role AI-based cyber attacks will play in an evolving landscape. To be clear, artificial intelligence has to be neither particularly clever nor significantly adept to become a nuisance. A system that can do 20 scans per hour and only bothers executing an exploit under the most exacting specifications could be set and forgotten on a server, waiting for the unsuspecting visitor. If such a system targeted either a given IP range, a specific OS, or even a set of SSH keys that hadn't been changed from their defaults, it could prove devastating with very little functional intelligence.
Enterprises often require that their IT teams have no access to data kept inside the machines they administer, a separation that is crucial for compliance, privacy and defense in depth. To this end, industries use VMware's rich security model to separate the infrastructure domain from the guest machine domain. For example, most companies allow their IT teams to create, modify, backup and delete guest machines, but deny them guest machine operation functions such as file manipulation and console interaction. ~ By Ofri Ziv
Everything you know about hacking is probably going to change soon. Spectre and Meltdown are "among" the first vulnerabilities that potentially make use of weaknesses in isolation layers, layers that generally are protected from programs that might try to bypass them through more conventional exploitation. The x86 addresses and sinkholes, which are only documented by the manufacturers of processors in ways that read like censored encyclopedias, are in fact being documented in the wild by a few hackers, if not many. This means that anyone who knows how to fuzz a processor's microcode and has enough time on their hands can in point of fact find exactly the kinds of exploitable snippets of microcode that would make use of vulnerabilities like the ones we are discussing.
Ancient scholars would debate endlessly about all things theoretical. They could imagine the factual basis for their arguments was completely valid, thanks mostly to confirmation bias. It happens once in a while that people come to such erroneous conclusions about things in the modern age, especially things like this. Many of you neither know nor care what a kernel even is, but it is an essential component of your computer's operating system that determines how your machine will present your requests to the processors, memory, or controlled devices. It does little things like running device drivers either within itself or outside of itself in user space, determining where file systems are accessed, and holding the modules that communicate through it. This topic actually gave rise in the 1970's to a debate that continues to this day, over whether it is better to use a microkernel or a monolithic kernel. Many of those debating still rely on the same arguments in spite of decades of minor changes that pretty much negate any significant difference between these subsystems as anything more than a happenstance.
2017 is drawing to a close, but in this season it is not uncommon to find exceptional gems when you least expect it. In this case I was surprised and delighted to receive this Amazon Fire HD 10 from my sweetheart for Christmas. I had no idea what to expect, as I hadn't even looked at the Fire's specs due to its branding. I remember my original generation Kindle Fire had impressed me a great deal. Several tablets since then have surpassed that experience, and to my delight this one has as well.
*Picture somewhat unrelated to content
2017 is nearly over, and my friends and luscious followers... I have opinions. Dear God, I've been making money online since 2010, and it still always becomes about looking back at what went wrong or could have gone better. I sold some books, but has anyone ever sold nearly enough books to be happy about it? I've sold services, but again I'd have loved to have done 20 times the volume that I have done. Is it marketing to the poor, or is it something else? Something harder to spot?
Arguably one of the hardest aspects of regulatory control in 2017 has been Net Neutrality, the often misunderstood regulation that in some ways was meant to protect current internet users from price hikes and data preferences, as potentially costly data types like movies have up until now been considered data with no bias. What this means is that an ISP like Comcast could now charge more for faster streaming of some types of data, websites may have to pay more to be fast enough to get the same speeds as sites like Amazon, Verizon could offer those few measly Gb of data per month at 56 Mb per second, etc., with nothing preventing such unsavory practices except for their competitors.
Kaspersky Labs has a rich history as the maker of the world's first true antivirus product. The company introduced heuristics-based antivirus ages ago and long before any of its competition. The company is based in Moscow and has operated well above the expected standard for a normal antivirus product. So why has the US government banned its use recently? Are they really working with the Russian government? Where is the evidence?
Litecoin shot up over the last few days, giving rise to the uninformed masses (many of whom were journalists) once again berating Bitcoin as something that will inevitably fail, with articles claiming that "pump and dump" is the future of bitcoin and that it is valueless because it is based on "nothing." Fiat money has been in circulation since 1000 AD and has no intrinsic value. Its first recorded use was in ancient China, and every single US dollar is a form of fiat money since we abandoned the gold standard in 1971. Credit cards are literally a system of debt at interest against valueless fiat currency, and at a fixed rate against even more valueless currency; even that still seems to be going strong.
Let's consider this more of a "heralding of the next big small thing." As I write this I am less than 2 feet away from my original generation Latte Panda, which has left me so impressed that I was actually skeptical of the notion of any real improvement being possible on a device of this scale. I use single board computers for a wide variety of tasks; most of those tasks are development related but some are not. The original Latte Panda handles both quite favorably by utilizing an Intel Cherry Trail chipset, 64Gb storage, and 4 Gb RAM. Mind you, this device physically sits on top of my phone sometimes, so those specs are astonishingly good.
Newcomers to GNU, Linux, and BSD operating systems will want very specific instruction regarding the installation of an operating system for their own specific PC, laptop, or device. However, many variations exist due to the variety of BIOS, UEFI, and other similar systems. Fortunately the process doesn't change much, and this guide can act as an overview of the process itself. This process is almost identical to installing to an SD card, but SD cards require an .img file rather than an ISO. A tool called Win32 Disk Imager is preferable for writing to SD cards. This process from Linux requires slightly different tools, but those tools exist on the Linux systems themselves, i.e. USB Image Writer on Linux Mint vs Rufus etc.
Some of the challenges of breaking into information security as a career involve finding the right resources. Fortunately it is becoming easier, and with the right mentality you can avoid becoming a pseudo expert by learning the real fundamental skills needed to keep up with the constant evolution of a challenging field.
In recent weeks we've heard how fuzzing is good for Linux, and how security professionals are posing dangers to the Linux kernel's functionality. Both of these statements were entirely fair, and both were from Linux creator Linus Torvalds. His instruction to "Do no harm," perhaps requires an overview of how security implementations often disable useful services, change commonly used protocols, and similarly can "complicate existing infrastructures" in ways that can lead to general avoidance of use. From a developer's point of view, security is just one small aspect of a much larger picture. From a security perspective, it is a landscape full of weaknesses that were caused by poor planning by developers.
How many times have you seen the list of updates on any given OS and wondered what went wrong? Security patches, bugfixes, upgrades, and even some of the stuff you know you aren't using seem to just need constant babying to stay operational. Chances are you are using an x86 or x86_64 machine, but even on ARM there are plenty of updates - just a bit less often. The reason, which many of you don't really hear about, is kind of a neat story.
Courtesy of Wikipedia
We've all been responsible for something at some point. Website admins, Linux system admins, bake sale operators? Whoever you are, you have undoubtedly had at least one experience where something was organized neatly for a reason and someone came along and screwed it up royally by being ID 10 T. In new systems this isn't a massive problem, but on established systems someone with the wrong privilege can ruin quite a bit, and quickly. Admins go to great pains to prevent this by believing in education until that fails - which it does in dramatic and costly ways.
Imagine for a moment you are keying up a serious computer with real muscle. One of those fancy $40,000 Puget Systems jobs. You log in to a server and see a distributed network waiting for a command. Everything is pristine; a controller GUI - no, even better, a CLI list in front of you shows which resources on which machine are just waiting for your command. Now of course the question becomes, "Which process on which machine do you actually need to do what?" If what you needed was to solve a massive resource issue, you might need to break it into components and let the machine solve it in parallel.
Whether you prefer Windows or Linux there are steps you can take to improve your system's security and network topology. Step 1 is always information gathering, and that is true of your host system as well. No matter if you are a Pen Tester or just feeling anxious about people sniffing around your PC, these tools help.
Before I go any further I want to say this device gets a well deserved 4.5 out of 5 in my rating system, which includes speed, reliability, user friendliness, power consumption, and price. While slightly more expensive than a Raspberry Pi 3, it is hands down a better PC replacement in my opinion. It would be suitable for a very wide range of devices and certainly exceeded my expectations in every way.
I've rated this device a perfect 5 out of 5 for its exemplary performance and will list its specs below.
Processor: Intel Cherry Trail Z8300 Quad Core 1.8GHz
Operating System: Pre-installed full edition of Windows 10
RAM: 4GB DDR3L
Storage Capability: 64GB
GPU: Intel HD Graphics, 12 EUs @200-500 MHz, single-channel memory
One USB3.0 port and two USB 2.0 ports
WiFi and Bluetooth 4.0
Built-in Arduino Co-processor: ATmega32u4
Video output: HDMI and MIPI-DSI
Onboard touch panel overlay connector
Supports 100Mbps Ethernet
GPIO: 6 GPIOs from Cherry Trail processor; 20 GPIOs from Arduino Leonardo; 6 Plug and play Gravity sensor connectors
Power: 5v/2A
Dimension of board: 88 * 70 mm/ 3.46 * 2.76 inches
Packing Size: 110 * 94 * 30 mm/4.33 * 3.70 * 1.18 inches
N.W.: 55g
G.W.: 100g
If you are dual booting Windows and Linux, chances are that at least once you've been greeted with a broken bootloader, a BusyBox prompt, or an ash shell. If you happen to be dual booting a Debian, Ubuntu, or related distro, you can actually fix your bootloader with ease by booting the installer again and running the following from a terminal:
In recent years I've had the opportunity to test and use many of the Linux distributions centered around information security. To be clear, what I'll be doing in this article is evaluating overall impressions of each distribution, and not the specific tool sets. Many of the tools are suited to many IT tasks and might be confusing to use as a basis for comparison, especially considering they can generally be added to other distributions of Linux. Our evaluation will include overall performance, ease of use, adaptability, and scale, as these are the important factors to consider when selecting a tool for protecting an infrastructure.
Hypothetical scenarios can be annoying when they aren't realistic, but have you ever wondered what you would do if you only had one laptop/PC and it fried? How badly would you be set back? Many people deal with this scenario without the added pressure of having anything painfully important to do online, but some have no alternative but to try to get by, at least for a while, on nothing but an Android device. Lucky for them, and possibly for you, that isn't nearly as bad as you might think.
Mashable mentioned in an article that Google is looking for hackers to participate in their challenge. The goal is of course to pay out $1000 in addition to the reward from any given app exploited and reported. To quote the article: "Here's how it works. If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer."
As an example of what they might expect - I'll offer the following:
Whether you are just looking for something to do with a weekend, or are trying to get enough experience with testing to start a career in Cyber Security, practical exercises can be hard to come by. I'll share a few videos here and make a few suggestions, and depending on the questions we get this might become a regular feature here.
Originally posted on my last website version and still accurate as my assessment.
If you haven't begun investigating bitcoin because you weren't sure where to begin, a good place might be Coinbase. It is a fairly typical exchange with PayPal access and stringent security that is user friendly enough to get started with.
One of the reasons we like Coinbase is their ability to accept small payouts from experimental mining like small scale cloud mining. Cloud mining involves purchasing hashpower and allocating it to a specific cryptocurrency like litecoin, bitcoin, ethereum, etc.
On a small scale a $30 investment tends to pay out small change daily, but as time goes by some of these allocations can add up/add to other small scale mining efforts. In an article next week we'll probably be going over how to build a small bitcoin mining rig.
Between its uses for security and visualizations, there are more handy snippets of Python than I can keep track of. It has become my favorite language for scripting, and possibly for programming in general. I use it constantly. I wanted to include some useful snippets here that you might enjoy; some will be in PDF format, and I will add more as time goes by.