Softpanorama

Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)
Bigger doesn't imply better. Bigger often is a sign of obesity, of lost control, of overcomplexity, of cancerous cells

Adapting Windows for needs of system administrators

News

Unix Command Line Tools and Unix protocols (X11, NFS) in Windows

Recommended Books Recommended Links Microsoft Windows Keyboard remapping

Microsoft IntelliType Macros

Windows Powershell

Windows Slow Startup and Shutdown Windows 7 XP mode Windows 7 Tips Controlling path in windows 7 Burn ISO Images Natively in Win7 Windows Process Viewers Windows Data Recovery
Windows XP Windows XP Slow Startup and Shutdown Reinstallation of Windows XP Performance tuning exFAT Formatting partition as exfat in windows 7 Selected Utilities
Windows 10     Windows 8 Tips Windows 8    
Windows bulk file copy tools Hard drive Click of Death crash recovery Windows Terminal Services Network Tools for Windows Free Registry Tools    
Windows Keyboard and Mouse Utilities Clipboard managers Macrorecoders and Keyloggers Microsoft IntelliType Macros Keyboard remapping Recovery Unable to Access Hotmail or Microsoft account
Undeleting files under Windows Norton Ghost Alternatives to Norton Ghost FAT32 Partitions Data Recovery Resizing Windows partitions Fighting spyware Windows Integrity Checkers
Alternatives to Norton Utilities Windows Powershell WSH Scripting in Windows      
Working with ISO Images Office NetDrive Windows Security Windows Tips Humor Etc

Introduction

Microsoft is the king of software complexity and Windows becomes more complicated with each new version. Features get added. The UI gets "improved". Privacy disappears. Security gets tightened.  Windows 10 is this respect is a disaster and I do not recommend upgrade to it from Windows 7 unless you are using your PC purely for entertainment.

Typically in enterprise environment you get Windows laptop with the "'standard" for a given enterprise version of Windows (typically one version down  from the current). Now you need to adapt it to the needs of system administration. Which is challenging, especially if you administer mostly Unix/Linux servers.

Windows 7 is also not without problems and in comparison with XP SP3 was the fist OS when Microsoft went (slightly) downhill and while all features were provided without significantly increasing power consumption or decreasing performance it essentially accomplished little over Windows XP. As for the ease of recognizing, recognizing and working with new devices was a definite step back. It was far more capricious.  Propensity to self-destruct with age in this version of Windows is less pronounced then in case of Windows XP

Windows 10 marks at important stage in Microsoft OS development -- Microsoft lost control of the complexity and was essentially buried under avalanche of created complex subsystems and wrong architectural decisions. The removal off start menu was probably the greatest blunder. This is the first in a long line of Microsoft operating systems which can be called one step forward -- two steps back.  Problems with subsystems due to patches are systemic. Looking at system messages log gives impression that in Microsoft left hand no longer knows what right hand is doing and no amount of testing now can help.

As touch is unimportant for a laptop and mostly useless for desktop,  I will also say that a decent Windows 7 laptop still holds it own against newer version of Windows (both 8.1 -- the most common in  enterprise environment as of 2017, and Windows 10). Also with Windows 10 Microsoft became really intrusive in privacy space.  In customer version starting from Windows 8 the default is to login to your Hotmail account.

One interesting feature of Windows that makes it more Unix like is Powershell which is modelled on Korn shell.

Another is possibility to install Ubuntu or OpenSuse in Win 10 Install the Linux Subsystem on Windows 10

The most important enhancements

This page contains the recommendations for the enhancement "default" Windows installation  with some additional, mostly command line, utilities.  Sometimes your corporate policy is restrictive and you need to jump through the hoops to get those listed below. In some case may be installing Virtual Machine with Linux might be the path of less resistance.

Anyway here is the recommended list:

  1. Get the best keyboard and mouse and set of supporting drivers/applictions you can: Capral tunnel syndrome is a real threat for sysadmins, especially if you are over forty.
  2. Get good terminal emulator and file transfer program. Terminal emulator should be able to use different backgrounds for different sessions to help to avoid "performing operation of the wrong server" blunder (see Sysadmin Horror Stories). Macro capabilities are a plus as they allow you to automate routine tasks. 
  3. Install Cygwin.  It provide Unix command line tools. 32 bit version recommended: Teraterm does not work correctly with 64-bit versions.  Please note that In Windows 10 you can install Ubuntu of OpenSuse as well, but they have some limitations  as for access to partitions (only C partition is visible by default).
  4. Install OFM managers are really superior file manager for advanced users then Windows Explorer. Two leading OFM are Windows 7 compatible:
  5. Install better editors. For example:
  6. Create C:\Utils directory and install  archivers including  info-zip in it (Note zip and unzip are also available in Cygwin)
  7. Correct PATH env variable to include C:\Utils directory and Perl. You can use pathed.exe to do that

Some other possibilities

  1. Install tools for working with ISO
    1. Windows 10 can work with ISO archives out of the box
    2. Windows 7 support burning ISO images out of the box
    3. Microsoft Virtual CD-ROM Control Panel This is a self-extracting Zip archive. Download the file and execute it. Click Unzip and select any appropriate folder to extract the contents. Before using this tool, read the readme.txt file and follow its instructions for installation and use.
      • alternative is Virtual Clone Drive That latter utility lets you mount  not only .ISO, but also  .CCD, .DVD, .IMG, .UDF and .BIN files. Download the utility and select the necessary associations. Now you should be able to mount any ISO image by just double-clicking on the file. You can also right-click on the cd-rom drive to mount or unmount an image.
    4. You can also install ISO Recorder Power Toy  -- the tool that was popular with Windows XP. The tool that can create ISO images from CD/DVD disks as well as burn CD/DVD ISO images to media. The tool was written by Alex Feinman
  2. Install clip.exe from Windows 2003 server

    Quickly Copy Error and Display Messages

    ...copy the CLIP.EXE file from a Windows Server 2003 into your system's path (best if placed in %systemroot%\system32 folder). You can also get the file from HERE (14kb)

For Windows XP and Windows 7 only:

  1. PasswdFinder Magical Jelly Bean Similar to previous but extract passwords stored by Windows. Running it is a useul exersize. Should be done without netwroking and program should be deinstalled immediately after run. Just in case. This is an interesting exercise to see what can be stolen from your computer ;-)
  2. For windows XP only: Tweak look and feel using built-in ClearType text tuning utility by typing cttune in the Start Menu search field and opening the search result.

Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[Nov 07, 2018] Stuxnet 2.0? Iran claims Israel launched new cyber attacks

Nov 07, 2018 | arstechnica.com

President Rouhani's phone "bugged," attacks against network infrastructure claimed.

Sean Gallagher - 11/5/2018, 5:10 PM

reader comments

Last week, Iran's chief of civil defense claimed that the Iranian government had fought off Israeli attempts to infect computer systems with what he described as a new version of Stuxnet -- the malware reportedly developed jointly by the US and Israel that targeted Iran's uranium-enrichment program. Gholamreza Jalali, chief of the National Passive Defense Organization (NPDO), told Iran's IRNA news service, "Recently, we discovered a new generation of Stuxnet which consisted of several parts... and was trying to enter our systems."

On November 5, Iran Telecommunications Minister Mohammad-Javad Azari Jahromi accused Israel of being behind the attack, and he said that the malware was intended to "harm the country's communication infrastructures." Jahromi praised "technical teams" for shutting down the attack, saying that the attackers "returned empty-handed." A report from Iran's Tasnim news agency quoted Deputy Telecommunications Minister Hamid Fattahi as stating that more details of the cyber attacks would be made public soon.

Jahromi said that Iran would sue Israel over the attack through the International Court of Justice. The Iranian government has also said it would sue the US in the ICJ over the reinstatement of sanctions. Israel has remained silent regarding the accusations .

The claims come a week after the NPDO's Jalali announced that President Hassan Rouhani's cell phone had been "tapped" and was being replaced with a new, more secure device. This led to a statement by Iranian Supreme Leader Ayatollah Ali Khamenei, exhorting Iran's security apparatus to "confront infiltration through scientific, accurate, and up-to-date action."

While Iran protests the alleged attacks -- about which the Israeli government has been silent -- Iranian hackers have continued to conduct their own cyber attacks. A recent report from security tools company Carbon Black based on data from the company's incident-response partners found that Iran had been a significant source of attacks in the third quarter of this year, with one incident-response professional noting, "We've seen a lot of destructive actions from Iran and North Korea lately, where they've effectively wiped machines they suspect of being forensically analyzed."


SymmetricChaos </> , 2018-11-05T17:16:46-05:00 I feel like governments still think of cyber warfare as something that doesn't really count and are willing to be dangerously provocative in their use of it. ihatewinter , 2018-11-05T17:27:06-05:00 Another day in international politics. Beats lobbing bombs at each other. +13 ( +16 / -3 ) fahrenheit_ak </> , 2018-11-05T17:46:44-05:00

corey_1967 wrote:
The twin pillars of Iran's foreign policy - America is evil and Wipe Israel off the map - do not appear to be serving the country very well.

They serve Iran very well, America is an easy target to gather support against, and Israel is more than willing to play the bad guy (for a bunch of reasons including Israels' policy of nuclear hegemony in the region and historical antagonism against Arab states).
revision0 , 2018-11-05T17:48:22-05:00 Israeli hackers?

Go on!

Quote:

Israeli hackers offered Cambridge Analytica, the data collection firm that worked on U.S. President Donald Trump's election campaign, material on two politicians who are heads of state, the Guardian reported Wednesday, citing witnesses.

https://www.haaretz.com/israel-news/isr ... -1.5933977

Quote:

For $20M, These Israeli Hackers Will Spy On Any Phone On The Planet

https://www.forbes.com/sites/thomasbrew ... -ulin-ss7/

Quote:

While Israelis are not necessarily number one in technical skills -- that award goes to Russian hackers -- Israelis are probably the best at thinking on their feet and adjusting to changing situations on the fly, a trait essential for success in a wide range of areas, including cyber-security, said Forzieri. "In modern attacks, the human factor -- for example, getting someone to click on a link that will install malware -- constitutes as much as 85% of a successful attack," he said.

http://www.timesofisrael.com/israeli-ha ... ty-expert/

+5 ( +9 / -4 )
ihatewinter </> , 2018-11-05T17:52:15-05:00
dramamoose wrote:
thorpe wrote:
The pro-Israel trolls out in front of this comment section...

You don't have to be pro-Israel to be anti-Iran. Far from it. I think many of Israel's actions in Palestine are reprehensible, but I also know to (rightly) fear an Islamic dictatorship who is actively funding terrorism groups and is likely a few years away from having a working nuclear bomb, should they resume research (which the US actions seem likely to cause).

The US created the Islamic Republic of Iran by holding a cruel dictator in power rather than risking a slide into communism. We should be engaging diplomatically, rather than trying sanctions which clearly don't work. But I don't think that the original Stuxnet was a bad idea, nor do I think that intense surveillance of what could be a potentially very dangerous country is a bad one either.

If the Israelis (slash US) did in fact target civilian infrastructure, that's a problem. Unless, of course, they were bugging them for espionage purposes.

Agree. While Israel is not about to win Humanitarian Nation of the year Award any time soon, I don't see it going to Iran in a close vote tally either.

[Nov 06, 2018] Flaws in Self-Encrypting SSDs Let Attackers Bypass Disk Encryption

Nov 06, 2018 | it.slashdot.org

(zdnet.com) 62 Researchers have found flaws that can be exploited to bypass hardware encryption in well known and popular SSD drives. Master passwords and faulty standards implementations allow attackers access to encrypted data without needing to know the user-chosen password.

SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user's knowledge. More in the research paper .

[Nov 02, 2018] US Government Employee's Addiction to Russian Porn Gives USGS Network a Virus

Notable quotes:
"... The DOI conducts IT security training once a year, during which employees sign a statement saying they understand those rules. The employee attended those annual training events and the OIG "confirmed he agreed to the Rules of Behavior for several years prior." ..."
"... The OIG recommended that USGS step up its monitoring of employee web usage, block pornographic websites and prevent unauthorized USB devices from being used on all employee computers. It gave USGS 90 days to indicate whether it plans on implementing those recommendations. ..."
Nov 02, 2018 | sputniknews.com

A US government employee with an apparent addiction to Russian pornography is causing a headache at the US Geological Survey (USGS) after infecting their network with malware. The USGS's Office of Inspector General (OIG) released a report October 17 detailing the compromise. The employee was apparently visiting pornography sites on his government-issued laptop, which is how the malware was contracted and spread through the network.

The employee, whose name is redacted from the report, visited thousands of pornographic websites. "Many of the 9,000 web pages [redacted] visited routed through websites that originated in Russia and contained malware," the report says.

"Most of the larger porn sites are not actively trying to install malware on your device, because that would interrupt their business model of getting you to come back to the site, click and view ads, and subscribe to their premium content," web developer and technologist Chris Garaffa told Sputnik News Tuesday. "However, third-party ad networks that do not properly screen the ads they run can be exploited to serve malware along with the ad. This applies not just to porn sites but to any site with advertisements on it."

"I recommend people use a safer browser like Mozilla Firefox or Brave, along with an ad-blocker add-on like uBlock Origin to help mitigate the risks -- regardless of what content they're viewing," Garaffa added.

According to the government's analysis, a number of pornographic images were saved on an unauthorized USB device and the employee's personal Android phone, which also got infected with the malware.

USGS is under the Department of Interior (DOI), which prohibits employees from viewing or distributing pornography on government computers. Employees are also banned from connecting their personal devices to government computers or networks, another rule that was violated by the employee.

The DOI conducts IT security training once a year, during which employees sign a statement saying they understand those rules. The employee attended those annual training events and the OIG "confirmed he agreed to the Rules of Behavior for several years prior."

The OIG recommended that USGS step up its monitoring of employee web usage, block pornographic websites and prevent unauthorized USB devices from being used on all employee computers. It gave USGS 90 days to indicate whether it plans on implementing those recommendations.

According to NextGov, a number of US government agencies have had similar scandals in recent history, including the Environmental Protection Agency, the Securities and Exchange Commission, the Internal Revenue Service and about a dozen others .

Representative Mark Meadows (R-NC) has on three occasions introduced legislation banning the viewing of pornography on federal government computers, NextGov notes. It isn't clear why the bills have failed to come to fruition.

"If your employer owns your phone, computer or even just the network you're connecting to, they have the legal right to monitor, log and save records of what you're typing, what websites you're visiting, the content of the emails you send -- even on your personal accounts -- and the right to look at your screen," Garaffa said.

"Employees should effectively keep in mind that they currently have no legal right to privacy when using a company-owned device or network," he added.

[Nov 02, 2018] Stuxnet 2.0 'New Generation' of Likely US-Israeli Attack Virus Hits Iran - Sputnik International

Notable quotes:
"... Iranian Students News Agency (ISNA) then reported on Monday that Rouhani's cell phone had recently been discovered to be bugged, citing Jalali as saying that Rouhani's phone would be replaced with a more secure device. Again, Jalali made no indication as to who was believed to be behind the wire tap ..."
"... Earlier this year, Israel claimed it had accomplished a vast cyber-heist, stealing an archive that Israel claimed documented Tehran's continuing nuclear weapons program. Israeli Prime Minister Benjamin Netanyahu presented those claims to the UN in September. ..."
"... "What Iran hides, Israel will find," Netanyahu declared in his UN speech at the time. ..."
"... What kind of sick people put viruses in nuclear power stations? ..."
"... Who else could it be but one of the dirty 4, US, UK, France or Israel ..."
Nov 02, 2018 | sputniknews.com

The head of Iran's civil defense agency announced on Sunday that a new version of the Stuxnet virus, believed to be a US-Israeli creation, had been found by Iranian authorities. The announcement came amid news that President Hassan Rouhani's phone had been bugged and a call for increased defenses to "confront infiltration." "Recently we discovered a new generation of Stuxnet which consisted of several parts and was trying to enter our systems," announced Brigadier General Gholamreza Jalali, head of Iranian civil defense, Reuters reported. He gave no further details, such as whom the Iranian government believes to be behind the attack or how much damage it had caused.

The original Stuxnet virus targeted nuclear centrifuges at Iran's Natanz Uranium Enrichment Facility in June 2009, when it caused about 20 percent of the facility's centrifuges to spin out of control until they broke. It's widely believed to have been a joint creation by the US and Israel.

The Times of Israel noted that Israeli officials have refused to discuss what role, if any, they played in either Stuxnet operation.

That same day, Iranian Supreme Leader Ayatollah Ali Khamenei said Sunday, "In the face of the enemy's complex practices, our civil defense should confront infiltration through scientific, accurate and up-to-date action."

Iranian Students News Agency (ISNA) then reported on Monday that Rouhani's cell phone had recently been discovered to be bugged, citing Jalali as saying that Rouhani's phone would be replaced with a more secure device. Again, Jalali made no indication as to who was believed to be behind the wire tap .

Still, Israel seems to be name on everyone's lips. The news is only one episode in a rapid succession of moves between Israel and Iran, with Israel's Mossad intelligence agency saying on Wednesday it had thwarted an Iranian murder plot in Denmark against three members of the Arab Struggle Movement for the Liberation of Ahvaz, an organization connected to those who carried out a terrorist attack during a military parade in the Iranian city of Ahvaz on September 22, killing 25 people.

Earlier this year, Israel claimed it had accomplished a vast cyber-heist, stealing an archive that Israel claimed documented Tehran's continuing nuclear weapons program. Israeli Prime Minister Benjamin Netanyahu presented those claims to the UN in September.

"What Iran hides, Israel will find," Netanyahu declared in his UN speech at the time.

Lex W. Porter
What kind of sick people put viruses in nuclear power stations? The same kind that shoot kids with sniper rifles while their citizens watch and cheer, I guess. Straight up criminal rogue regime...

John Mason

Who else could it be but one of the dirty 4, US, UK, France or Israel who have been involved in creating global chaos.

[Oct 26, 2018] Vault 7 "Dark Matter" contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB)

Notable quotes:
"... Apple is a shit proprietary company that has somehow convinced people around the world that their product is as important as eating, and costs you as much to have an iPhone as it costs you to buy food each month. Oh but it has a camera and these really cool weather apps that cuss at you, and my selfie stick is made for the iPhone 7, but they will be coming out with an iPhone 8 soon. I sure hope my selfie stick works with it! ..."
Mar 23, 2017 | www.zerohedge.com

Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStake" are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA's "NightSkies 1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise

TheMeatTrapper Mar 23, 2017 10:20 AM

They should change the name of the company to CIApple. The millenials can then line up for them in the cold.

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

Manthong froze25 Mar 23, 2017 10:27 AM

It appears that some real patriots are blowing the lid off of the pervasive evil.

The Amendments only clarified what is the law of the land.

I F'NG WANT THEM ADHERED TO.

Start with the 4 th one and then work your way up and down.

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

JRobby brianshell Mar 23, 2017 11:05 AM Get your red iPhone! On sale this week!!!! Brand new color! Red!!!!!

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

mtl4 Manthong Mar 23, 2017 11:14 AM After seeing this, any wonder why Shillary was so stuck on using Blackberry?!

I think Blackberry really missed a huge opportunity as the anti-eavesdropping cell phone platform.

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

PrayingMantis mtl4 Mar 23, 2017 11:59 AM

... "Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008."

... time to ditch those CiApple devices ... now you know why the Canadian Blackberry was killed off the US market ... they wouldn't play the US alphabet agencies' surveillance game ...

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

brianshell kavlar Mar 23, 2017 2:21 PM Ban dual nationals in government.

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

wren Manthong Mar 23, 2017 12:41 PM

I knew it was a publicity hoax when Apple didn't want to allow the feds access to the phone that was used by the killers in the San Bernadillo Massacre. Like Apple really cares about giving your info to the feds...

Apple is a shit proprietary company that has somehow convinced people around the world that their product is as important as eating, and costs you as much to have an iPhone as it costs you to buy food each month. Oh but it has a camera and these really cool weather apps that cuss at you, and my selfie stick is made for the iPhone 7, but they will be coming out with an iPhone 8 soon. I sure hope my selfie stick works with it!

"Hi, my name is Lisa and I am in like 7th grade. Other kids in my class only have the iPhone 5, but I have the new iPhone 7. I go to school with such pathetic loooserrs. Everyone in my school is jealous of me and my new iPhone 7, cause it shows that my parents really care about me, because, you know, they spent a lot of money on me for this phone so it must show they like, really care, right?

And the other kids in school chant my name as I walk down the halls because they're like so jealous of how much my parents love me. They are jealous because I'm like really rich, really cool, and my parents really love me too."

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

WillyGroper JRobby Mar 23, 2017 1:31 PM

went to the site from SGT...interesting seeeyeyah rabbit hole runs decades back.

of course the usual suspects.

https://www.muckrock.com/news/archives/2017/mar/20/cia-waffled-promise-destroy-records/

AldousHuxley d brianshell •Mar 23, 2017 4:46 PM

Smartphone won't make you smarter when all you do on it is chatting about superficial issues.

Idiots paying $500 every year to talk to other idiots is why Apple has $700B market cap.

http://ads.pubmatic.com/AdServer/js/showad.js#PIX&kdntuid=1&p=52041

Latina Lover froze25 Mar 23, 2017 10:32 AM

In a honest country where the rule of law applies to all, USA prisons would be filled with CIA and NSA operatives. Instead, we live in a banana republic, without the bananas.

[Oct 11, 2018] Insidious propaganda attack on Taiwan manufactures by Western MSM

Oct 11, 2018 | thenewkremlinstooge.wordpress.com

et Al October 5, 2018 at 4:00 am

The Register: Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?
https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/

Who's your money on? Bloomberg's sources? Apple? Amazon? Super Micro?

####

Hit the comments. Quite a few very good points made, namely 'Why now?' (its da Chinese!) as it supposed occurred some years ago, the US breaks this kind of story when it knows it will shortly be fingered for doing the same (the US did a demo SCADA attack for the media before the STUXNET story broke), if it was done it would have only been on select machines etc. etc.

Euractiv: Apple, Amazon deny Bloomberg report on Chinese hardware attack
https://www.euractiv.com/section/cybersecurity/news/apple-amazon-deny-bloomberg-report-on-chinese-hardware-attack/

There was a headlining (which of course I cannot find now*) saying that the US is calling on the UK, EU & Japan should get together and take on China economically. Why does the might US need help? It's quite an admission. This is at the same time that the US is targeting EU companies that do business with Russia and also telling Brussels that they do not agree with its very modest proposals for WTO reform.** There's no balance. They're all over the place, no to mention their spokespersons going tonto and shooting off their mouths so casually (US NATO Amb).

The more you look at all the current revelations, who they are made by, the way they are all being fed to the press and the demands now being made, it looks more and more that the Euro-Atfantacists are making another concerted and desperate campaign to retain some sort of influence. The UK is leaving the EU. Even if it rejoins, it won't be a 'special partner'. The fact that the USA-insane Netherlands and the UK are running their stories together shows us that the target is the rest of Europe, just as outgoing Pres of the EU J-C Juncker has said that Europe's best interests are with a security treaty with Russia. BTW, Finland's Stubb is putting himself forward to replace Juncker

* et voila! US, EU should 'clean the house' and deal with China – US ambassador
https://www.euractiv.com/section/eu-china/news/us-eu-should-clean-the-house-and-deal-with-china-us-ambassador/

** US says it cannot support some of EU's ideas for WTO reform
https://www.euractiv.com/section/economy-jobs/news/us-says-it-cannot-support-some-of-eus-ideas-for-wto-reform/

[Oct 08, 2018] Hacking and Propaganda by Marcus Ranum

Highly recommended!
Notable quotes:
"... There has been an ongoing campaign on the part of the US, to get out the idea that China, Russia, North Korea, and Iran have massive armies of hackers that are constantly looking to steal American secrets. The absurdity of the US' claims is pretty obvious. As I pointed out in my book The Myth of Homeland Security ..."
"... "The Great US/China Cyberwar of 2010" is one cyberwar that didn't happen, but was presaged with a run-up of lots of claims that the Chinese were hacking all over the place. I'm perfectly willing to accept the possibility that there was Chinese hacking activity, but in the industry there was no indication of an additional level of attack or significance. ..."
"... One thing that did ..."
"... US ideology is that "we don't start wars" -- it's always looking for an excuse to go to war under the rubric of self-defense, so I see these sorts of claims as justification in advance for unilateral action. I also see it as a sign of weakness; if the US were truly the superpower it claims it is, it would simply accept its imperial mantle and stop bothering to try to justify anything. I'm afraid we may be getting close to that point. ..."
"... My assumption has always been that the US is projecting its own actions on other nations. At the time when the US was talking the loudest about Chinese cyberwar, the US and Israel had launched STUXNET against the Iranian enrichment plant at Natanz, and the breeder reactor at Bushehr (which happens to be just outside of a large city; the attack took some of its control systems and backup generators offline). Attacks on nuclear power facilities are a war crime under international humanitarian law, which framework the US is signatory to but has not committed to actually follow. This sort of activity happens at the same time that the US distributes talking-points to the media about the danger of Russian hackers crashing the US power grid. I don't think we can psychoanalyze an entire government and I think psychoanalysis is mostly nonsense -- but it's tempting to accuse the US of "projection." ..."
"... All of this stuff happens against the backdrop of Klein, Binney, Snowden, and the Vault 7 revelations, as well as solid attribution identifying the NSA as "equation group" and linking the code-tree of NSA-developed malware to STUXNET, FLAME, and DUQU. ..."
"... the US has even admitted to deploying STUXNET -- Obama bragged about it. When Snowden's revelations outlined how the NSA had eavesdropped on Angela Merkel's cellphone, the Germans expressed shock and Barack Obama remarkably truthfully said "that's how these things are done" and blew the whole thing off by saying that the NSA wasn't eavesdropping on Merkel any more. [ bbc ] ..."
"... It's hard to keep score because everything is pretty vague, but it sounds like the US has been dramatically out-spending and out-acting the other nations that it accuses of being prepared for cyberwar. ..."
"... it's hard not to see the US is prepared for cyberwar, when both the NSA and the CIA leak massive collections of advanced tools. ..."
"... My observation is that the NSA and CIA have been horribly sloppy and have clearly spent a gigantic amount of money preparing to compromise both foreign and domestic systems -- that's bad enough. With friends like the NSA and CIA, who needs Russians and Chinese? ..."
"... The Russian and Chinese efforts are relatively tiny compared to the massive efforts the US expends tens of billions of dollars on. The US spends about $50bn on its intelligence agencies, while the entire Russian Department of Defense budget is about $90bn (China is around $139bn) -- maybe the Russians and Chinese have such a small footprint because they are much smaller operations? ..."
"... That brings us to the recent kerfuffle about taps on the Supermicro motherboards. That's not unbelievable at all -- not in a world where we discover that Intel has built a parallel management CPU into every CPU since 2008, and that there is solid indications that other processors have similar backdoors. ..."
"... There are probably so many backdoors in our systems that it's a miracle it works at all. ..."
"... So, with respect to "propaganda" I would say that the US intelligence community has been consistently pushing a propaganda agenda against the US government, and the citizens in order to justify its actions and defend its budget. ..."
"... What little I've been able to find out the new Trump™ cybersecurity plan is that it doesn't involve any defense, just massive retribution against (perceived) foes. ..."
"... Funny how those obsessed with "false flag" operations work so hard to invite more of same. ..."
Oct 07, 2018 | freethoughtblogs.com

Bob Moore asks me to comment on an article about propaganda and security/intelligence. [ article ] This is going to be a mixture of opinion and references to facts; I'll try to be clear which is which.

Yesterday several NATO countries ran a concerted propaganda campaign against Russia. The context for it was a NATO summit in which the U.S. presses for an intensified cyberwar against NATO's preferred enemy.

On the same day another coordinated campaign targeted China. It is aimed against China's development of computer chip manufacturing further up the value chain. Related to this is U.S. pressure on Taiwan, a leading chip manufacturer, to cut its ties with its big motherland.

It is true that the US periodically makes a big push regarding "messaging" about hacking. Whether or not it constitutes a "propaganda campaign" depends on how we choose to interpret things and the labels we attach to them -- "propaganda campaign" has a lot of negative connotations and one person's "outreach effort" is an other's "propaganda." An ultra-nationalist or an authoritarian submissive who takes the government's word for anything would call it "outreach."

There has been an ongoing campaign on the part of the US, to get out the idea that China, Russia, North Korea, and Iran have massive armies of hackers that are constantly looking to steal American secrets. The absurdity of the US' claims is pretty obvious. As I pointed out in my book The Myth of Homeland Security (2004) [ wc ] claims such as that the Chinese had "40,000 highly trained hackers" are flat-out absurd and ignore the reality of hacking; that's four army corps. Hackers don't engage in "human wave" attacks.

"The Great US/China Cyberwar of 2010" is one cyberwar that didn't happen, but was presaged with a run-up of lots of claims that the Chinese were hacking all over the place. I'm perfectly willing to accept the possibility that there was Chinese hacking activity, but in the industry there was no indication of an additional level of attack or significance.

One thing that did happen in 2010 around the same time as the nonexistent cyberwar was China and Russia proposed trilateral talks with the US to attempt to define appropriate limits on state-sponsored hacking. The US flatly rejected the proposal, but there was virtually no coverage of that in the US media at the time. The UN also called for a cyberwar treaty framework, and the effort was killed by the US. [ wired ] What's fascinating and incomprehensible to me is that, whenever the US feels that its ability to claim pre-emptive cyberwar is challenged, it responds with a wave of claims about Chinese (or Russian or North Korean) cyberwar aggression.

John Negroponte, former director of US intelligence, said intelligence agencies in the major powers would be the first to "express reservations" about such an accord.

US ideology is that "we don't start wars" -- it's always looking for an excuse to go to war under the rubric of self-defense, so I see these sorts of claims as justification in advance for unilateral action. I also see it as a sign of weakness; if the US were truly the superpower it claims it is, it would simply accept its imperial mantle and stop bothering to try to justify anything. I'm afraid we may be getting close to that point.

My assumption has always been that the US is projecting its own actions on other nations. At the time when the US was talking the loudest about Chinese cyberwar, the US and Israel had launched STUXNET against the Iranian enrichment plant at Natanz, and the breeder reactor at Bushehr (which happens to be just outside of a large city; the attack took some of its control systems and backup generators offline). Attacks on nuclear power facilities are a war crime under international humanitarian law, which framework the US is signatory to but has not committed to actually follow. This sort of activity happens at the same time that the US distributes talking-points to the media about the danger of Russian hackers crashing the US power grid. I don't think we can psychoanalyze an entire government and I think psychoanalysis is mostly nonsense -- but it's tempting to accuse the US of "projection."

The anti-Russian campaign is about alleged Russian spying, hacking and influence operations. Britain and the Netherland took the lead. Britain accused Russia's military intelligence service (GRU) of spying attempts against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague and Switzerland, of spying attempts against the British Foreign Office, of influence campaigns related to European and the U.S. elections, and of hacking the international doping agency WADA. British media willingly helped to exaggerate the claims: [ ]

The Netherland [sic] for its part released a flurry of information about the alleged spying attempts against the OPCW in The Hague. It claims that four GRU agents traveled to The Hague on official Russian diplomatic passports to sniff out the WiFi network of the OPCW. (WiFi networks are notoriously easy to hack. If the OPCW is indeed using such it should not be trusted with any security relevant issues.) The Russian officials were allegedly very secretive, even cleaning out their own hotel trash, while they, at the same, time carried laptops with private data and even taxi receipts showing their travel from a GRU headquarter in Moscow to the airport. Like in the Skripal/Novichok saga the Russian spies are, at the same time, portrayed as supervillains and hapless amateurs. Real spies are neither.

The U.S. Justice Department added to the onslaught by issuing new indictments (pdf) against alleged GRU agents dubiously connected to several alleged hacking incidents . As none of those Russians will ever stand in front of a U.S. court the broad allegations will never be tested.

There's a lot there, and I think the interpretation is a bit over-wrought, but it's mostly accurate. The US and the UK (and other NATO allies, as necessary) clearly coordinate when it comes to talking points. Claims of Chinese cyberwar in the US press will be followed by claims in the UK and Australian press, as well. My suspicion is that this is not the US Government and UK Government coordinating a story -- it's the intelligence agencies doing it. My opinion is that the intelligence services are fairly close to a "deep state" -- the CIA and NSA are completely out of control and the CIA has gone far toward building its own military, while the NSA has implemented completely unrestricted surveillance worldwide.

All of this stuff happens against the backdrop of Klein, Binney, Snowden, and the Vault 7 revelations, as well as solid attribution identifying the NSA as "equation group" and linking the code-tree of NSA-developed malware to STUXNET, FLAME, and DUQU. While the attribution that "Fancy Bear is the GRU" has been made and is probably fairly solid, the attribution of NSA malware and CIA malware is rock solid; the US has even admitted to deploying STUXNET -- Obama bragged about it. When Snowden's revelations outlined how the NSA had eavesdropped on Angela Merkel's cellphone, the Germans expressed shock and Barack Obama remarkably truthfully said "that's how these things are done" and blew the whole thing off by saying that the NSA wasn't eavesdropping on Merkel any more. [ bbc ]

It's hard to keep score because everything is pretty vague, but it sounds like the US has been dramatically out-spending and out-acting the other nations that it accuses of being prepared for cyberwar. I tend to be extremely skeptical of US claims because: bomber gap, missile gap, gulf of Tonkin, Iraq WMD, Afghanistan, Libya and every other aggressive attack by the US which was blamed on its target. The reason I assume the US is the most aggressive actor in cyberspace is because the US has done a terrible job of protecting its tool-sets and operational security: it's hard not to see the US is prepared for cyberwar, when both the NSA and the CIA leak massive collections of advanced tools.

Meanwhile, where are the leaks of Russian and Chinese tools? They have been few and far between, if there have been any at all. Does this mean that the Russians and Chinese have amazingly superior tradecraft, if not tools? I don't know. My observation is that the NSA and CIA have been horribly sloppy and have clearly spent a gigantic amount of money preparing to compromise both foreign and domestic systems -- that's bad enough. With friends like the NSA and CIA, who needs Russians and Chinese?

The article does not have great depth to its understanding of the situation, I'm afraid. So it comes off as a bit heavy on the recent news while ignoring the long-term trends. For example:

The allegations of Chinese supply chain attacks are of course just as hypocritical as the allegations against Russia. The very first know case of computer related supply chain manipulation goes back to 1982 :

A CIA operation to sabotage Soviet industry by duping Moscow into stealing booby-trapped software was spectacularly successful when it triggered a huge explosion in a Siberian gas pipeline, it emerged yesterday.

I wrote a piece about the "Farewell Dossier" in 2004. [ mjr ] Re-reading it, it comes off as skeptical but waffly. I think that it's self-promotion by the CIA and exaggerates considerably ("look how clever we are!") at a time when the CIA was suffering an attention and credibility deficit after its shitshow performance under George Tenet. But the first known cases of computer related supply chain manipulation go back to the 70s and 80s -- the NSA even compromised Crypto AG's Hagelin M-209 system (a mechanical ciphering machine) in order to read global communications encrypted with that product. You can imagine Crypto AG's surprise when the Iranian secret police arrested one of their sales reps for selling backdoor'd crypto -- the NSA had never told them about the backdoor, naturally. The CIA was also on record for producing Xerox machines destined for the USSR, which had recorders built into them So, while the article is portraying the historical sweep of NSA dirty tricks, they're only looking at the recent ones. Remember: the NSA also weakened the elliptic curve crypto library in RSA's Bsafe implementation, paying RSADSI $13 million to accept their tweaked code.

Why haven't we been hearing about the Chinese and Russians doing that sort of thing? There are four options:

  1. The Russians and Chinese are doing it, they're just so darned good nobody has caught them until just recently.
  2. The Russians and Chinese simply resort to using existing tools developed by the hacking/cybercrime community and rely on great operational security rather than fancy tools.
  3. The Russian and Chinese efforts are relatively tiny compared to the massive efforts the US expends tens of billions of dollars on. The US spends about $50bn on its intelligence agencies, while the entire Russian Department of Defense budget is about $90bn (China is around $139bn) -- maybe the Russians and Chinese have such a small footprint because they are much smaller operations?
  4. Something else.

That brings us to the recent kerfuffle about taps on the Supermicro motherboards. That's not unbelievable at all -- not in a world where we discover that Intel has built a parallel management CPU into every CPU since 2008, and that there is solid indications that other processors have similar backdoors.

Was the Intel IME a "backdoor" or just "a bad idea"? Well, that's tricky. Let me put my tinfoil hat on: making a backdoor look like a sloppily developed product feature would be the competent way to write a backdoor. Making it as sneaky as the backdoor in the Via is unnecessary -- incompetence is eminently believable.

&

(kaspersky)

I believe all of these stories (including the Supermicro) are the tip of a great big, ugly iceberg. The intelligence community has long known that software-only solutions are too mutable, and are easy to decompile and figure out. They have wanted to be in the BIOS of systems -- on the motherboard -- for a long time. If you go back to 2014, we have disclosures about the NSA malware that hides in hard drive BIOS: [ vice ] [ vice ] That appears to have been in progress around 2000/2001.

Of note, the group recovered two modules belonging to EquationDrug and GrayFish that were used to reprogram hard drives to give the attackers persistent control over a target machine. These modules can target practically every hard drive manufacturer and brand on the market, including Seagate, Western Digital, Samsung, Toshiba, Corsair, Hitachi and more. Such attacks have traditionally been difficult to pull off, given the risk in modifying hard drive software, which may explain why Kaspersky could only identify a handful of very specific targets against which the attack was used, where the risk was worth the reward.

But Equation Group's malware platforms have other tricks, too. GrayFish, for example, also has the ability to install itself into computer's boot record -- software that loads even before the operating system itself -- and stores all of its data inside a portion of the operating system called the registry, where configuration data is normally stored.

EquationDrug was designed for use on older Windows operating systems, and "some of the plugins were designed originally for use on Windows 95/98/ME" -- versions of Windows so old that they offer a good indication of the Equation Group's age.

This is not a very good example of how to establish a "malware gap" since it just makes the NSA look like they are incapable of keeping a secret. If you want an idea how bad it is, Kaspersky labs' analysis of the NSA's toolchain is a good example of how to do attribution correctly. Unfortunately for the US agenda, that solid attribution points toward Fort Meade in Maryland. [kaspersky]

Let me be clear: I think we are fucked every which way from the start. With backdoors in the BIOS, backdoors on the CPU, and wireless cellular-spectrum backdoors, there are probably backdoors in the GPUs and the physical network controllers, as well. Maybe the backdoors in the GPU come from the GRU and maybe the backdoors in the hard drives come from NSA, but who cares? The upshot is that all of our systems are so heinously compromised that they can only be considered marginally reliable. It is, literally, not your computer: it's theirs. They'll let you use it so long as your information is interesting to them.

Do I believe the Chinese are capable of doing such a thing? Of course. Is the GRU? Probably. Mossad? Sure. NSA? Well-documented attribution points toward NSA. Your computer is a free-fire zone. It has been since the mid 1990s, when the NSA was told "no" on the Clipper chip and decided to come up with its own Plan B, C, D, and E. Then, the CIA came up with theirs. Etc. There are probably so many backdoors in our systems that it's a miracle it works at all.

From my 2012 RSA conference lecture "Cyberwar, you're doing it wrong."

The problem is that playing in this space is the purview of governments. Nobody in the cybercrime or hacking world need tools like these. The intelligence operatives have huge budgets, compared to a typical company's security budget, and it's unreasonable to expect any business to invest such a level of effort on defending itself. So what should companies do? They should do exactly what they are doing: expect the government to deal with it; that's what governments are for. The problem with that strategy is that their government isn't on their side, either! It's Hobbes' playground.

In case you think I am engaging in hyperbole, I assure you I am not. If you want another example of the lengths (and willingness to bypass the law) "they" are willing to go, consider 'stingrays' that are in operation in every major US city and outside of every interesting hotel and high tech park. Those devices are not passive -- they actively inject themselves into the call set-up between your phone and your carrier -- your data goes through the stingray, or it doesn't go at all. If there are multiple stingrays, then your latency goes through the roof. "They" don't care. Are the stingrays NSA, FBI, CIA, Mossad, GRU, or PLA? Probably a bit of all of the above depending on where and when.

Whenever the US gets caught with its pants down around its ankles, it blames the Chinese or the Russians because they have done a good job of building the idea that the most serious hackers on the planet at the Chinese. I don't believe that we're seeing complex propaganda campaigns that are tied to specific incidents -- I think we see ongoing organic propaganda campaigns that all serve the same end: protect the agencies, protect their budgets, justify their existence, and downplay their incompetence.

So, with respect to "propaganda" I would say that the US intelligence community has been consistently pushing a propaganda agenda against the US government, and the citizens in order to justify its actions and defend its budget.

The government also engages in propaganda, and is influenced by the intelligence community's propaganda as well. And the propaganda campaigns work because everyone involved assumes, "well, given what the NSA has been able to do, I should assume the Chinese can do likewise." That's a perfectly reasonable assumption and I think it's probably true that the Chinese have capabilities. The situation is what Chuck Spinney calls "A self-licking ice cream cone" -- it's a justifying structure that makes participation in endless aggression seem like a sensible thing to do. And, when there's inevitably a disaster, it's going to be like a cyber-9/11 and will serve as a justification for even more unrestrained aggression.


Want to see what it looks like? A thousand thanks to Commentariat member [redacted] for this link. If you don't like video, there's an article here. [ toms ]

https://www.youtube.com/embed/_eSAF_qT_FY

Is this an NSA backdoor, or normal incompetence? Is Intel Management Engine an NSA-inspired backdoor, or did some system engineers at Intel think that was a good idea? There are other scary indications of embedded compromise: the CIA's Vault7 archive included code that appeared to be intended to embed in the firmware of "smart" flatscreen TVs. That would make every LG flat panel in every hotel room, a listening device just waiting to be turned on.

We know the Chinese didn't do that particular bug but why wouldn't they do something similar, in something else? China is the world's oldest mature culture -- they literally wrote the book on strategy -- Americans acting as though it's a great surprise to learn that the Chinese are not stupid, it's just the parochialism of a 250 year-old culture looking at a 3,000 year-old culture and saying "wow, you guys haven't been asleep at the switch after all!"

WIRED on cyberspace treaties [ wired ]

Comments
  1. Pierce R. Butler says

    October 6, 2018 at 1:31 pm

    What little I've been able to find out the new Trump™ cybersecurity plan is that it doesn't involve any defense, just massive retribution against (perceived) foes.

    Funny how those obsessed with "false flag" operations work so hard to invite more of same.

  2. Marcus Ranum says

    October 6, 2018 at 2:28 pm

    Pierce R. Butler@#1:
    What little I've been able to find out the new Trump™ cybersecurity plan is that it doesn't involve any defense, just massive retribution against (perceived) foes.

    Yes. Since 2001, as far as most of us can tell, federal cybersecurity spend has been 80% offense, 20% defense. And a lot of the offensive spend has been aimed at We, The People.

  3. Cat Mara says

    October 6, 2018 at 5:20 pm

    Your mention of Operation Sundevil and Kevin Mitnick in a previous post made me think that maybe the reason we haven't seen the kind of leaks from the Russian and Chinese hacking operations that we've seem from the NSA is that they're running a "Kevin Mitnick style" operation; that is, relying less on technical solutions and using instead old-fashioned "social engineering" and other low-tech forms of espionage (like running troll farms on social media). I mean, I've seen interviews with retired US intelligence people since the 90s complain that since the late 1980s, the intelligence agencies have been crippled by management in love with hi-tech "SIGINT" solutions to problems that never deliver and neglecting old-fashioned "HUMINT" intelligence-gathering.

    The thing is, Kevin Mitnick got away with a lot of what he did because people didn't take security seriously then, and still don't. On a similar nostalgia vibe, I remember reading an article by Keith Bostic (one of the researchers who helped in the analysis of the Morris worm that took down a significant chunk of the Internet back in 1988) where he did a follow-up a year or so afterwards and some depressing number of organisations that had been hit by it still hadn't patched the holes that had let the worm infect them in the first place.

  4. Marcus Ranum says

    October 6, 2018 at 9:20 pm

    Cat Mara@#3:
    Your mention of Operation Sundevil and Kevin Mitnick in a previous post made me think that maybe the reason we haven't seen the kind of leaks from the Russian and Chinese hacking operations that we've seem from the NSA is that they're running a "Kevin Mitnick style" operation; that is, relying less on technical solutions and using instead old-fashioned "social engineering" and other low-tech forms of espionage (like running troll farms on social media).

    I think that's right, to a high degree. What if Edward Snowden was an agent provocateur instead of a well-meaning naive kid? A tremendous amount of damage could be done, as well as stealing the US' expensive toys. The Russians have been very good at doing exactly that sort of operation, since WWII. The Chinese are, if anything, more subtle than the Russians.

    The Chinese attitude, as expressed to me by someone who might be a credible source is, "why are you picking a fight with us? We don't care, you're too far away for us to threaten you, we both have loads of our own fish to fry. To them, the US is young, hyperactive, and stupid.

    The FBI is not competent, at all, against old-school humint intelligence-gathering. Compared to the US' cyber-toys, the old ways are probably more efficient and cost effective. China's intelligence community is also much more team-oriented than the CIA/NSA; they're actually a disciplined operation under the strategic control of policy-makers. That, by the way, is why Russians and Chinese stare in amazement when Americans ask things like "Do you think Putin knew about this?" What a stupid question! It's an autocracy; they don't have intelligence operatives just going an deciding "it's a nice day to go to England with some Novichok." The entire American attitude toward espionage lacks maturity.

    On a similar nostalgia vibe, I remember reading an article by Keith Bostic (one of the researchers who helped in the analysis of the Morris worm that took down a significant chunk of the Internet back in 1988) where he did a follow-up a year or so afterwards and some depressing number of organisations that had been hit by it still hadn't patched the holes that had let the worm infect them in the first place.

    That as an exciting time. We were downstream from University of Maryland, which got hit pretty badly. Pete Cottrel and Chris Torek from UMD were also in on Bostic's dissection. We were doing uucp over TCP for our email (that changed pretty soon after the worm) and our uucp queue blew up. I cured the worm with a reboot into single-user mode and a quick 'rm -f' in the uucp queue.

  5. Bob Moore says

    October 7, 2018 at 9:18 am

    Thanks. I appreciate your measured analysis and the making explicit of the bottom line: " agencies, protect their budgets, justify their existence, and downplay their incompetence."

[Oct 05, 2018] The SuperMicro chips problem may be an alleged use of the Intel Management Engine (or the AMD equivalent).

Oct 05, 2018 | www.moonofalabama.org

daffyDuct , Oct 5, 2018 8:35:21 PM | link

The SuperMicro chips may be an alleged use of the Intel Management Engine (or the AMD equivalent).

From Bloomberg: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

"In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips' operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board's temporary memory en route to the server's central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off."

From Wikipedia: https://en.wikipedia.org/wiki/Intel_Management_Engine

"The Intel Management Engine (ME), also known as the Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. The subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep.As long as the chipset or SoC is connected to current (via battery or power supply), it continues to run even when the system is turned off. Intel claims the ME is required to provide full performance. Its exact workings are largely undocumented and its code is obfuscated using confidential huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents. Intel's main competitor AMD has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.

The Electronic Frontier Foundation (EFF) and security expert Damien Zammit accuse the ME of being a backdoor and a privacy concern. Zammit states that the ME has full access to memory (without the parent CPU having any knowledge); has full access to the TCP/IP stack and can send and receive network packets independent of the operating system, thus bypassing its firewall. Intel asserts that it "does not put back doors in its products" and that its products do not "give Intel control or access to computing systems without the explicit permission of the end user."

[Oct 04, 2018] Despicable fear mongering by Bloomberg

Notable quotes:
"... Plus according to Microsemi's own website, all military and aerospace qualified versions of their parts are still made in the USA. So this "researcher" used commercial parts, which depending on the price point can be made in the plant in Shanghai or in the USA at Microsemi's own will. ..."
"... The "researcher" and the person who wrote the article need to spend some time reading more before talking. ..."
"... You clearly have NOT used a FPGA or similar. First the ProASIC3 the article focuses on is the CHEAPEST product in the product line (some of that model line reach down to below a dollar each). But beyond that ... Devices are SECURED by processes, such as blowing the JTAG fuses in the device which makes them operation only, and unreadable. They are secureable, if you follow the proper processes and methods laid out by the manufacturer of the specific chip. ..."
"... Just because a "research paper" claims there is other then standard methods of JTAG built into the JTAG doesn't mean that the device doesn't secure as it should, nor does it mean this researcher who is trying to peddle his own product is anything but biased in this situation. ..."
"... You do know that the Mossad has been caught stealing and collecting American Top Secrets. ..."
"... The original article is here. [cam.ac.uk] It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration. ..."
"... With regard to reprogramming the chip remotely or by the FPGA itself via the JTAG port: A secure system is one that can't reprogram itself. ..."
"... When I was designing VMEbus computer boards for a military subcontractor many years ago, every board had a JTAG connector that required the use of another computer with a special cable plugged into the board to perform reprogramming of the FPGAs. None of this update-by-remote-control crap. ..."
"... It seems that People's Republic of China has been misidentified with Taiwan (Republic of China). ..."
"... Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this. ..."
"... Where was this undocumented feature/bug designed in? I see plenty of "I hate China" posts, it would be quite hilarious if the fedgov talked the US mfgr into adding this backdoor, then the Chinese built it as designed. Perhaps the plan all along was to blame the Chinese if they're caught. ..."
"... These are not military chips. They are FPGAs that happen to be used occasionally for military apps. Most of them are sold for other, more commercially exploitable purposes. ..."
"... The page with a link to the final paper actually does mention China. However, it's an American design from a US company. I suspect we will find the backdoor was in the original plans. It will be interesting to see however. ..."
Oct 04, 2018 | it.slashdot.org

Taco Cowboy ( 5327 ) , Tuesday May 29, 2012 @12:17AM ( #40139317 ) Journal

It's a scam !! ( Score: 5 , Informative)

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html [blogspot.com]

Bogus story: no Chinese backdoor in military chip
"Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious.

Furthermore, the Actel ProAsic3 FPGA chip isn't fabricated in China at all !!

jhoegl ( 638955 ) , Monday May 28, 2012 @01:30PM ( #40136003 )
Fear mongering ( Score: 5 , Insightful)

It sells...

khasim ( 1285 ) writes: < brandioch.conner@gmail.com > on Monday May 28, 2012 @01:48PM ( #40136097 )
Particularly in a press release like that. ( Score: 5 , Insightful)

That entire article reads more like a press release with FUD than anything with any facts.

Which chip?
Which manufacturer?
Which US customer?

No facts and LOTS of claims. It's pure FUD.

(Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)

ArsenneLupin ( 766289 ) , Tuesday May 29, 2012 @01:11AM ( #40139489 )
Re:Particularly in a press release like that. ( Score: 5 , Informative)

A quick google showed that that this is indeed the chip, but the claims are "slightly" overblown [blogspot.com]

Anonymous Coward , Monday May 28, 2012 @02:14PM ( #40136273 )
Most likely inserted by Microsemi/Actel not fab ( Score: 5 , Informative)

1) Read the paper http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
2) This is talking about FPGAs designed by Microsemi/Actel.
3) The article focuses on the ProAsic3 chips but says all the Microsemi/Actel chips tested had the same backdoor including but not limited to Igloo, Fusion and Smartfusion.
4) FPGAs give JTAG access to their internals for programming and debugging but many of the access methods are proprietary and undocumented. (security through obscurity)
5) Most FPGAs have features that attempt to prevent reverse engineering by disabling the ability to read out critical stuff.
6) These chips have a secret passphrase (security through obscurity again) that allows you to read out the stuff that was supposed to be protected.
7) These researchers came up with a new way of analyzing the chip (pipeline emission analysis) to discover the secret passphrase. More conventional analysis (differential power analysis) was not sensitive enough to reveal it.

This sounds a lot (speculation on my part) like a deliberate backdoor put in for debug purposes, security through obscurity at it's best. It doesn't sound like something secret added by the chip fab company, although time will tell. Just as embedded controller companies have gotten into trouble putting hidden logins into their code thinking they're making the right tradeoff between convenience and security, this hardware company seems to have done the same.

Someone forgot to tell the marketing droids though and they made up a bunch of stuff about how the h/w was super secure.

JimCanuck ( 2474366 ) , Monday May 28, 2012 @04:45PM ( #40137217 )
Re:Most likely inserted by Microsemi/Actel not fab ( Score: 5 , Interesting)

I don't think anyone fully understands JTAG, there are a lot of different versions of it mashed together on the typical hardware IC. Regardless if its a FPGA, microcontroller or otherwise. The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.

Something that can also be completely disabled by setting the right fuse inside the chip itself to disable all JTAG connections. Something that is considered standard practice on IC's with a JTAG port available once assembled into their final product and programmed.

Plus according to Microsemi's own website, all military and aerospace qualified versions of their parts are still made in the USA. So this "researcher" used commercial parts, which depending on the price point can be made in the plant in Shanghai or in the USA at Microsemi's own will.

The "researcher" and the person who wrote the article need to spend some time reading more before talking.

emt377 ( 610337 ) , Monday May 28, 2012 @07:02PM ( #40137873 )
Re:Most likely inserted by Microsemi/Actel not fab ( Score: 4 , Insightful)
The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.

With pin access to the FPGA it's trivial to hook it up, no bridges or transceivers needed. If it's a BGA then get a breakout/riser board that provides pin access. This is off-the-shelf stuff. This means if the Chinese military gets their hands on the hardware they can reverse engineer it. They won't have to lean very hard on the manufacturer for them to cough up every last detail. In China you just don't say no to such requests if you know what's good for you and your business.

JimCanuck ( 2474366 ) , Monday May 28, 2012 @11:05PM ( #40139083 )
Re:Most likely inserted by Microsemi/Actel not fab ( Score: 4 , Interesting)
Not being readable even when someone has the device in hand is exactly what these secure FPGAs are meant to protect against!

It's not a non-issue. It's a complete failure of a product to provide any advantages over non-secure equivalents.

You clearly have NOT used a FPGA or similar. First the ProASIC3 the article focuses on is the CHEAPEST product in the product line (some of that model line reach down to below a dollar each). But beyond that ... Devices are SECURED by processes, such as blowing the JTAG fuses in the device which makes them operation only, and unreadable. They are secureable, if you follow the proper processes and methods laid out by the manufacturer of the specific chip.

Just because a "research paper" claims there is other then standard methods of JTAG built into the JTAG doesn't mean that the device doesn't secure as it should, nor does it mean this researcher who is trying to peddle his own product is anything but biased in this situation.

nospam007 ( 722110 ) * , Monday May 28, 2012 @02:39PM ( #40136445 )
Re:What did the military expect? ( Score: 4 , Interesting)

"Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic."

Not to mention the non-backdoor ones.

'Bogus electronic parts from China have infiltrated critical U.S. defense systems and equipment, including Navy helicopters and a commonly used Air Force cargo aircraft, a new report says.'

http://articles.dailypress.com/2012-05-23/news/dp-nws-counterfeit-chinese-parts-20120523_1_fake-chinese-parts-counterfeit-parts-air-force-c-130j [dailypress.com]

0123456 ( 636235 ) , Monday May 28, 2012 @02:04PM ( #40136219 )
Re:Should only buy military components from allies ( Score: 3 , Funny)
The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.

Didn't the US and UK governments sell crypto equipment they knew they could break to their 'allies' during the Cold War?

tlhIngan ( 30335 ) writes: < slashdot@[ ]f.net ['wor' in gap] > on Monday May 28, 2012 @03:30PM ( #40136781 )
Re:Should only buy military components from allies ( Score: 5 , Insightful)
Second problem.... 20 years ago the DOD had their own processor manufacturing facilities, IC chips, etc. They were shut down in favor of commercial equipment because some idiot decided it was better to have an easier time buying replacement parts at Radioshack than buying quality military-grade components that could last in austere environments. (Yes, speaking from experience). Servers and workstations used to be built from the ground up at places like Tobyhanna Army Depot. Now, servers and workstations are bought from Dell.

Fabs are expensive. The latest generation nodes cost billions of dollars to set up and billions more to run. If they aren't cranking chips out 24/7, they're literally costing money. Yes, I know it's hte military, but I'm sure people have a hard time justifying $10B every few years just to fab a few chips. One of the biggest developments in the 90s was the development of foundries that let anyone with a few tens of millions get in the game of producing chips rather than requiring billions in startup costs. Hence the startup of tons of fabless companies selling chips.

OK, another option is to buy a cheap obsolete fab and make chips that way - much cheaper to run, but we're also talking maybe 10+ year old technology, at which point the chips are going to be slower and take more power.

Also, building your own computer from the ground up is expensive - either you buy the designs of your servers from say, Intel, or design your own. If you buy it, it'll be expensive and probably require your fab to be upgraded (or you get stuck with an old design - e.g., Pentium (the original) - which Intel bought back from the DoD because the DoD had been debugging it over the decade). If you went with the older cheaper fab, the design has to be modified to support that technology (you cannot just take a design and run with it - you have to adapt your chip to the foundry you use).

If you roll your own, that becomes a support nightmare because now no one knows the system.

And on the taxpayer side - I'm sure everyone will question why you're spending billions running a fab that's only used at 10% capacity - unless you want the DoD getting into the foundry business with its own issues.

Or, why is the military spending so much money designing and running its own computer architecture and support services when they could buy much cheaper machines from Dell and run Linux on them?

Hell, even if the DoD had budget for that, some bean counter will probably do the same so they can save money from one side and use it to buy more fighter jets or something.

30+ years ago, defense spending on electronics formed a huge part of the overall electronics spending. These days, defense spending is but a small fraction - it's far more lucrative to go after the consumer market than the military - they just don't have the economic clout they once had. End result is the military is forced to buy COTS ICs, or face stuff like a $0.50 chip costing easily $50 or more for same just because the military is a bit-player for semiconductors

__aaltlg1547 ( 2541114 ) , Monday May 28, 2012 @02:29PM ( #40136361 )
Re:Should only buy military components from allies ( Score: 2 )

Anybody remember Jonathan Pollard?

Genda ( 560240 ) writes: < <ten.tog> <ta> <teiram> > on Monday May 28, 2012 @03:46PM ( #40136857 ) Journal
Re:Should only buy military components from allies ( Score: 2 )

You do know that the Mossad has been caught stealing and collecting American Top Secrets. In fact most of the nations above save perhaps Canada have at one time or another been caught either spying on us, or performing dirty deeds cheap against America's best interest. I'd say for the really classified stuff, like the internal security devices that monitor everything else... homegrown only thanks, and add that any enterprising person who's looking to get paid twice by screwing with the hardware or selling secrets to certified unfriendlies get's to cools their heels for VERY LONG TIME.

NixieBunny ( 859050 ) , Monday May 28, 2012 @01:34PM ( #40136025 ) Homepage
The actual article ( Score: 5 , Informative)

The original article is here. [cam.ac.uk] It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration.

Anonymous Coward , Monday May 28, 2012 @02:09PM ( #40136249 )
Re:The actual article ( Score: 5 , Interesting)

From your much more useful link,

We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fusion and Smartfusion.
we have found that the PA3 is used in military products such as weapons, guidance, flight control, networking and communications. In industry it is used in nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products. This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself. If the key is known, commands can be embedded into a worm to scan for JTAG, then to attack and reprogram the firmware remotely.

emphasis mine. Key is retrieved using the backdoor. Frankly, if this is true, Microsemi/Actel should get complete ban from all government contracts, including using their chips in any item build for use by the government.

NixieBunny ( 859050 ) , Monday May 28, 2012 @02:44PM ( #40136487 ) Homepage
Re:The actual article ( Score: 3 )

I would not be surprised if it's a factory backdoor that's included in all their products, but is not documented and is assumed to not be a problem because it's not documented.

With regard to reprogramming the chip remotely or by the FPGA itself via the JTAG port: A secure system is one that can't reprogram itself.

When I was designing VMEbus computer boards for a military subcontractor many years ago, every board had a JTAG connector that required the use of another computer with a special cable plugged into the board to perform reprogramming of the FPGAs. None of this update-by-remote-control crap.

Blackman-Turkey ( 1115185 ) , Monday May 28, 2012 @02:19PM ( #40136305 )
Re:The actual article ( Score: 3 , Informative)

No source approved [dla.mil] for Microsemi (Actel) qualified chips in China. If you use non-approved sources then, well, shit happens (although how this HW backdoor would be exploited is kind of unclear).

It seems that People's Republic of China has been misidentified with Taiwan (Republic of China).

6031769 ( 829845 ) , Monday May 28, 2012 @01:35PM ( #40136031 ) Homepage Journal
Wait and see ( Score: 5 , Informative)

Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this.

Here's his publications list from his University home page, FWIW: http://www.cl.cam.ac.uk/~sps32/#Publications [cam.ac.uk]

Anonymous Coward , Monday May 28, 2012 @01:36PM ( #40136039 )
samzenpus will be looking for a new job soon ( Score: 3 , Funny)
Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

Hey hey HEY! You stop that right this INSTANT, samzenpus! This is Slashdot! We'll have none of your "actual investigative research" nonsense around here! Fear mongering to sell ad space, mister, and that's ALL! Now get back to work! We need more fluffy space-filling articles like that one about the minor holiday labeling bug Microsoft had in the UK! That's what we want to see more of!

laing ( 303349 ) , Monday May 28, 2012 @02:08PM ( #40136243 )
Requires Physical Access ( Score: 5 , Informative)

The back-door described in the white paper requires access to the JTAG (1149.1) interface to exploit. Most deployed systems do not provide an active external interface for JTAG. With physical access to a "secure" system based upon these parts, the techniques described in the white paper allow for a total compromise of all IP within. Without physical access, very little can be done to compromise systems based upon these parts.

vlm ( 69642 ) , Monday May 28, 2012 @03:34PM ( #40136807 )
Where was it designed in? ( Score: 3 )

Where was this undocumented feature/bug designed in? I see plenty of "I hate China" posts, it would be quite hilarious if the fedgov talked the US mfgr into adding this backdoor, then the Chinese built it as designed. Perhaps the plan all along was to blame the Chinese if they're caught.

These are not military chips. They are FPGAs that happen to be used occasionally for military apps. Most of them are sold for other, more commercially exploitable purposes.

time961 ( 618278 ) , Monday May 28, 2012 @03:51PM ( #40136887 )
Big risk is to "secret sauce" for comms & cryp ( Score: 5 , Informative)

This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.

That said, it's still pretty bad, because hardware does occasionally end up in the hands of unfriendlies (e.g., crashed drones). FPGAs like these are often used to run classified software radio algorithms with anti-jam and anti-interception goals, or to run classified cryptographic algorithms. If those algorithms can be extracted from otherwise-dead and disassembled equipment, that would be bad--the manufacturer's claim that the FPGA bitstream can't be extracted might be part of the system's security certification assumptions. If that claim is false, and no other counter-measures are place, that could be pretty bad.

Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing. Also, a backdoor inserted that way would have to co-exist peacefully with all the other functions of the FPGA, a significant challenge both from an intellectual standpoint and from a size/timing standpoint--the FPGA may just not have enough spare capacity or spare cycles. They tend to be packed pretty full, 'coz they're expensive and you want to use all the capacity you have available to do clever stuff.

Fnord666 ( 889225 ) , Monday May 28, 2012 @09:16PM ( #40138557 ) Journal
Re:Big risk is to "secret sauce" for comms & c ( Score: 4 , Insightful)
This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.

Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing.

As someone else mentioned in another post, physical access can be a bit of a misnomer. Technically all that is required is for a computer to be connected via the JTAG interface in order to exploit this. This might be a diagnostic computer for example. If that diagnostic computer were to be infected with a targeted payload, there is your physical access.

nurb432 ( 527695 ) , Monday May 28, 2012 @02:43PM ( #40136477 ) Homepage Journal
Re:Is it called JTAG? ( Score: 2 )

I agree it most likely wasn't malicious, but its more than careless, its irresponsible, especially when dealing with military contracts.

rtfa-troll ( 1340807 ) , Monday May 28, 2012 @03:22PM ( #40136743 )
Re:No China link yet, probably a US backdoor ( Score: 2 )
There is no China link to the backdoor yet.

The page with a link to the final paper actually does mention China. However, it's an American design from a US company. I suspect we will find the backdoor was in the original plans. It will be interesting to see however.

[Oct 04, 2018] Bloomberg is spreading malicious propaganda trying to blame China for modifying hardware with some additional ships

Kind of Chinagate, but China means her Taivan and the design is US-based. Completely false malicious rumors -- propaganda attack on China. The goal is clearly to discredit Chinese hardware manufactures by spreading technical innuendo. In other words this is a kick below the belt.
Bloomberg jerks are just feeding hacker paranoia.
First of all this is not easy to do, secondly this is a useless exercise, as you need access to TCP/IP stack of the computer to transmit information. Software Trojans is much more productive area for such activities.
Oct 04, 2018 | www.zerohedge.com

Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media's hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS's China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in ‎this article as it relates to Amazon that they're hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we ‎launched in China, they owned these data centers from the start, and the hardware we "sold" to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.

Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.

Security will always be our top priority. AWS is trusted by many of the world's most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else. We are constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them whenever they are identified.

– Steve Schmidt, Chief Information Security Officer

Trumptards are IDIOTs


CashMcCall , 5 hours ago

TRUMPTARDS have an enormous amount of surplus time on their hands to forward their Harry Potter Styled Conspiracies.

APPLE AND AMAZON DENIED THE STORY. STORY OVER... GET IT CREEPY?

CashMcCall , 5 hours ago

While TRUMPTARDS were posting their Conspiracy Theories and the "TrumpEXPERTS" were embellishing the ridiculous story with their lavish accounts of chip bug design, I was enjoying a Bloomberg windfall.

Having confirmed early that the story was False since AMAZON and APPLE BOTH DENIED IT... and their stock was not moving, I turned to Supermicro which was plunging and down over 50%. I checked the options, and noted they were soft, so I put in bids for long shares and filled blocks at 9 from two accounts.

The moronic TRUMPTARD Conspiracy posts continued, Supermicro is now up over 13.

That is the difference between having a brain in your head or having TRUMPTARD **** FOR BRAINS...

Urban Roman , 5 hours ago

On second thought, this story is just ********. Note that the BBG story never mentions the backdoors that were talked about for over a decade, nor did they mention Mr. Snowden's revelation that those backdoors do exist, and are being used, by the surveillance state.

Since the Chinese factories are manufacturing these things, they'd have all the specs and the blobs and whatever else they need, and would never require a super-secret hardware chip like this. Maybe this MITM chip exists, and maybe it doesn't. But there's nothing to keep China from using the ME on any recent Intel chip, or the equivalent on any recent AMD chip, anywhere.

The purpose of this article is to scare you away from using Huawei or ZTE for anything, and my guess is that it is because those companies did not include these now-standard backdoors in their equipment. Maybe they included Chinese backdoors instead, but again, they wouldn't need a tiny piece of hardware for this MITM attack, since modern processors are all defective by design.

Chairman , 5 hours ago

I think I will start implementing this as an interview question. If a job candidate is stupid enough to believe this **** then they will not work for me.

DisorderlyConduct , 4 hours ago

Well, hmmm, could be. To update a PCB is actually really poor work. I would freak my biscuits if I received one of my PCBs with strange pads, traces or parts.

To substitute a part is craftier. To change the content of a part is harder, and nigh impossible to detect without xray.

Even craftier is to change VHDL code in an OTP chip or an ASIC. The package and internal structure is the same but the fuses would be burned different. No one would likely detect this unless they were specifically looking for it.

Kendle C , 5 hours ago

Well written propaganda fails to prove claims. Everybody in networking and IT knows that switches and routers have access to root, built in, often required by government, backdoors. Scripts are no big thing often used to speed up updates, backups, and troubleshooting. So when western manufacturers began shoveling their work to Taiwan and China, with them they sent millions of text files, including instructions for backdoor access, the means and technology (to do what this **** article is claiming) to modify the design, even classes with default password and bypass operations for future techs. We were shoveling hand over foot designs as fast as we could...all for the almighty dollar while stiffing American workers. So you might say greed trumped security and that fault lies with us. So stuff this cobbled together propaganda piece, warmongering ****.

AllBentOutOfShape , 5 hours ago

ZH has definitely been co-oped. This is just the latest propaganda ******** article of the week they've come out with. I'm seeing more and more articles sourced from well known propaganda outlets in recent months.

skunzie , 6 hours ago

Reminds me of how the US pulled off covert espionage of the Russians in the 70's using Xerox copiers. The CIA inserted trained Xerox copy repairmen to handle repairs on balky copiers in Russian embassies, etc. When a machine was down the technician inserted altered motherboards which would transmit future copies directly to the CIA. This is a cautionary tale for companies to cover their achilles heel (weakest point) as that is generally the easiest way to infiltrate the unsuspecting company.

PrivetHedge , 6 hours ago

What another huge load of bollocks from our pharisee master morons.

I guess they think we're as stupid as they are.

CashMcCall , 6 hours ago

But but but the story came from one of the chosen money changers Bloomberg... everyone knows a *** would never lie or print a false story at the market open

smacker , 7 hours ago

With all the existing ***** chips and backdoors on our computers and smartphones planted by the CIA, NSA, M$, Goolag & friends, and now this chip supposedly from China, it won't be long before there's no space left in RAM and on mobos for the chips that actually make the device do what we bought it to do.

Stinkbug 1 , 7 hours ago

this was going on 20 years ago when it was discovered that digital picture frames from china were collecting passwords and sending them back. it was just a test, so didn't get much press.

now they have the kinks worked out, and are ready for the coup de grace.

I Write Code , 7 hours ago

https://www.reddit.com/r/news/comments/9lac9k/china_used_a_tiny_chip_in_a_hack_that_infiltrated/?st=JMUNFMRR&sh=10c388fb

ChecksandBalances , 7 hours ago

This story seemed to die. Did anyone find anything indicating someone on our side has actually got a look at the malicious chip, assuming it exists? Technical blogs have nothing, only news rags like NewsMaxx. If 30 companies had these chips surely someone has one. This might be one huge fake news story. Why Bloomberg would publish it is kind of odd.

FedPool , 7 hours ago

Probably a limited evaluation operation to gauge the population's appetite for war. Pentagram market research. They're probably hitting all of the comment sections around the web as we speak. Don't forget to wave 'hi'.

Heya warmongers. No, we don't want a war yet, k thanks.

underlying , 7 hours ago

Since were on the topic let's take a look at the scope hacking tools known to the general public known prior to the Supermicro Server Motherboard Hardware Exploit; (P.S. What the **** do you expect when you have Chinese state owned enterprises, at minimum quasi state owned enterprises in special economic development zones controlled by the Chinese communist party, building motherboards?)

Snowden NSA Leaks published in the gaurdian/intercept

https://www.theguardian.com/us-news/the-nsa-files

Wikileaks Vault 7 etc....

https://wikileaks.org/vault7/

Spector/Meltdown vulnerability exploits

https://leeneubecker.com/grc-releases-test-tool-spectre-and-meltdown-vulnerabilities/

Random list compiled by TC bitches

https://techcrunch.com/2017/03/09/names-and-definitions-of-leaked-cia-hacking-tools/

This does not include the private/corporate sector hacking pen testing resources and suites which are abundant and easily available to **** up the competition in their own right.

i.e., https://gbhackers.com/hacking-tools-list/

Urban Roman , 5 hours ago

Exactly. Why would they ever need a super-micro-man-in-the-middle-chip?

Maybe this 'chip' serves some niche in their spycraft, but the article in the keypost ignores a herd of elephants swept under the carpet, and concentrates on a literal speck of dust.

Moribundus , 8 hours ago

A US-funded biomedical laboratory in Georgia may have conducted bioweapons research under the guise of a drug test, which claimed the lives of at least 73 subjects...new documents "allow us to take a fresh look" at outbreaks of African swine fever in southern Russia in 2007-2018, which "spread from the territory of Georgia into the Russian Federation, European nations and China. The infection strain in the samples collected from animals killed by the disease in those nations was identical to the Georgia-2007 strain." https://www.rt.com/news/440309-us-georgia-toxic-bioweapon-test/

Dr. Acula , 8 hours ago

"In a Senate testimony this past February, six major US intelligence heads warned that American citizens shouldn't use Huawei and ZTE products and services." - https://www.theverge.com/2018/5/2/17310870/pentagon-ban-huawei-zte-phones-retail-stores-military-bases

Are these the same intelligence agencies that complain about Russian collusion and cover up 9/11 and pizzagate?

[Sep 05, 2018] West Virginia Offers Free Cybersecurity Training To the Elderly

Sep 04, 2018 | news.slashdot.org
msmash on Tuesday September 04, 2018 @10:50AM from the how-about-that dept

West Virginia's Attorney General Patrick Morrisey, who's currently running for U.S. Senate, announced Tuesday that he's partnering with two local community and technical colleges to connect senior citizens with college students for free cybersecurity training .

The announcement comes amid rising cyber scams, many of which are targeted at elderly.

[Aug 22, 2018] How Do You Get the "Recent Files" List Back in Windows 10? by Akemi Iwaya

Notable quotes:
"... Today's Question & Answer session comes to us courtesy of SuperUser -- a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites. ..."
"... Note: The contents of the Recent Items folder is different from the contents of the File Explorer entry Recent Places, which contains folders that have been recently visited rather than files. They often have quite different contents. ..."
"... Recent Items folder ..."
"... %AppData%\Microsoft\Windows\Recent\ ..."
"... Quick Access Menu ..."
"... Power User's Menu ..."
"... Quick Access Menu ..."
"... Windows Key+X ..."
"... Note: The original article was for Windows 8.1, but this works on Windows 10 at the time of writing this. ..."
"... Image/Screenshot Credit: Techie007 (SuperUser) ..."
Aug 22, 2018 | www.howtogeek.com

October 4th, 2016

how-do-you-get-the-all-recent-files-list-functionality-back-in-windows-ten-00

When you frequently use a long-standing and convenient feature in Windows, then suddenly see it removed from the latest version, it can be very frustrating. How do you get the missing feature back? Today's SuperUser Q&A post has some helpful solutions to a reader's "recent file" woes.

Today's Question & Answer session comes to us courtesy of SuperUser -- a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader Mr. Boy wants to know how to get the "All Recent Files" list back in Windows 10:

I can find the listings for recent items, but these only seem to let me see recent items opened by a particular app. For example, I can look at Microsoft Word's icon and see the documents recently opened in it.

I am unable to find a simple "these are the last ten documents/files opened with any application", which is very useful if I have not pinned the apps in question to my taskbar. This feature used to exist in Windows XP as "My Recent Documents":

how-do-you-get-the-all-recent-files-list-functionality-back-in-windows-ten-01-b

Is there a way to get this functionality back in Windows 10? For example, I open doc.docx, sheet.xlsl, options.txt, picture.bmp, etc. with different apps and then see these items all listed in one place indicating the files that I have most recently accessed?

How do you get the "All Recent Files" list functionality back in Windows 10?

The Answer

SuperUser contributors Techie007 and thilina R have the answer for us. First up, Techie007:

I believe that the new way of thinking at Microsoft during the Start Menu's redesign process was that if you want to access "files", then you should open the File Explorer to access them instead of the Start Menu.

To that end, when you open the File Explorer, it will default to Quick Access , which includes a list of Recent Files like the example shown here:

how-do-you-get-the-all-recent-files-list-functionality-back-in-windows-ten-02

Followed by the answer from thilina R:

Method 1: Use the Run Dialog Box

This will open the folder listing all of your recent items. The list can be quite long and may contain items that are not as recent, and you may even want to delete some of them.

Note: The contents of the Recent Items folder is different from the contents of the File Explorer entry Recent Places, which contains folders that have been recently visited rather than files. They often have quite different contents.

Method 2: Make a Desktop Shortcut to the Recent Items Folder

If you like (or need) to look at the contents of the Recent Items folder on a frequent basis, you may want to create a shortcut on your desktop:

You can also pin this shortcut to the taskbar or place it in another convenient location.

Method 3: Add Recent Items to the Quick Access Menu

The Quick Access Menu (also called the Power User's Menu ) is another possible place to add an entry for Recent Items . This is the menu opened by the keyboard shortcut Windows Key+X . Use the path:

Contrary to what some articles on the Internet say, you cannot simply add shortcuts to the folder that is used by the Quick Access Menu . For security reasons, Windows will not allow additions unless the shortcuts contain certain code. The utility Windows Key+X menu editor takes care of that problem.

Source: Three Ways to Easily Access Your Most Recent Documents and Files in Windows 8.x [Gizmo's Freeware] Note: The original article was for Windows 8.1, but this works on Windows 10 at the time of writing this.


Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here .

Image/Screenshot Credit: Techie007 (SuperUser)

[Aug 22, 2018] Microsoft has reason to get in the good graces of the CIA, NSA and Pentagon at this time: Quid pro quo

Notable quotes:
"... In the running are Amazon Web Services, IBM and Microsoft. Winning this contract gives the winner an advantage in winning future related contracts ..."
Aug 22, 2018 | www.moonofalabama.org

librul | Aug 21, 2018 11:04:43 PM | 48

Can we see Microsoft's actions today as a salespitch?

https://www.nextgov.com/it-modernization/2018/07/pentagon-accepting-bids-its-controversial-10-billion-war-cloud/150059/

The Defense Department on Thursday officially began accepting proposals for its highly-anticipated Joint Enterprise Defense Infrastructure cloud contract. The JEDI contract will be awarded to a single cloud provider -- an issue many tech companies rallied against -- and will be valued at up to $10 billion over 10 years, according to the final request for proposal. The contract itself will put a commercial company in charge of hosting and distributing mission-critical workloads and classified military secrets to warfighters around the globe in a single war cloud.

https://www.defenseone.com/technology/2018/08/someone-waging-secret-war-undermine-pentagons-huge-cloud-contract/150685/

As some of the biggest U.S. technology companies have lined up to bid on the $10 billion contract to create a massive Pentagon cloud computing network, the behind-the-scenes war to win it has turned ugly.

In the running are Amazon Web Services, IBM and Microsoft. Winning this contract gives the winner an advantage in winning future related contracts.

[Aug 02, 2018] There was a big row over Kaspersky s software actually doing its job and detecting malware on an NSA officer s personal workstation at home, where he was conducting development in an unauthorized manner.

Notable quotes:
"... There was a big row over Kaspersky's software actually doing its job and detecting malware on an NSA officer's personal workstation at home, where he was conducting development in an unauthorized manner. The software did as it is designed, which is upload the suspicious software to Kaspersky's servers for analysis. This was represented by the US government as some sort of "spying for the Russian intelligence community" by Kaspersky. The US government also made a big deal over the fact that Kaspersky does work with the Russian government on computer security issues, as one would expect of such a company. ..."
Aug 02, 2018 | turcopolier.typepad.com

richardstevenhack -> Bill Herschel , a day ago

Yes, PostgreSQL is very good. It's open source, meaning the source code is available for inspection, so if there was anything suspicious about it, it would likely have been caught before now. Of course, bugs and security issues might well remain, regardless.

Russians make a lot of good software. Their computer training in universities has always been first rate.

This is similar to the big issue over the Kaspersky company, a major manufacturer of a high-quality antimalware suite, being Russian. The US has made it a big issue, passing regulations that prohibit US government offices from using it, forcing Kaspersky to consider moving to Switzerland. I don't think many people in the infosec community have any concerns about Kaspersky being Russian. They've been in the antimalware business for quite a while and always get top marks in the independent antimalware tests.

There was a big row over Kaspersky's software actually doing its job and detecting malware on an NSA officer's personal workstation at home, where he was conducting development in an unauthorized manner. The software did as it is designed, which is upload the suspicious software to Kaspersky's servers for analysis. This was represented by the US government as some sort of "spying for the Russian intelligence community" by Kaspersky. The US government also made a big deal over the fact that Kaspersky does work with the Russian government on computer security issues, as one would expect of such a company.

The whole thing is just another example of "Russian Derangement Syndrome."

[Aug 01, 2018] There was a big row over Kaspersky's software actually doing its job and detecting malware on an NSA officer's personal workstation at home, where he was conducting development in an unauthorized manner.

Aug 01, 2018 | turcopolier.typepad.com

[Jul 05, 2018] Stuxnet opened a can of worms

Jul 05, 2018 | www.theamericanconservative.com

...Stuxnet, which was thought to be a joint American-Israeli assault on Iran's nuclear program. And there are reports of U.S. attempts to similarly hamper North Korean missile development. Some consider such direct attacks on other governments to be akin to acts of war. Would Washington join Moscow in a pledge to become a good cyber citizen?

[Jun 19, 2018] DOJ Indicts Vault 7 Leak Suspect; WikiLeaks Release Was Largest Breach In CIA History Zero Hedge

Jun 19, 2018 | www.zerohedge.com

A 29-year-old former CIA computer engineer, Joshua Adam Schulte, was indicted Monday by the Department of Justice on charges of masterminding the largest leak of classified information in the spy agency's history .

Schulte, who created malware for the U.S. Government to break into adversaries computers, has been sitting in jail since his August 24, 2017 arrest on unrelated charges of posessing and transporting child pornography - which was discovered in a search of his New York apartment after Schulte was named as the prime suspect in the cyber-breach one week after WikiLeaks published the "Vault 7" series of classified files. Schulte was arrested and jailed on the child porn charges while the DOJ ostensibly built their case leading to Monday's additional charges.

[I]nstead of charging Mr. Schulte in the breach, referred to as the Vault 7 leak, prosecutors charged him last August with possessing child pornography, saying agents had found 10,000 illicit images on a server he created as a business in 2009 while studying at the University of Texas at Austin.

Court papers quote messages from Mr. Schulte that suggest he was aware of the encrypted images of children being molested by adults on his computer, though he advised one user, "Just don't put anything too illegal on there." - New York Times

Monday's DOJ announcement adds new charges related to stealing classified national defense information from the Central Intelligence Agency in 2016 and transmitting it to WikiLeaks ("Organization-1").

The Vault 7 release - a series of 24 documents which began to publish on March 7, 2017 - reveal that the CIA had a wide variety of tools to use against adversaries, including the ability to "spoof" its malware to appear as though it was created by a foreign intelligence agency , as well as the ability to take control of Samsung Smart TV's and surveil a target using a "Fake Off" mode in which they appear to be powered down while eavesdropping.

The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity .

...

The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from .

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques . - WikiLeaks

Schulte previously worked for the NSA before joining the CIA, then "left the intelligence community in 2016 and took a job in the private sector," according to a statement reviewed in May by The Washington Post .

Schulte also claimed that he reported "incompetent management and bureaucracy" at the CIA to that agency's inspector general as well as a congressional oversight committee. That painted him as a disgruntled employee, he said, and when he left the CIA in 2016, suspicion fell upon him as "the only one to have recently departed [the CIA engineering group] on poor terms," Schulte wrote. - WaPo

Part of that investigation, reported WaPo, has been analyzing whether the Tor network - which allows internet users to hide their location (in theory) "was used in transmitting classified information."

In other hearings in Schulte's case, prosecutors have alleged that he used Tor at his New York apartment, but they have provided no evidence that he did so to disclose classified information. Schulte's attorneys have said that Tor is used for all kinds of communications and have maintained that he played no role in the Vault 7 leaks. - WaPo

Schulte says he's innocent: " Due to these unfortunate coincidences the FBI ultimately made the snap judgment that I was guilty of the leaks and targeted me," Schulte said. He launched Facebook and GoFundMe pages to raise money for his defense, which despite a $50 million goal, has yet to r eceive a single donation.

me name=

The Post noted in May, the Vault 7 release was one of the most significant leaks in the CIA's history , "exposing secret cyberweapons and spying techniques that might be used against the United States, according to current and former intelligence officials."

The CIA's toy chest includes:

"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages."

me title=

me title=

me title=

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.

CIA hackers operating out of the Frankfurt consulate ( "Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats , Personal Security Products , Detecting and defeating PSPs and PSP/Debugger/RE Avoidance . For example, Comodo was defeated by CIA malware placing itself in the Window's "Recycle Bin" . While Comodo 6.x has a "Gaping Hole of DOOM" .

You can see the entire Vault7 release here .

A DOJ statement involving the Vault7 charges reads:

"Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization . During the course of this investigation, federal agents also discovered alleged child pornography in Schulte's New York City residence ," said Manhattan U.S. Attorney Geoffrey S. Berman.

On March 7, 2017, Organization-1 released on the Internet classified national defense material belonging to the CIA (the "Classified Information"). In 2016, SCHULTE, who was then employed by the CIA, stole the Classified Information from a computer network at the CIA and later transmitted it to Organization-1. SCHULTE also intentionally caused damage without authorization to a CIA computer system by granting himself unauthorized access to the system, deleting records of his activities, and denying others access to the system . SCHULTE subsequently made material false statements to FBI agents concerning his conduct at the CIA.

Schulte faces 135 years in prison if convicted on all 13 charges:

  1. Illegal Gathering of National Defense Information, 18 U.S.C. §§ 793(b) and 2
  2. Illegal Transmission of Lawfully Possessed National Defense Information, 18 U.S.C. §§ 793(d) and 2
  3. Illegal Transmission of Unlawfully Possessed National Defense Information, 18 U.S.C. §§ 793(e) and 2
  4. Unauthorized Access to a Computer To Obtain Classified Information, 18 U.S.C. §§ 1030(a)(1) and 2
  5. Theft of Government Property, 18 U.S.C. §§ 641 and 2
  6. Unauthorized Access of a Computer to Obtain Information from a Department or Agency of the United States, 18 U.S.C. §§ 1030(a)(2) and 2
  7. Causing Transmission of a Harmful Computer Program, Information, Code, or Command, 18 U.S.C. §§ 1030(a)(5) and 2
  8. Making False Statements, 18 U.S.C. §§ 1001 and 2
  9. Obstruction of Justice, 18 U.S.C. §§ 1503 and 2
  10. Receipt of Child Pornography, 18 U.S.C. §§ 2252A(a)(2)(B), (b)(1), and 2
  11. Possession of Child Pornography, 18 U.S.C. §§ 2252A(a)(5)(B), (b)(2), and 2
  12. Transportation of Child Pornography, 18 U.S.C. § 2252A(a)(1)
  13. Criminal Copyright Infringement, 17 U.S.C. § 506(a)(1)(A) and 18 U.S.C. § 2319(b)(1)

Billy the Poet -> Anarchyteez Mon, 06/18/2018 - 22:50 Permalink

So Schulte was framed for kiddie porn because he released information about how the CIA can frame innocent people for computer crime.

A Sentinel -> Billy the Poet Mon, 06/18/2018 - 22:59 Permalink

That seems very likely.

Seems like everyone has kiddy porn magically appear and get discovered after they piss off the deep state bastards.

And the best part is that it's probably just the deep state operatives' own private pedo collections that they use to frame anyone who they don't like.

A Sentinel -> CrabbyR Mon, 06/18/2018 - 23:46 Permalink

I was thinking about the advancement of the technology necessary for that. They can do perfect fake stills already.

My thought is that you will soon need to film yourself 24/7 (with timestamps, shared with a blockchain-like verifiably) so that you can disprove fake video evidence by having a filmed alibi.

CrabbyR -> A Sentinel Tue, 06/19/2018 - 00:07 Permalink

good point but creepy to think it can get that bad

peopledontwanttruth -> Anarchyteez Mon, 06/18/2018 - 22:50 Permalink

Funny how all these whistleblowers are being held for child pornography until trial.

But we have evidence of government officials and Hollyweird being involved in this perversion and they walk among us

secretargentman -> peopledontwanttruth Mon, 06/18/2018 - 22:51 Permalink

Those kiddy porn charges are extremely suspect, IMO.

chunga -> secretargentman Mon, 06/18/2018 - 23:12 Permalink

It's so utterly predictable.

The funny* thing is I believe gov, particularly upper levels, is chock full of pedophiles.

* It isn't funny, my contempt for the US gov grows practically by the hour.

A Sentinel -> chunga Mon, 06/18/2018 - 23:42 Permalink

I said pretty much the same. I further speculated that it was their own porn that they use for framing operations.

SybilDefense -> A Sentinel Tue, 06/19/2018 - 00:33 Permalink

Ironically, every single ex gov whistle blower (/pedophile) has the exact same kiddie porn data on their secret server (hidden in plane view at the apartment). Joe CIA probably has a zip drive preloaded with titled data sets like "Podesta's Greatest Hits", "Hillary's Honey bunnies" or "Willy go to the zoo". Like the mix tapes you used to make for a new gal you were trying to date. Depending upon the mood of the agent in charge, 10,000 images of Weiner's "Warm Pizza" playlist magically appear on the server in 3-2-1... Gotcha!

These false fingerprint tactics were all over the trump accusations which started the whole Russia Russia Russia ordeal. And the Russia ordeal was conceptualized in a paid report to Podesta by the Bensenson Group called the Salvage Program when it was appearant that Trump could possible win and the DNC needed ideas on how to throw the voters off at the polls. Russia is coming /Red dawn was #1 or #2 on the list of 7 recommended ploys. The final one was crazy.. If Trump appeared to win the election, imagery of Jesus and an Alien Invasion was to be projected into the skies to cause mass panic and create a demand for free zanex to be handed out to the panic stricken.

Don't forget Black Lives Matters. That was idea #4 of this Bensenson report, to create civil unrest and a race war. Notice how BLM and Antifa manically disappeared after Nov 4. All a ploy by the Dems & the deep state to remain in control of the countrys power.

Back to the topic at hand. Its a wonder he didn't get Seth Riched. Too many porn servers and we will begin to question the legitimacy. Oh wait...

You won't find any kiddie porn on Hillary's or DeNiros laptop. Oh its there. You just will never ever hear about it.

cankles' server -> holdbuysell Mon, 06/18/2018 - 22:57 Permalink

The Vault 7 release - a series of 24 documents which began to publish on March 7, 2017 - reveal that the CIA had a wide variety of tools to use against adversaries, including the ability to "spoof" its malware to appear as though it was created by a foreign intelligence agency ....

It probably can spoof child porn as well.

Is he charged with copyright infringement for pirating child porn?

BGO Mon, 06/18/2018 - 22:43 Permalink

The intel community sure has a knack for sussing out purveyors of child pornography. It's probably just a coincidence govt agencies and child pornography are inextricably linked.

Never One Roach -> BGO Mon, 06/18/2018 - 22:44 Permalink

Sounds like he may be a friend of Uncle Joe Biden whom we know is "very, very friendly" with the children.

NotBuyingIt -> BGO Mon, 06/18/2018 - 23:09 Permalink

It's very easy for a criminal spook to plant child porn on some poor slob's machine - especially when they want to keep him on the hook to sink his ass for something bigger in the future. Who knows... this guy may have done some shit but I'm willing to bet he was entirely targeted by these IC assholes. Facing 135 years in prison... yet that baggy ass cunt Hillary walks free...

DoctorFix -> BGO Mon, 06/18/2018 - 23:18 Permalink

Funny how they always seem to have a "sting" operation in progress when there's anyone the DC rats want to destroy but strangely, or not, silent as the grave when one of the special people are fingered.

MadHatt Mon, 06/18/2018 - 22:43 Permalink

Transportation of Child Pornography, 18 U.S.C. § 2252A(a)(1)

Uhh... what? He stole CIA child porn?

navy62802 -> MadHatt Mon, 06/18/2018 - 23:30 Permalink

Nah ... that's the shit they planted on him for an excuse to make an arrest.

MadHatt -> navy62802 Tue, 06/19/2018 - 00:29 Permalink

If he stole all their hacking apps, wouldn't that be enough to arrest him?

Never One Roach Mon, 06/18/2018 - 22:44 Permalink

That list of federal crimes is almost as long as Comey's list of Hillary Clinton's federal crimes.

_triplesix_ Mon, 06/18/2018 - 22:46 Permalink

Of all these things the C_A can do, it doesn't take a brain surgeon to realize that planting CP on a computer of someone you don't like would be a piece of cake, comparatively speaking.

_triplesix_ Mon, 06/18/2018 - 22:46 Permalink

Of all these things the C_A can do, it doesn't take a brain surgeon to realize that planting CP on a computer of someone you don't like would be a piece of cake, comparatively speaking.

Giant Meteor -> _triplesix_ Mon, 06/18/2018 - 22:51 Permalink

It probably comes standard now buried within systems, like a sleeper cell. Just waiting for the right infraction and trigger to be pulled ..

PigMan Mon, 06/18/2018 - 22:50 Permalink

Did he also leak that the CIA's favorite tactic is to plant kiddie porn on their targets computer?

ConnectingTheDots Mon, 06/18/2018 - 22:56 Permalink

The alphabet agencies would never hack someone's computer.

The alphabet agencies would never spy on US citizens (at least not wittingly)

The alphabet agencies would never plant physical evidence.

The alphabet agencies would never lie under oath.

The alphabet agencies would never have an agenda.

The alphabet agencies would never provide the media with false information.

/s

Chupacabra-322 Mon, 06/18/2018 - 23:14 Permalink

The "Spoofing" or Digital Finger Print & Parallel Construction tools that can be used against Governments, Individuals, enemies & adversaries are Chilling.

The CIA can not only hack into anything -- they can download any "evidence" they want onto your phone or computer. Child pornography, national secrets, you name it. Then they can blackmail you, threatening prosecution for whatever crap they have planted, then "found" on your computer. They can also "spoof" the source of such downloads -- for instance, if they want to "prove" that something on your computer (or Donald Trump's computer) came from a "Russian source" -- they can spoof the IP address of a Russian source.

The take-away: no digital evidence the CIA or NSA produces on any subject whatsoever can be trusted. No digital evidence should be acceptable in any case where the government has an interest, because they have the complete ability to fabricate and implant any evidence on any iphone or computer. And worse: they have intentionally created these digital vulnerabilities and pushed them onto the whole world via Microsoft and Google. Government has long been at war with liberty, claiming that we need to give up liberty to be secure. Now we learn that they have been deliberately sabotaging our security, in order to augment their own power. Time to shut down the CIA and all the other spy agencies. They're not keeping us free OR secure, and they're doing it deliberately. Their main function nowadays seems to be lying us into wars against countries that never attacked us, and had no plans to do so.

The Echelon Computer System Catch Everything

The Flagging goes to Notify the Appropriate Alphabet,,,...Key Words Phrases...Algorithms,...It all gets sucked up and chewed on and spat out to the surmised computed correct departments...That simple.

Effective immediately defund, Eliminate & Supeona it's Agents, Officials & Dept. Heads in regard to the Mass Surveillance, Global Espionage Spying network & monitoring of a President Elect by aforementioned Agencies & former President Obama, AG Lynch & DIA James Clapper, CIA John Breanan.

#SethRich

#Vault7

#UMBRAGE

ZIRPdiggler -> Chupacabra-322 Tue, 06/19/2018 - 00:29 Permalink

Since 911, they've been "protecting" the shit out of us. "protecting" away every last fiber of liberty. Was watching some fact-based media about the CIA's failed plan to install Yeltsin's successor via a Wallstreet banking cartel bet (see, LTCM implosion). The ultimate objectives were to rape and loot post-Soviet Russian resources and enforce regime change. It's such a tired playbook at this point. Who DOESNT know about this sort of affront? Apparently even nobel prize economists cant prevent a nation from failing lol. The ultimate in vanity; our gubmint and its' shadow controllers.

moobra Mon, 06/18/2018 - 23:45 Permalink

This is because people who are smart enough to write walware for the CIA send messages in the clear about child porn and are too dumb to encrypt images with a key that would take the lifetime of the universe to break.

Next his mother will be found to have a tax problem and his brother's credit rating zeroed out.

Meanwhile Comey will be found to have been "careless".

ZIRPdiggler Tue, 06/19/2018 - 00:05 Permalink

Yeah I don't believe for a second that this guy had anything to do with child porn. Not like Obama and his hotdogs or Clintons at pedo island, or how bout uncle pervie podesta? go after them, goons and spooks. They (intelligence agencies) falsely accuse people of exactly what they are ass-deep in. loses credibility with me when the CIA clowns or NSA fuck ups accuse anyone of child porn; especially one of their former employees who is 'disgruntled'. LOL. another spook railroad job done on a whistleblower. fuck the CIA and all 17 alphabet agencies who spy on us 24/7. Just ask, if you want to snoop on me. I may even tell you what I'm up to because I have nothing that I would hide since, I don't give a shit about you or whether you approve of what I am doing.

AGuy -> ZIRPdiggler Tue, 06/19/2018 - 00:36 Permalink

"Yeah I don't believe for a second that this guy had anything to do with child porn."

Speculation by my part: He was running a Tor server, and the porn originated from other Tor users. If that is the case ( it would be easy for law enforcement to just assume it was his) law enforcement enjoys a quick and easy case.

rgraf Tue, 06/19/2018 - 00:05 Permalink

They shouldn't be spying, and they shouldn't keep any secrets from the populace. If they weren't doing anything wrong, they have nothing to hide.

ZIRPdiggler -> rgraf Tue, 06/19/2018 - 00:09 Permalink

It really doesn't matter if someone wants to hide. That is their right. Only Nazi's like our spy agencies would use the old Gestapo line, "If you have nothing to hide then you have nothing to worry about. Or better yet, you should let me turn your life upside down if you have nothing to hide. " Bullshit! It's none of their fucking business. How bout that? Spooks and secret clowns CAN and DO frame anybody for whatever or murder whomever they wish. So why WOULDNT people be afraid when government goons start sticking their big snouts into their lives??? They can ruin your life for the sake of convenience. Zee Furor is not pleased with your attitude, comrade.

Blue Steel 309 Tue, 06/19/2018 - 00:53 Permalink

Vault 7 proves that most digital evidence should be inadmissible in court, yet I don't see anyone publishing articles about this problem.

[May 20, 2018] How to: install Windows 7 on a recent laptop/PC from a bootable USB drive

May 20, 2018 | bogdan.org.ua

12th June 2016

If you had ever seen the not-so-descriptive error message
A required CD/DVD drive device driver is missing ,
then you have been trying to install Windows 7 (possibly using a bootable flash drive) on a recent laptop or desktop.

There are two major obstacles for a somewhat-dated Windows 7 when it sees modern hardware:

Fortunately, both problems are easy to fix.
Just follow the steps below; skip steps 1 and 2 if you already have a bootable Win7 flash drive.
Read the rest of this entry "

[Apr 17, 2018] U.S., British governments warn businesses worldwide of Russian campaign to hack routers by Ellen Nakashima

Looks like US and British government does not like competition ;-)
"These network devices make "ideal targets," said Manfra, Homeland Security's assistant secretary for cybersecurity and communications." -- he knows what he is talking about...
The problem here are "very cheap" and "very old" routers and weak firewalls. Your Router's Security Stinks Here's How to Fix It For those who are into this business it might benefical to use a separate firewall unit and a "honeypot" before the router those days. You may wish to buy a low-end commercial-grade Wi-Fi/Ethernet router, which retails for about $200, rather than a consumer-friendly router that can cost as little as $20.
Apr 16, 2018 | www.washingtonpost.com

The unusual public warning from the White House, U.S. agencies and Britain's National Cyber Security Center follows a years-long effort to monitor the threat. The targets number in the millions, officials say, and include "primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors."

... ... ...

These network devices make "ideal targets," said Manfra, Homeland Security's assistant secretary for cybersecurity and communications. Most traffic within a company or between organizations traverses them. So a hacker can monitor, modify or disrupt it, she said. And they're usually not secured at the same level as a network server.

"Once you own the router, you own the traffic that's traversing the router," she said.

... ... ...

Ellen Nakashima is a national security reporter for The Washington Post. She covers cybersecurity, surveillance, counterterrorism and intelligence issues. She has also served as a Southeast Asia correspondent and covered the White House and Virginia state politics. She joined The Post in 1995. Follow @nakashimae

jedediah smytheson, 3 hours ago

It is appropriate to reveal and decry misbehavior in cyberspace. What is not appropriate is our leaders ignoring their own responsibility to secure government networks. The sad fact is that senior leaders in government do not understand the issue and are unwilling to accept any inconvenience. The Federal government has lost huge amounts of very sensitive data of AT LEAST 100 million citizens. If I remember correctly, OPM lost 23 million electronic security clearance forms (SF 86s) with personal information not only of the person being processed for a clearance, but also of the members of that person's family. That's how I came up with over 100 million. And what was the result? Well, no one was held accountable or responsible for this incredible breach of security. More importantly, the networks are still not well secured. In summary, we will be hacked continuously until someone in Government takes this seriously and puts more resources into securing the networks rather than turning the public's attention away from their own incompetence and focusing on our adversaries.

bluefrog, 4 hours ago

Haha ... the U.K. who secretly tapped the fiber optic cables running under the Atlantic Ocean to record EVERYONE's private data is now advising against hackers! A degenerate country operating on the basis of lies and deceit, I don't trust them as far as I can throw them.

hkbctkny, 4 hours ago

This is really nothing new [ https://www.us-cert.gov/ncas/alerts/TA18-106A ] - most of this has been going on forever, even skript kiddies were on it back in the day.

The only part that might be news is if there's evidence of a concerted, targeted campaign from one very organized actor. Haven't seen the evidence presented, though, and my scans are basically what they've always been: hundreds and hundreds from residential CPE and other compromised machines from all over the world.

Update your firmware - even old devices can be updated, for the most part; turn off remote mgt (!), change the password to something that YOU set.

Make it challenging, at least.
4 hours ago
Really no different from the NSA and GCHQ..........

[Mar 27, 2018] Meet the Tiny Startup That Sells IPhone and Android Zero Days To Governments

Mar 27, 2018 | it.slashdot.org

(vice.com) The story of Azimuth Security, a tiny startup in Australia, provides a rare peek inside the secretive industry that helps government hackers get around encryption . Azimuth is part of an opaque, little known corner of the intelligence world made of hackers who develop and sell expensive exploits to break into popular technologies like iOS, Chrome, Android and Tor.

[Mar 27, 2018] Facebook Gave Data About 57 Billion Friendships To Academic

Mar 27, 2018 | tech.slashdot.org

(theguardian.com) an anonymised, aggregate dataset of 57bn Facebook friendships . From a report: Facebook provided the dataset of "every friendship formed in 2011 in every country in the world at the national aggregate level" to Kogan's University of Cambridge laboratory for a study on international friendships published in Personality and Individual Differences in 2015. Two Facebook employees were named as co-authors of the study, alongside researchers from Cambridge, Harvard and the University of California, Berkeley. Kogan was publishing under the name Aleksandr Spectre at the time. A University of Cambridge press release on the study's publication noted that the paper was "the first output of ongoing research collaborations between Spectre's lab in Cambridge and Facebook." Facebook did not respond to queries about whether any other collaborations occurred. "The sheer volume of the 57bn friend pairs implies a pre-existing relationship," said Jonathan Albright, research director at the Tow Center for Digital Journalism at Columbia University. "It's not common for Facebook to share that kind of data. It suggests a trusted partnership between Aleksandr Kogan/Spectre and Facebook."

[Mar 27, 2018] Hey Microsoft, Stop Installing Apps On My PC Without Asking

Mar 27, 2018 | tech.slashdot.org

(howtogeek.com) I'm getting sick of Windows 10's auto-installing apps. Apps like Facebook are now showing up out of nowhere, and even displaying notifications begging for me to use them. I didn't install the Facebook app, I didn't give it permission to show notifications, and I've never even used it. So why is it bugging me? Windows 10 has always been a little annoying about these apps, but it wasn't always this bad. Microsoft went from "we pinned a few tiles, but the apps aren't installed until you click them" to "the apps are now automatically installed on your PC" to " the automatically installed apps are now sending you notifications ." It's ridiculous.

[Mar 27, 2018] A Hacker Has Wiped a Spyware Company's Servers -- Again

Mar 27, 2018 | it.slashdot.org

(vice.com) spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again . Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.

[Mar 27, 2018] Salon Magazine Mines Monero On Your Computer If You Use an Ad Blocker

Mar 27, 2018 | hardware.slashdot.org

(bbc.com) BeauHD on Monday February 19, 2018 @06:00AM from the crypto-cash dept. dryriver shares a report from BBC: News organizations have tried many novel ways to make readers pay -- but this idea is possibly the most audacious yet. If a reader chooses to block its advertising, U.S. publication Salon will use that person's computer to mine for Monero , a cryptocurrency similar to Bitcoin. Creating new tokens of a cryptocurrency typically requires complex calculations that use up a lot of computing power. Salon told readers: "We intend to use a small percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation." The site is making use of CoinHive, a controversial mining tool that was recently used in an attack involving government websites in the UK, U.S. and elsewhere. However, unlike that incident, where hackers took control of visitors' computers to mine cryptocurrency, Salon notifies users and requires them to agree before the tool begins mining.

[Mar 27, 2018] Flight Sim Company Embeds Malware To Steal Pirates' Passwords

Mar 27, 2018 | yro.slashdot.org

(torrentfreak.com) Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure . Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.

[Mar 27, 2018] MoviePass CEO Proudly Says App Tracks Your Location Before, After Movies

Mar 27, 2018 | yro.slashdot.org

(techcrunch.com) BeauHD on Tuesday March 06, 2018 @03:00AM from the head-held-high dept. MoviePass CEO Mitch Lowe told an audience at a Hollywood event last Friday that the app tracks moviegoers' locations before and after each show they watch . "We get an enormous amount of information," Lowe said. "We watch how you drive from home to the movies. We watch where you go afterwards." His talk at the Entertainment Finance Forum was entitled "Data is the New Oil: How will MoviePass Monetize It?" TechCrunch reports: It's no secret that MoviePass is planning on making hay out of the data collected through its service. But what I imagined, and what I think most people imagined, was that it would be interesting next-generation data about ticket sales, movie browsing, A/B testing on promotions in the app and so on. I didn't imagine that the app would be tracking your location before you even left your home, and then follow you while you drive back or head out for a drink afterwards. Did you? It sure isn't in the company's privacy policy , which in relation to location tracking discloses only a "single request" when selecting a theater, which will "only be used as a means to develop, improve, and personalize the service." Which part of development requires them to track you before and after you see the movie? A MoviePass representative said in a statement to TechCrunch: "We are exploring utilizing location-based marketing as a way to help enhance the overall experience by creating more opportunities for our subscribers to enjoy all the various elements of a good movie night. We will not be selling the data that we gather. Rather, we will use it to better inform how to market potential customer benefits including discounts on transportation, coupons for nearby restaurants, and other similar opportunities."

[Mar 27, 2018] Half of Ransomware Victims Didn't Recover Their Data After Paying the Ransom

Mar 27, 2018 | it.slashdot.org

(bleepingcomputer.com) A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand. The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files . Timely backups are still the most efficient defense against possible ransomware infections, as it allows easy recovery. The survey reveals that 55% of all responders suffered a ransomware infection in 2017, compared to the previous year's study, when 61% experienced similar incidents. Of all the victims who suffered ransomware infections, CyberEdge discovered that 61.3% opted not to pay the ransom at all. Some lost files for good (8%), while the rest (53.3%) managed to recover files, either from backups or by using ransomware decrypter applications. Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors.

[Mar 27, 2018] My Cow Game Extracted Your Facebook Data

Mar 27, 2018 | tech.slashdot.org

(theatlantic.com) Already in 2010, it felt like a malicious attention market where people treated friends as latent resources to be optimized. Compulsion rather than choice devoured people's time. Apps like FarmVille sold relief for the artificial inconveniences they themselves had imposed. In response, I made a satirical social game called Cow Clicker. Players clicked a cute cow, which mooed and scored a "click." Six hours later, they could do so again. They could also invite friends' cows to their pasture, buy virtual cows with real money, compete for status, click to send a real cow to the developing world from Oxfam, outsource clicks to their toddlers with a mobile app, and much more. It became strangely popular, until eventually, I shut the whole thing down in a bovine rapture -- the "cowpocalypse." It's kind of a complicated story .

But one worth revisiting today, in the context of the scandal over Facebook's sanctioning of user-data exfiltration via its application platform. It's not just that abusing the Facebook platform for deliberately nefarious ends was easy to do (it was). But worse, in those days, it was hard to avoid extracting private data, for years even, without even trying. I did it with a silly cow game. Cow Clicker is not an impressive work of software. After all, it was a game whose sole activity was clicking on cows. I wrote the principal code in three days, much of it hunched on a friend's couch in Greenpoint, Brooklyn. I had no idea anyone would play it, although over 180,000 people did, eventually. And yet, if you played Cow Clicker, even just once, I got enough of your personal data that, for years, I could have assembled a reasonably sophisticated profile of your interests and behavior. I might still be able to; all the data is still there, stored on my private server, where Cow Clicker is still running, allowing players to keep clicking where a cow once stood, before my caprice raptured them into the digital void.

[Mar 27, 2018] 'Slingshot' Malware That Hid For Six Years Spread Through Routers

Mar 27, 2018 | it.slashdot.org

BeauHD on Monday March 12, 2018 @08:10PM from the under-the-radar dept. An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers . It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

[Mar 25, 2018] Surveillance is the DNA of the Platform Economy

Creating a malware application which masks itself as some kind of pseudo scientific test and serves as the backdoor to your personal data is a very dirty trick...
Especially dirty it it used by academic researchers, who in reality are academic scum... An additional type of academic gangsters, in addition to Harvard Mafia
Notable quotes:
"... By Ivan Manokha, a departmental lecturer in the Oxford Department of International Development. He is currently working on power and obedience in the late-modern political economy, particularly in the context of the development of new technologies of surveillance. Originally published at openDemocracy ..."
"... The current social mobilization against Facebook resembles the actions of activists who, in opposition to neoliberal globalization, smash a McDonald's window during a demonstration. ..."
"... But as Christopher Wylie, a twenty-eight-year-old Canadian coder and data scientist and a former employee of Cambridge Analytica, stated in a video interview , the app could also collect all kinds of personal data from users, such as the content that they consulted, the information that they liked, and even the messages that they posted. ..."
"... All this is done in order to use data to create value in some way another (to monetize it by selling to advertisers or other firms, to increase sales, or to increase productivity). Data has become 'the new oil' of global economy, a new commodity to be bought and sold at a massive scale, and with this development, as a former Harvard Business School professor Shoshana Zuboff has argued , global capitalism has become 'surveillance capitalism'. ..."
"... What this means is that platform economy is a model of value creation which is completely dependant on continuous privacy invasions and, what is alarming is that we are gradually becoming used to this. ..."
"... In other instances, as in the case of Kogan's app, the extent of the data collected exceeds what was stated in the agreement. ..."
"... What we need is a total redefinition of the right to privacy (which was codified as a universal human right in 1948, long before the Internet), to guarantee its respect, both offline and online. ..."
"... I saw this video back in 2007. It was originally put together by a Sarah Lawrence student who was working on her paper on social media. The ties of all the original investors to IN-Q-Tel scared me off and I decided to stay away from Facebook. ..."
"... But it isn't just FB. Amazon, Twitter, Google, LinkedIn, Apple, Microsoft and many others do the same, and we are all caught up in it whether we agree to participate or not. ..."
"... Platform Capitalism is a mild description, it is manipulation based on Surveillance Capitalism, pure and simple. The Macro pattern of Corporate Power subsuming the State across every area is fascinating to watch, but a little scary. ..."
"... For his part, Aleksandr Kogan established a company, Global Science Research, that contracted with SCL, using Facebook data to map personality traits for its work in elections (Kosinski claims that Kogan essentially reverse-engineered the app that he and Stillwell had developed). Kogan's app harvested data on Facebook users who agreed to take a personality test for the purposes of academic research (though it was, in fact, to be used by SCL for non-academic ends). But according to Wylie, the app also collected data on their entire -- and nonconsenting -- network of friends. Once Cambridge Analytica and SCL had won contracts with the State Department and were pitching to the Pentagon, Wylie became alarmed that this illegally-obtained data had ended up at the heart of government, along with the contractors who might abuse it. ..."
"... This apparently bizarre intersection of research on topics like love and kindness with defense and intelligence interests is not, in fact, particularly unusual. It is typical of the kind of dual-use research that has shaped the field of social psychology in the US since World War II. ..."
"... Much of the classic, foundational research on personality, conformity, obedience, group polarization, and other such determinants of social dynamics -- while ostensibly civilian -- was funded during the cold war by the military and the CIA. ..."
"... The pioneering figures from this era -- for example, Gordon Allport on personality and Solomon Asch on belief conformity -- are still cited in NATO psy-ops literature to this day ..."
"... This is an issue which has frustrated me greatly. In spite of the fact that the country's leading psychologist (at the very least one of them -- ex-APA president Seligman) has been documented taking consulting fees from Guantanamo and Black Sites goon squads, my social science pals refuse to recognize any corruption at the core of their so-called replicated quantitative research. ..."
Mar 24, 2018 | www.nakedcapitalism.com
Yves here. Not new to anyone who has been paying attention, but a useful recap with some good observations at the end, despite deploying the cringe-making trope of businesses having DNA. That legitimates the notion that corporations are people.

By Ivan Manokha, a departmental lecturer in the Oxford Department of International Development. He is currently working on power and obedience in the late-modern political economy, particularly in the context of the development of new technologies of surveillance. Originally published at openDemocracy

The current social mobilization against Facebook resembles the actions of activists who, in opposition to neoliberal globalization, smash a McDonald's window during a demonstration.

On March 17, The Observer of London and The New York Times announced that Cambridge Analytica, the London-based political and corporate consulting group, had harvested private data from the Facebook profiles of more than 50 million users without their consent. The data was collected through a Facebook-based quiz app called thisisyourdigitallife, created by Aleksandr Kogan, a University of Cambridge psychologist who had requested and gained access to information from 270,000 Facebook members after they had agreed to use the app to undergo a personality test, for which they were paid through Kogan's company, Global Science Research.

But as Christopher Wylie, a twenty-eight-year-old Canadian coder and data scientist and a former employee of Cambridge Analytica, stated in a video interview , the app could also collect all kinds of personal data from users, such as the content that they consulted, the information that they liked, and even the messages that they posted.

In addition, the app provided access to information on the profiles of the friends of each of those users who agreed to take the test, which enabled the collection of data from more than 50 million.

All this data was then shared by Kogan with Cambridge Analytica, which was working with Donald Trump's election team and which allegedly used this data to target US voters with personalised political messages during the presidential campaign. As Wylie, told The Observer, "we built models to exploit what we knew about them and target their inner demons."

'Unacceptable Violation'

Following these revelations the Internet has been engulfed in outrage and government officials have been quick to react. On March 19, Antonio Tajani President of the European Parliament Antonio Tajani, stated in a twitter message that misuse of Facebook user data "is an unacceptable violation of our citizens' privacy rights" and promised an EU investigation. On March 22, Wylie communicated in a tweet that he accepted an invitation to testify before the US House Intelligence Committee, the US House Judiciary Committee and UK Parliament Digital Committee. On the same day Israel's Justice Ministry informed Facebook that it was opening an investigation into possible violations of Israelis' personal information by Facebook.

While such widespread condemnation of Facebook and Cambridge Analytica is totally justified, what remains largely absent from the discussion are broader questions about the role of data collection, processing and monetization that have become central in the current phase of capitalism, which may be described as 'platform capitalism', as suggested by the Canadian writer and academic Nick Srnicek in his recent book .

Over the last decade the growth of platforms has been spectacular: today, the top 4 enterprises in Forbes's list of most valuable brands are platforms, as are eleven of the top twenty. Most recent IPOs and acquisitions have involved platforms, as have most of the major successful startups. The list includes Apple, Google, Microsoft, Facebook, Twitter, Amazon, eBay, Instagram, YouTube, Twitch, Snapchat, WhatsApp, Waze, Uber, Lyft, Handy, Airbnb, Pinterest, Square, Social Finance, Kickstarter, etc. Although most platforms are US-based, they are a really global phenomenon and in fact are now playing an even more important role in developing countries which did not have developed commercial infrastructures at the time of the rise of the Internet and seized the opportunity that it presented to structure their industries around it. Thus, in China, for example, many of the most valuable enterprises are platforms such as Tencent (owner of the WeChat and QQ messaging platforms) and Baidu (China's search engine); Alibaba controls 80 percent of China's e-commerce market through its Taobao and Tmall platforms, with its Alipay platform being the largest payments platform in China.

The importance of platforms is also attested by the range of sectors in which they are now dominant and the number of users (often numbered in millions and, in some cases, even billions) regularly connecting to their various cloud-based services. Thus, to name the key industries, platforms are now central in Internet search (Google, Yahoo, Bing); social networking (Facebook, LinkedIn, Instagram, Snapchat); Internet auctions and retail (eBay, Taobao, Amazon, Alibaba); on-line financial and human resource functions (Workday, Upwork, Elance, TaskRabbit), urban transportation (Uber, Lyft, Zipcar, BlaBlaCar), tourism (Kayak, Trivago, Airbnb), mobile payment (Square Order, PayPal, Apple Pay, Google Wallet); and software development (Apple's App Store, Google Play Store, Windows App store). Platform-based solutions are also currently being adopted in more traditional sectors, such as industrial production (GE, Siemens), agriculture (John Deere, Monsanto) and even clean energy (Sungevity, SolarCity, EnerNOC).

User Profiling -- Good-Bye to Privacy

These platforms differ significantly in terms of the services that they offer: some, like eBay or Taobao simply allow exchange of products between buyers and sellers; others, like Uber or TaskRabbit, allow independent service providers to find customers; yet others, like Apple or Google allow developers to create and market apps.

However, what is common to all these platforms is the central role played by data, and not just continuous data collection, but its ever more refined analysis in order to create detailed user profiles and rankings in order to better match customers and suppliers or increase efficiency.

All this is done in order to use data to create value in some way another (to monetize it by selling to advertisers or other firms, to increase sales, or to increase productivity). Data has become 'the new oil' of global economy, a new commodity to be bought and sold at a massive scale, and with this development, as a former Harvard Business School professor Shoshana Zuboff has argued , global capitalism has become 'surveillance capitalism'.

What this means is that platform economy is a model of value creation which is completely dependant on continuous privacy invasions and, what is alarming is that we are gradually becoming used to this.

Most of the time platform providers keep track of our purchases, travels, interest, likes, etc. and use this data for targeted advertising to which we have become accustomed. We are equally not that surprised when we find out that, for example, robotic vacuum cleaners collect data about types of furniture that we have and share it with the likes of Amazon so that they can send us advertisements for pieces of furniture that we do not yet possess.

There is little public outcry when we discover that Google's ads are racially biased as, for instance, a Harvard professor Latanya Sweeney found by accident performing a search. We are equally hardly astonished that companies such as Lenddo buy access to people's social media and browsing history in exchange for a credit score. And, at least in the US, people are becoming accustomed to the use of algorithms, developed by private contractors, by the justice system to take decisions on sentencing, which often result in equally unfair and racially biased decisions .

The outrage provoked by the Cambridge Analytica is targeting only the tip of the iceberg. The problem is infinitely larger as there are countless equally significant instances of privacy invasions and data collection performed by corporations, but they have become normalized and do not lead to much public outcry.

DNA

Today surveillance is the DNA of the platform economy; its model is simply based on the possibility of continuous privacy invasions using whatever means possible. In most cases users agree, by signing the terms and conditions of service providers, so that their data may be collected, analyzed and even shared with third parties (although it is hardly possible to see this as express consent given the size and complexity of these agreements -- for instance, it took 8 hours and 59 minutes for an actor hired by the consumer group Choice to read Amazon Kindle's terms and conditions). In other instances, as in the case of Kogan's app, the extent of the data collected exceeds what was stated in the agreement.

But what is important is to understand that to prevent such scandals in the future it is not enough to force Facebook to better monitor the use of users' data in order to prevent such leaks as in the case of Cambridge Analytica. The current social mobilization against Facebook resembles the actions of activists who, in opposition to neoliberal globalization, smash a McDonald's window during a demonstration.

What we need is a total redefinition of the right to privacy (which was codified as a universal human right in 1948, long before the Internet), to guarantee its respect, both offline and online.

What we need is a body of international law that will provide regulations and oversight for the collection and use of data.

What is required is an explicit and concise formulation of terms and conditions which, in a few sentences, will specify how users' data will be used.

It is important to seize the opportunity presented by the Cambridge Analytica scandal to push for these more fundamental changes.



Arizona Slim , , March 24, 2018 at 7:38 am

I am grateful for my spidey sense. Thanks, spidey sense, for ringing the alarm bells whenever I saw one of those personality tests on Facebook. I never took one.

Steve H. , , March 24, 2018 at 8:05 am

First they came for

The most efficient strategy is to be non-viable . They may come for you eventually, but someone else gets to be the canary, and you haven't wasted energy in the meantime. TOR users didn't get that figured out.

Annieb , , March 24, 2018 at 2:02 pm

Never took the personality test either, but now I now that all of my friends who did unknowingly gave up my personal information too. I read an article somewhere about this over a year ago so it's really old news. Sent the link to a few people who didn't care. But now that they all know that Cambridge Analytical used FB data in support of the Trump campaign it's all over the mainstream and people are upset.

ChrisPacific , , March 25, 2018 at 4:07 pm

You can disable that (i.e., prevent friends from sharing your info with third parties) in the privacy options. But the controls are not easy to find and everything is enabled by default.

HotFlash , , March 24, 2018 at 3:13 pm

I haven't FB'd in years and certainly never took any such test, but if any of my friends, real or FB, did, and my info was shared, can I sue? If not, why not?

Octopii , , March 24, 2018 at 8:06 am

Everyone thought I was paranoid as I discouraged them from moving backups to the cloud, using trackers, signing up for grocery store clubs, using real names and addresses for online anything, etc. They thought I was overreacting when I said we need European-style privacy laws in this country. People at work thought my questions about privacy for our new location-based IoT plans were not team-based thinking.

And it turns out after all this that they still think I'm extreme. I guess it will have to get worse.

Samuel Conner , , March 24, 2018 at 8:16 am

In a first for me, there are surface-mount resistors in the advert at the top of today's NC links page. That is way out of the ordinary; what I usually see are books or bicycle parts; things I have recently purchased or searched.

But a couple of days ago I had a SKYPE conversation with a sibling about a PC I was scavenging for parts, and surface mount resistors (unscavengable) came up. I suspect I have been observed without my consent and am not too happy about it. As marketing, it's a bust; in the conversation I explicitly expressed no interest in such components as I can't install them. I suppose I should be glad for this indication of something I wasn't aware was happening.

Collins , , March 24, 2018 at 9:14 am

Had you used your computer keyboard previously to search for 'surface mount resistors', or was the trail linking you & resistors entirely verbal?

Samuel Conner , , March 24, 2018 at 10:15 am

No keyboard search. I never so much as think about surface mount components; the inquiry was raised by my sibling and I responded. Maybe its coincidental, but it seems quite odd.

I decided to click through to the site to generate a few pennies for NC and at least feel like I was punishing someone for snooping on me.

Abi , , March 25, 2018 at 3:24 pm

Its been happening to me a lot recently on my Instagram, I don't like pictures or anything, but whenever I have a conversation with someone on my phone, I start seeing ads of what I spoke about

ChiGal in Carolina , , March 25, 2018 at 10:12 am

I thought it came out a while ago that Skype captures and retains all the dialogue and video of convos using it.

Eureka Springs , , March 24, 2018 at 8:44 am

What we need is a total redefinition of the right to privacy (which was codified as a universal human right in 1948, long before the Internet), to guarantee its respect, both offline and online.

Are we, readers of this post, or citizens of the USA supposed to think there is anything binding in declarations? Or anything from the UN if at all inconvenient for that matter?

https://www.un.org/en/universal-declaration-human-rights/
Article 12.

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Platforms like facebook allow individuals to 'spy' on each other and people love it. When I was a kid i always marveled at how some households would leave a police scanner on 24/7. With the net we have this writ large with baby, puppy and tv dinner photos. Not to forget it's a narcissist paradise. I have friends who I've tried to gently over time inject tidbits of info like this article provides for many years and they still just refuse to try and get it. If they looked over their shoulder and saw how many people/entities are literally following them everywhere they go, they would become rabid gun owners (don't tread on me!) overnight, but the invisible hand/eye registers not at all.

Pelham , , March 24, 2018 at 9:13 am

A side note: If Facebook and other social media were to assume ANY degree of responsibility for content appearing on their platforms, they would be acknowledging their legal liability for ALL content.

Hence they would be legally responsible just as newspapers are. And major newspapers have on-staff lawyers and editors exquisitely attuned to the possibility of libelous content so they can avoid ruinous lawsuits.

If the law were applied as it should be, Facebook and its brethren wouldn't last five minutes before being sued into oblivion.

albert , , March 24, 2018 at 6:27 pm

" being sued into oblivion ." If only.

Non-liability is a product of the computer age. I remember having to agree with Microsofts policy to absolve them of -any- liability when using their software. If they had their druthers, -no- company would be liable for -anything-. It's called a 'perfect world'.

Companies that host 'social media' should not have to bear any responsibility for their users content. Newspapers employ writers and fact checkers. They are set up to monitor their staff for accuracy (Okay, in theory). So you can sue them and even their journalist employees. Being liable (and not sued) allows them to brag about how truthful they are. Reputations are a valuable commodity these days.

In the case of 'social media' providers, liability falls on the authors of their own comments, which is only fair, in my view. However, I would argue that those 'providers' should -not- be considered 'media' like newspapers, and their members should not be considered 'journalists'.

Also, those providers are private companies, and are free to edit, censor, or delete anything on their site. And of course it's automated. Some conservative Facebook members were complaining about being banned. Apparently, there a certain things you can't say on Facebook.

AFAIC, the bottom line is this: Many folks tend to believe everything they read online. They need to learn the skill of critical thinking. And realize that the Internet can be a vast wasteland; a digital garbage dump.

Why are our leaders so concerned with election meddling? Isn't our propaganda better than the Russians? We certainly pay a lot for it.
. .. . .. -- .

PlutoniumKun , , March 24, 2018 at 9:52 am

It seems even Elon Musk is now rebelling against Facebook.

Musk Takes Down the Tesla and SpaceX Facebook Pages.

Today, Musk also made fun of Sonos for not being as committed as he was to the anti-Facebook cause after the connected-speaker maker said it would pull ads from the platform -- but only for a week.

"Wow, a whole week. Risky " Musk tweeted.

saurabh , , March 24, 2018 at 11:43 am

Musk, like Trump, knows he does not need to advertise because a fawning press will dutifully report on everything he does and says, no matter how dumb.

Jim Thomson , , March 25, 2018 at 9:39 am

This is rich.

I can't resist: It takes a con to know a con.
(not the most insightful comment)

Daniel Mongan , , March 24, 2018 at 10:14 am

A thoughtful post, thanks for that. May I recommend you take a look at "All You Can Pay" (NationBooks 2015) for a more thorough treatment of the subject, together with a proposal on how to re-balance the equation. Full disclosure, I am a co-author.

JimTan , , March 24, 2018 at 11:12 am

People are starting to download copies of their Facebook data to get an understanding of how much information is being collected from them.

JCC , , March 24, 2018 at 11:29 am

A reminder: https://www.youtube.com/watch?v=iRT9On7qie8

I saw this video back in 2007. It was originally put together by a Sarah Lawrence student who was working on her paper on social media. The ties of all the original investors to IN-Q-Tel scared me off and I decided to stay away from Facebook.

But it isn't just FB. Amazon, Twitter, Google, LinkedIn, Apple, Microsoft and many others do the same, and we are all caught up in it whether we agree to participate or not.

Anyone watch the NCAA Finals and see all the ads from Google about being "The Official Cloud of the NCAA"? They were flat out bragging, more or less, about surveillance of players. for the NCAA.

Platform Capitalism is a mild description, it is manipulation based on Surveillance Capitalism, pure and simple. The Macro pattern of Corporate Power subsuming the State across every area is fascinating to watch, but a little scary.

oh , , March 24, 2018 at 1:44 pm

Caveat Emptor: If you watch YouTube, they'll only add to the information that they already have on you!

HotFlash , , March 24, 2018 at 3:27 pm

Just substitute "hook" for 'you" in the URL, you get the same video, no ads, and they claim not to track you. YMMV

Craig H. , , March 24, 2018 at 12:21 pm

Privacy no longer a social norm, says Facebook founder; Guardian; 10 January 2010

The Right to Privacy; Warren & Brandeis; Harvard Law Review; 15 December 1890

It was amusing that the top Google hit for the Brandeis article was JSTOR which requires us to surrender personal detail to access their site. To hell with that.

The part I like about the Brandeis privacy story is the motivation was some Manhattan rich dicks thought the gossip writers snooping around their wedding party should mind their own business. (Apparently whether this is actually true or just some story made up by somebody being catty at Brandeis has been the topic of gigabytes of internet flame wars but I can't ever recall seeing any of those.)

Ed , , March 24, 2018 at 2:50 pm

https://www.zerohedge.com/news/2018-03-23/digital-military-industrial-complex-exposed

" Two young psychologists are central to the Cambridge Analytica story. One is Michal Kosinski, who devised an app with a Cambridge University colleague, David Stillwell, that measures personality traits by analyzing Facebook "likes." It was then used in collaboration with the World Well-Being Project, a group at the University of Pennsylvania's Positive Psychology Center that specializes in the use of big data to measure health and happiness in order to improve well-being. The other is Aleksandr Kogan, who also works in the field of positive psychology and has written papers on happiness, kindness, and love (according to his résumé, an early paper was called "Down the Rabbit Hole: A Unified Theory of Love"). He ran the Prosociality and Well-being Laboratory, under the auspices of Cambridge University's Well-Being Institute.

Despite its prominence in research on well-being, Kosinski's work, Cadwalladr points out, drew a great deal of interest from British and American intelligence agencies and defense contractors, including overtures from the private company running an intelligence project nicknamed "Operation KitKat" because a correlation had been found between anti-Israeli sentiments and liking Nikes and KitKats. Several of Kosinski's co-authored papers list the US government's Defense Advanced Research Projects Agency, or DARPA, as a funding source. His résumé boasts of meetings with senior figures at two of the world's largest defense contractors, Boeing and Microsoft, both companies that have sponsored his research. He ran a workshop on digital footprints and psychological assessment for the Singaporean Ministry of Defense.

For his part, Aleksandr Kogan established a company, Global Science Research, that contracted with SCL, using Facebook data to map personality traits for its work in elections (Kosinski claims that Kogan essentially reverse-engineered the app that he and Stillwell had developed). Kogan's app harvested data on Facebook users who agreed to take a personality test for the purposes of academic research (though it was, in fact, to be used by SCL for non-academic ends). But according to Wylie, the app also collected data on their entire -- and nonconsenting -- network of friends. Once Cambridge Analytica and SCL had won contracts with the State Department and were pitching to the Pentagon, Wylie became alarmed that this illegally-obtained data had ended up at the heart of government, along with the contractors who might abuse it.

This apparently bizarre intersection of research on topics like love and kindness with defense and intelligence interests is not, in fact, particularly unusual. It is typical of the kind of dual-use research that has shaped the field of social psychology in the US since World War II.

Much of the classic, foundational research on personality, conformity, obedience, group polarization, and other such determinants of social dynamics -- while ostensibly civilian -- was funded during the cold war by the military and the CIA. The cold war was an ideological battle, so, naturally, research on techniques for controlling belief was considered a national security priority. This psychological research laid the groundwork for propaganda wars and for experiments in individual "mind control."

The pioneering figures from this era -- for example, Gordon Allport on personality and Solomon Asch on belief conformity -- are still cited in NATO psy-ops literature to this day .."

Craig H. , , March 24, 2018 at 3:42 pm

This is an issue which has frustrated me greatly. In spite of the fact that the country's leading psychologist (at the very least one of them -- ex-APA president Seligman) has been documented taking consulting fees from Guantanamo and Black Sites goon squads, my social science pals refuse to recognize any corruption at the core of their so-called replicated quantitative research.

I have asked more than five people to point at the best critical work on the Big 5 Personality theory and they all have told me some variant of "it is the only way to get consistent numbers". Not one has ever retreated one step or been receptive to the suggestion that this might indicate some fallacy in trying to assign numbers to these properties.

They eat their own dog food all the way and they seem to be suffering from a terrible malnutrition. At least the anthropologists have Price . (Most of that book can be read for free in installments at Counterpunch.)

[Mar 23, 2018] Was Destructive 'Slingshot' Malware Deployed by the Pentagon

The rule No.1: do not buy cheap routers. Do not use routers which are supplied for free by your ISP. Buy only from proven companies with good security record. To use your own firewall (a small linux server is OK) is a must in the current circumstances
There is no special value in Kaspersky anti-virus software. all such products can be used as a backdoor in your computer (for example via update mechanism). Using complex and opaque software actually makes Windows less secure not more secure. Periodic (say, daily) reinstallation from trusted image is probably a better way, especially if Windows is really minimized and does not contain third party software that has it's own update mechanisms or such mechanism are blocked.
But attacks on routers is a new fashion and should be taken very seriously as most people pay no attention to this crucial part of their business or home network. In any case a separate firmware is needed after Internet router which now is not that expensive (a decent box can be bought for around $300. For those who know Unix/Linux see for example Firewall Micro Appliance or QOTOM (both can be used of pfSense or your custom Linux solution) For those who don't see, for example, Zyxel [USG40] ZyWALL (USG) UTM Firewall
Notable quotes:
"... Further findings suggest that Slingshot had common code with only two other known pieces of software, both malwares, which were attributed to the NSA and CIA, respectively, by analysts. Though various U.S. agencies are all denying comment, things are clearly pointing uncomfortably in their direction. ..."
"... Malware is not a precision munition, it hits wide targets and spreads out to bystanders. This is particularly disturbing to note if, as some reports are indicating, this malware was Pentagon in origin. ..."
Mar 23, 2018 | www.theamericanconservative.com
Slingshot . The malware targeted Latvian-made Internet routers popular in the Middle East, Africa, and Southeast Asia.

Kaspersky's reports reveal that the malware had been active since at least 2012, and speculates that it was government-made, owing to its sophistication and its use of novel techniques rarely seen elsewhere.

Those investigating the matter further have drawn the conclusion that Slingshot was developed by the U.S. government, with some reports quoting former officials as connecting it to the Pentagon's JSOC special forces. For those following the cyber security and malware sphere, this is a huge revelation, putting the U.S. government in the hot seat for deploying cyber attacks that harm a much greater range of innocent users beyond their intended targets.

Kaspersky's own findings note that the code was written in English, using a driver flaw to allow the implanting of various types of spyware. Among those mentioned by Moscow-based Kaspersky was an implant named "GOLLUM," which notably was mentioned in one of the leaked Edward Snowden documents .

Further findings suggest that Slingshot had common code with only two other known pieces of software, both malwares, which were attributed to the NSA and CIA, respectively, by analysts. Though various U.S. agencies are all denying comment, things are clearly pointing uncomfortably in their direction.

Cyberscoop , one of the first news outlets to break the story, reported a mixed reaction among officials. Some noted that Kaspersky Labs was simply doing what a security company is supposed to do. Others, however, were less agreeable, suggesting it was an intentional attempt by Kaspersky to undermine U.S. security.

The argument, as far as it goes, is that given the ostensible target areas -- the Middle East, North Africa, Afghanistan -- Kaspersky should have concluded it was related to the War on Terror and sat on their findings. The Trump administration already views Kaspersky as a sort of hostile actor -- banning the use of Kaspersky products by any government or civilian federal contractor in December, citing Kremlin influence (a charge that has been vehemently denied by the company). This just gives them more justification for seeing Kaspersky as an adversary in the space.

Unfortunately for the Russian company, some American retailers have even followed suit, pulling the software from the shelves on the grounds that it's Russian, and that therefore suspect.

There has been no clear evidence that Kaspersky's software was serving as a backdoor for Russian intelligence, though it was reported last fall that sensitive documents were stolen from a National Security Agency (NSA) contractor's laptop via its Kaspersky-made antivirus software . In a statement at the time, the company said, "Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts." Turns out that Israeli spies, spying on the Russian spies, disclosed the intrusion to U.S. officials.

Kaspersky has consistently ranked near the top of antivirus ratings from virtually all third-party reviewers. The company has sold its products to nearly 400 million users worldwide, with 60 percent in the U.S. and Western Europe. Until now, Kaspersky was being used by several major agencies in the federal government, including the State Department and Department of Defense.

Ironically, this new Slingshot issue itself appears just to be a testament to how well the company's security works at digging up extremely dangerous malware. It also underscores the uneasy reality that the U.S. has been engaging in its own brand of cyber warfare all along.

Any claims that a specific piece of U.S. malware -- in this case, Slingshot -- was targeting only al-Qaeda or ISIS bad guys is disingenuous as well. The exploit on routers is hitting an entire region, infecting an untold number of innocent people . Internet cafés are said to have been hit in this, meaning everyone going into the cafes is at risk.

Malware is not a precision munition, it hits wide targets and spreads out to bystanders. This is particularly disturbing to note if, as some reports are indicating, this malware was Pentagon in origin.

U.S. civilian government surveillance is already doing great harm to general Internet security, and does so by remaining in denial about the balance of good to harm that is being done. The U.S. military, by contrast, has shown its willingness to inflict major harm on innocents in pursuit of any war goal. As they start hitting regions with malware, all bets are off on how far it will spread.

Security companies like Kaspersky Labs only afford the private user limited protection from all of this malware, because they're constantly playing catch-up, finding new variants and new exploits that the various pieces of software are using. Slingshot, for instance, went undetected for six solid years .

The discovery means fixes can finally be implemented for the routers and the computers. Novel exploits like this are rarely a one-time fix, however, as a slew of similar exploits from other sources tend to crop up after one gets taken out. It's a never-ending battle.

In August, President Trump made U.S. Cyber Command a formal military command , reflecting the growing view of the Internet as a military objective. Much as America's other battlefields result in collateral damage on the ground, the cyberwar is going to have a deleterious impact on day-to-day life in cyberspace. The big questions are how bad things will get, and how quickly.

Jason Ditz is news editor at Antiwar.com , a nonprofit organization dedicated to the cause of non-interventionism. In addition to TAC, his work has appeared in Forbes, Toronto Star, Minneapolis Star-Tribune, Providence Journal, Daily Caller, Washington Times and Detroit Free Press.

[Mar 21, 2018] Never attribute to malice that which can be attributed to a bug in the software

Mar 21, 2018 | consortiumnews.com

JWalters , March 19, 2018 at 10:46 pm

In a casual conversation at a party a computer science researcher from a leading university commented that the vast majority of "denial of service" attacks in this country are done by the federal government. That would probably be the CIA covert ops in service to the bankster oligarchy. The Israelis are also known to have cyber warfare capabilities, and are a central part of the oligarchy, judging by their clear control of the MSM.

It makes complete sense that the oligarchy would do everything it could to harass and slow down the opposition, even if just to frustrate them to the point of giving up. I'm glad you are reporting your experiences here; it will help the site administrators deal with the problem.

A few years ago there was a Zionist mole(s) at Disqus who deleted posts that were too informative about Israel, especially those with links to highly informative articles. After an open discussion of the problem it eventually disappeared.

backwardsevolution , March 19, 2018 at 4:29 pm

Realist -- occasionally this happens to me and, yes, it is most frustrating. What I am doing more often now (but sometimes I still forget) is copying my text before hitting "Post Comment". If it disappears, at least you still have it and can try again. If this occurs, I go completely off the site, and then come back on and post again. Does this just happen on posts that took you a long time to get finished? I ask this because I've found that if I type some words, go away and start making dinner (or whatever), and my comment is not posted for several hours, then sometimes it does this.

I sure hope you get it figured out because your posts are always wonderful to read.

Realist , March 19, 2018 at 4:47 pm

This has been happening systematically to anything I post today. Both long and short entries. I copy the text, then post it. When I see it appear or even see it under moderation, I have assumed it would stand and so delete the copy rather than save it -- that space goes to the next composition. So, everything "disappeared" today is gone. Most of the stuff disappeared has to do with our supposed rights of free speech and the intrusion of the intelligence agencies into our lives and our liberties. Guess who I suspect of sabotaging these calls to be vigilant against attacks on our freedoms? Good gravy, they are becoming relentless in trying to control every jot and tittle of the narrative. The entire MSM is not enough for them, even web sites with a microscopic audience are now in their sights. I don't know what else to make of a problem that has become routine, not just sporadic.

backwardsevolution , March 19, 2018 at 6:18 pm

You're just too good, Realist! You make too much sense! If there is a "they" out there who are censoring, of course they'd go after someone like you. Take a break, kick back, then see what happens tomorrow. If it continues, then maybe you could make a few calls.

Skip Scott , March 19, 2018 at 7:29 pm

Sorry to hear of your difficulties, Realist. Don't give up yet. Your posts are a very valuable part of this website. I do suspect outside interference. This site and ICH are both under attack, and probably others as well. I hope Nat and Tom Feeley can afford some good techies to mount a good defense.

robjira , March 19, 2018 at 9:58 pm

I agree with be and Skip, Realist. The same thing happened to me (and I'm not even a frequent commentator here); sometimes it takes days for a post(s) to appear. This sometime can be triggered by multiple links, extensive text formatting, etc. (you probably already know all this).

Anyway, be has it right; take a breather for a while. If something more nefarious is really happening, wear it like a medal; if your comments are disappeared, that as good as confirms you're on target. Your commentary is really insightful, and nothing freaks them out more than an informed opinion.
Peace.

Paul E. Merrell, J.D. , March 19, 2018 at 9:59 pm

To paraphrase someone: "Never attribute to malice that which can be attributed to a bug in the software."

backwardsevolution , March 19, 2018 at 10:15 pm

Paul E. Merrell -- "Never attribute to malice that which can be attributed to a bug in the software."

Quite true. I was having trouble going on Paul Craig Roberts' site for about a month (and another site, but I can't remember which one). I said to my son, "What the heck? Are they shutting down access to this site?" My son came onto my computer and within about two minutes he had me set right again. He said it had to do with my Internet security company. Who knew? Certainly not me! Thank goodness for tech-literate children.

Litchfield , March 20, 2018 at 9:09 am

" even web sites with a microscopic audience are now in their sights."

Maybe "microscopic," but with the potential to be magnified and multiplied. I have been puzzled as to why some posts have shown up as being in moderation and others not. But have not systematically followed up to see what happened. I assume comments at this site are moderated in some way, but why would that result in the patchy appearance of an actual "under moderation" signal?

freedom lover , March 20, 2018 at 3:39 pm

Not just this website but very common if you try to post anything on RT.

Sam F , March 19, 2018 at 8:47 pm

I also noticed several comments here that had been deleted after I refreshed the screen. They appeared to have attracted the "anti-semitism" accusation, so perhaps other hackers are involved.

Sam F , March 19, 2018 at 8:40 pm

While at first skeptical of the hacking hypothesis, I realized its similarity to what I have seen for two months on RT.

RT is apparently being copied to "mirror sites" likely controlled by US agencies, so that they can run spy scripts when the stories are viewed. My PC runs far slower after checking any story on RT, and the browser must be restarted to regain normal speed. No other website has this problem, and certainly RT would not want to annoy their viewers by doing that themselves.

Most likely the secret agency scripts are sending files and browsing information to government spies.

It may be that CN is now being copied into hacked "mirror sites" by those who control the web DNS service that identifies the web server address for named websites. That would be a US secret agency. I have wondered whether such agencies are responsible for the trolls who have annoyed commenters here for several months. It may be that they are controlling the commentary now as well, to make political dossiers.

Litchfield , March 20, 2018 at 9:12 am

"My PC runs far slower after checking any story on RT, and the browser must be restarted to regain normal speed. "

I have noticed this as well. I don't check RT all that often, but one time I wanted to see what Peter Lavelle had been up to lately with CrossTalk, so went to RT. This was awhile ago so I can't recall the exact details, but I think my browser generally froze up and I had to reboot my laptop. Of course it made me a bit paranoid and I wondered what was going on at RT.

Realist , March 20, 2018 at 5:01 pm

I've often noticed a great delay in RT loading. I'll have to focus on the effect you described. Sometimes I get a "service not available" notice for CN which usually resolves within no more than a half hour.

Inthebyte , March 20, 2018 at 11:27 am

I agree about RT. When I log on there everything slows to a crawl, or flat doesn't navigate. Thanks for the comment. Now I know I'm being gas lighted. Another site with all of these problems is Information Clearing House who are hacked repeatedly.

Zachary Smith , March 20, 2018 at 12:51 pm

My PC runs far slower after checking any story on RT, and the browser must be restarted to regain normal speed. No other website has this problem, and certainly RT would not want to annoy their viewers by doing that themselves.

I'm running three script-blocker addons as I type this, and a fourth will be enabled again after making this post. The latter one does something to the CN site, and unless disabled any comment goes to the bottom of the page. My Firefox browser (which I'm using now) has the cache set to "0", and also to "never remember history". This slows it somewhat, but I figure the trade-off is worthwhile.

I review four "Russian" sites and have noticed they're chock-full of annoying ads and scripts. One of them I suspect is being run for income, for there is no coherent "message" along with most of the headlines being clickbait material. But I return there because sometimes they have a story worth more investigation.

Sam F , March 19, 2018 at 8:42 pm

While at first skeptical of the hacking hypothesis, I should note what I have seen for two months on RT.

RT is apparently being copied to "mirror sites" likely controlled by US agencies, so that they can run spy scripts when the stories are viewed. My PC runs far slower after checking any story on RT, and the browser must be restarted to regain normal speed. No other website has this problem, and certainly RT would not want to annoy their viewers by doing that themselves.

Most likely the secret agency scripts are sending files and browsing information to government spies.

It may be that CN is now being copied into hacked "mirror sites" by those who control the web DNS service that identifies the web server address for named websites. That would be a US secret agency. I have wondered whether such agencies are responsible for the trolls who have annoyed commenters here for several months. It may be that they are controlling the commentary now as well, to make political dossiers.

geeyp , March 20, 2018 at 12:28 am

Nothing much secret regarding the secret agencies. Didn't I read that Google and Face. (same company with Y.T.) have fairly recently hired 10,000 new employees for just this purpose? I ,too, have had plenty of issues with the RT.com site. It is not RT causing the issues. Truth hurts these evil P.O.S. And, also I have wondered regarding the ISP involvement. On the article topic, I was quite angered when I read his Tweet over the weekend; that punk has got nerve and needs to wear an orange jumpsuit.

Litchfield , March 20, 2018 at 9:13 am

What is the ISP movement?

Sam F , March 20, 2018 at 11:50 am

The ISP may or may not be involved, but the DNS is involved in creating fake (or real) "mirror sites." DNS (distributed name service) has its own servers all over, which translate text URLs (xxx.com ) to numeric internet (IP) addresses. So when you request the site, your local DNS server gives you the address based upon its updates from other sources, including the "mirror" sites used for heavily-used websites.

I do not yet know the processes used to update DNS servers which would be tampered to create fake mirror sites, or exactly how this would be controlled, except that secret agencies would know this and would have such control. Others might be able to do this as well.

Skeptigal , March 20, 2018 at 4:26 am

Sorry, I know you're frustrated but I couldn't help but giggle at your indignant replies. They are hilarious. Your comments may have ended up in the spam folder. If you contact them they will restore your comments. Good luck! :)

Realist , March 20, 2018 at 11:23 pm

Using the British standard, I'm going to assume you are responsible for all the trouble unless you prove otherwise.

[Mar 19, 2018] How to reset a Windows password with Linux by Archit Modi

clonezilla has chntpw on the CD/DVD.
Mar 16, 2018 | www.linuxtoday.com
12 comments If you (or someone you know) ever forget your Windows password, you'll be glad to know about chntpw , a neat Linux utility that you can use to reset a Windows password. For this how-to, I created a Windows virtual machine and set the password to pass123 on my user account, Archit-PC . I also created a Live USB with Fedora 27 using the Fedora Media Writer application.

Here are the steps, along with screenshots, to guide you through the quick and super easy process of resetting your Windows password with chntpw .

1. Attach the Live USB to your PC and restart from the login screen, as shown below:

2. Boot from the Live USB and click on Try Fedora :

3. Log out from live-user and log into root . This step is not necessary, but I prefer to use the root user to bypass any permission issues:

4. Install the chntpw utility with the following command (you'll need a live internet connection for this):

sudo dnf install -y chntpw

5. Check which partition should be mounted by sfdisk -l ...:

and mount that partition (e.g., /dev/sda2 ) with the following command:

sudo mount /dev/sda2 /mnt/Microsoft/

Change the current directory to the config directory:

cd /mnt/Microsoft/Windows/System32/config/

Also, check the user records in the Security Account Manager (SAM) database:

passwordreset_mount-3.png Checking SAM database

6. Edit the SAM database with the command:

sudo chntpw -i SAM

Then type 1 (for Edit user data and passwords ):

passwordreset_username-1.png Select 1 for Edit user data and passwords

And type your user account name (i.e., Archit-PC in this example) for the username:

passwordreset_username-2.png Enter your username

7. Type 1 to clear the user password or 2 to set a new password for the Archit-PC user, then quit and save the changes:

passwordreset_clear-1.png Edit user menu
passwordreset_clear-2.png Confirmation that password was cleared

8. Reboot to Windows. If you selected 1 above, you'll see there's no password required to log in. Just click Sign in and you will be logged in:

That's all there is to it! I hope this will be helpful if you ever need to reset a Windows password.

[Mar 07, 2018] By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware.

Mar 07, 2018 | www.thegatewaypundit.com

Paul Tibbets a day ago

Brennan is a scum bag, he over saw the CIA as they sought to become the premier Gov. Agency.

https://wikileaks.org/ciav7p1/

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force -- its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

[Feb 20, 2018] US-UK Accuse Russia of "NotPetya" Cyberattack, Offer Zero Evidence Global Research - Centre for Research on Globalization

Notable quotes:
"... The US and European press have both published stories accusing the Russian government, and in particular, the Russian military, of the so-called "NotPetya" cyberattack which targeted information technology infrastructure in Ukraine. ..."
"... Ulson Gunnar is a New York-based geopolitical analyst and writer especially for the online magazine " New Eastern Outlook ". ..."
"... All images in this article are from the author. ..."
Feb 20, 2018 | www.globalresearch.ca

US-UK Accuse Russia of "NotPetya" Cyberattack, Offer Zero Evidence By Ulson Gunnar Global Research, February 19, 2018 Region: Europe , Russia and FSU , USA Theme: Intelligence , Media Disinformation

The US and European press have both published stories accusing the Russian government, and in particular, the Russian military, of the so-called "NotPetya" cyberattack which targeted information technology infrastructure in Ukraine.

The Washington Post in an article titled, " UK blames Russian military for 'malicious' cyberattack ," would report:

Britain and the United States blamed the Russian government on Thursday for a cyberattack that hit businesses across Europe last year, with London accusing Moscow of "weaponizing information" in a new kind of warfare. Foreign Minister Tariq Ahmad said "the U.K. government judges that the Russian government, specifically the Russian military, was responsible for the destructive NotPetya cyberattack of June 2017." The fast-spreading outbreak of data-scrambling software centered on Ukraine, which is embroiled in a conflict with Moscow-backed separatists in the country's east. It spread to companies that do business with Ukraine, including U.S. pharmaceutical company Merck, Danish shipping firm A.P. Moller-Maersk and FedEx subsidiary TNT.

British state media, the BBC, would report in its article, " UK and US blame Russia for 'malicious' NotPetya cyber-attack ," that:

The Russian military was directly behind a "malicious" cyber-attack on Ukraine that spread globally last year, the US and Britain have said.

The BBC also added that:

On Thursday the UK government took the unusual step of publicly accusing the Russia military of being behind the attack. "The UK and its allies will not tolerate malicious cyber activity," the foreign office said in a statement. Later, the White House also pointed the finger at Russia.

Yet despite this "unusual step of publicly accusing the Russian military of being behind the attack," neither the US nor the British media provided the public with any evidence, at all, justifying the accusations. The official statement released by the British government would claim:

The UK's National Cyber Security Centre assesses that the Russian military was almost certainly responsible for the destructive NotPetya cyber-attack of June 2017. Given the high confidence assessment and the broader context, the UK government has made the judgement that the Russian government – the Kremlin – was responsible for this cyber-attack.

Claiming that the Russian military was "almost certainly responsible," is not the same as being certain the Russian military was responsible. And such phrases as "almost certainly" have been used in the past by the United States and its allies to launch baseless accusations ahead of what would otherwise be entirely unprovoked aggression against targeted states, in this case, Russia. The White House would also release a statement claiming:

In June 2017, the Russian military launched the most destructive and costly cyber-attack in history. The attack, dubbed "NotPetya," quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.

Considering claims that this is the "most destructive and costly cyber-attack in history, " it would seem imperative to establish evidence beyond doubt of who was responsible. No Evidence From Governments Confirmed to Possess the Means to Fabricate Attribution Yet, so far, this has not been done. Claims that Russia's military was behind the attacks seems to be built solely upon private analysts who have suggested the attacks appear to have originated in Russia.

However, as it was revealed by Wikileaks in its Vault 7 release , exposing cyber hacking tools used by the US Central Intelligence Agency (CIA), the origin of attacks can be forged. USA Today in an article titled, " WikiLeaks: CIA hacking group 'UMBRAGE' stockpiled techniques from other hackers ," would admit:

A division of the Central Intelligence Agency stockpiled hacking techniques culled from other hackers, giving the agency the ability to leave behind the "fingerprints" of the outside hackers when it broke into electronic devices, the anti-secrecy group WikiLeaks alleges as it released thousands of documents Tuesday.

The article continues by pointing out:

The documents also suggest that one of the agency's divisions – the Remote Development Branch's UMBRAGE Group – may have been cataloguing hacking methods from outside hackers, including in Russia, that would have allowed the agency to mask their identity by employing the method during espionage. "With UMBRAGE and related projects the CIA cannot only increase its total number of attack types, but also misdirect attribution by leaving behind the 'fingerprints' of the groups that the attack techniques were stolen from," Wikileaks said in a statement.

Not only does this ability allow the CIA to carry out espionage that if discovered would be attributed to other parties, it also allows the CIA to conduct attacks the US government and its allies can then blame on foreign states for the purpose of politically maligning them, and even justifying otherwise indefensible acts of aggression, either militarily, or in the realm of cyberspace.

Evidence provided by the UK and US governments would have to establish Russia's role in the "NotPetya" cyberattack beyond mere attribution, since this is now confirmed to be possible to forge. The UK and US governments have failed to provide any evidence at all, likely because all it can offer is mere attribution which skeptics could easily point out might have been forged. NATO Had Been Preparing "Offensive" Cyber Weapons

As previously reported , NATO had been in the process of creating and preparing to deploy what it called an "offensive defense" regarding cyber warfare. Reuters in an article titled, " NATO mulls 'offensive defense' with cyber warfare rules ," would state:

A group of NATO allies are considering a more muscular response to state-sponsored computer hackers that could involve using cyber attacks to bring down enemy networks, officials said.

Reuters would also report:

The doctrine could shift NATO's approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology.

It has been repeatedly pointed out how the US, UK and other NATO members have repeatedly used false pretexts to justify military aggression carried out with conventional military power. Examples include fabricated evidence of supposed "weapons of mass destruction (WMD)" preceding the 2003 US invasion of Iraq and the so-called "humanitarian war" launched against Libya in 2011 built on fabricated accounts from US and European rights advocates.

With UMBRAGE, the US and its allies now possess the ability to fabricate evidence in cyberspace, enabling them to accuse targeted nations of cyber attacks they never carried out, to justify the deployment of "offensive" cyber weapons NATO admits it has prepared ahead of time. While the US and European media have warned the world of a "cyber-911″ it appears instead we are faced with "cyber-WMD claims" rolled out to justify a likewise "cyber-Iraq War" using cyber weapons the US and its NATO allies have been preparing and seeking to use for years. Were Russia to really be behind the "NotPetya" cyberattack, the US and its allies have only themselves to blame for decades spent undermining their own credibility with serial instances of fabricating evidence to justify its serial military aggression. Establishing that Russia was behind the "NotPetya" cyberattack, however, will require more evidence than mere "attribution" the CIA can easily forge.

*

Ulson Gunnar is a New York-based geopolitical analyst and writer especially for the online magazine " New Eastern Outlook ".

All images in this article are from the author.

[Feb 19, 2018] The White House on Thursday blamed Russia for the devastating 'NotPetya' cyber attack last year , joining the British government in condemning Moscow for unleashing a virus

Notable quotes:
"... Poor Russia cant get a break, neither can Americans get a break from this USA 'get Russia' monkey circus. The monkeys now reach back a year ago to get Russia on a cyber attack. ..."
Feb 19, 2018 | www.unz.com

renfro, February 19, 2018 at 7:38 am GMT

Poor Russia cant get a break, neither can Americans get a break from this USA 'get Russia' monkey circus. The monkeys now reach back a year ago to get Russia on a cyber attack.

White House blames Russia for 'reckless' NotPetya cyber attack

https://www.reuters.com/ russia /white-house-blames-russia-for-reckless-notpetya-c&#8230 ;

3 days ago -- WASHINGTON/LONDON (Reuters) -- The White House on Thursday blamed Russia for the devastating 'NotPetya' cyber attack last year , joining the British government in condemning Moscow for unleashing a virus that crippled parts of Ukraine's infrastructure and damaged computers in countries across the

Best advice for Americans believe nothing, trust nothing that issues from a government.

The experts:

John McAfee, founder of an anti-virus firm, said: "When the FBI or when any other agency says the Russians did it or the Chinese did something or the Iranians did something -- that's a fallacy," said McAfee.

"Any hacker capable of breaking into something is extraordinarily capable of hiding their tracks. If I were the Chinese and I wanted to make it look like the Russians did it I would use Russian language within the code. "I would use Russian techniques of breaking into organisations so there is simply no way to assign a source for any attack -- this is a fallacy."

I can promise you -- if it looks like the Russians did it, then I can guarantee you it was not the Russians."

Wikileaks has released a number of CIA cyber tools it had obtained. These included software specifically designed to create false attributions.

[Feb 16, 2018] White House: Iraq Has Anthrax Virus Russia Launched NotPetya

Notable quotes:
"... Washington Post ..."
Feb 16, 2018 | www.moonofalabama.org

Late last night the White House accused the Russian military of having launched the destructive "NotPetya" malware which in June 2017 hit many global companies:

Statement from the Press Secretary

In June 2017, the Russian military launched the most destructive and costly cyber-attack in history.

The attack, dubbed "NotPetya," quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.

The statement has the same quality as earlier statements about Spain sinking the Maine or about Saddam's Weapons of Mass Destruction had.

Neither the U.S. nor anyone else has presented ANY evidence of ANY Russian involvement in the creation or distribution of the NotPetya malware. The U.S. is simply asserting this while presenting nothing to back it up.

There is, in general, no attribution possible for any such cyber attack. As John McAfee, founder of an anti-virus firm, said :

"When the FBI or when any other agency says the Russians did it or the Chinese did something or the Iranians did something – that's a fallacy," said McAfee.
...
" Any hacker capable of breaking into something is extraordinarily capable of hiding their tracks. If I were the Chinese and I wanted to make it look like the Russians did it I would use Russian language within the code. "I would use Russian techniques of breaking into organisations so there is simply no way to assign a source for any attack – this is a fallacy."
...
I can promise you – if it looks like the Russians did it, then I can guarantee you it was not the Russians ."

I agree with McAfee's statement. The CIA must likewise agree. Wikileaks has released a number of CIA cyber tools it had obtained. These included software specifically designed to create false attributions:

The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

Nearly all "attributes" used for attributing a cyber attack can be easily faked to accuse a party not involved in the attack.

The British National Cyber Security Center, part of the British computer spying organisation GCHQ, also claims that the Russian military is " almost certainly " responsible for the NotPetya attack. Canada and the Australians also chipped in .

But note - these are NOT independent sources. They are, together with New Zealand, part of the of the " Five Eyes " spying alliance. From NSA files released by Edward Snowden we know that the Five Eyes are practically led by the U.S. National Security Agency:

One internal document quotes the head of the NSA, Lieutenant General Keith Alexander, on a visit to Menwith Hill in June 2008, asking: "Why can't we collect all the signals all the time? Sounds like a good summer project for Menwith."

Menwith Hill is a Royal Airforce spying station and part of the GCHQ infrastructure. That the head of the NSA can assign "summer projects" to it shows where the real power lies.

The Russian government strongly rejects the accusations.

NotPetya was a destructive virus that masked as ransomware. It was based on attacking tools which originally had been developed by the NSA but were later anonymously published by someone calling himself Shadow-Broker. One of several attack vectors NotPetya used was the update mechanism of some tax accounting software which is common in Ukraine and Russia. But the attack soon spread globally :

The attack hit Ukraine central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl's radiation monitoring system, and other machines in the country. It also affected Russian oil giant Rosneft, DLA Piper law firm, U.S. biopharmaceutical giant Merck, British advertiser WPP, and Danish shipping and energy company Maersk, among others.

The biggest damaged through NotPetya occurred at the Danish shipping company Maersk which had to completely reboot its entire infrastructure and lost some $250-300 million due to the attack.

The question one must always ask when such accusations are made is: Why would the accused do this?

In January the U.S. attribution claims about the NotPetya malware were prelaunched through the Washington Post :

The CIA has attributed to Russian military hackers a cyberattack that crippled computers in Ukraine last year, an effort to disrupt that country's financial system amid its ongoing war with separatists loyal to the Kremlin.
...
The GRU military spy agency created NotPetya, the CIA concluded with "high confidence" in November, according to classified reports cited by U.S. intelligence officials.
...
The hackers worked for the military spy service's GTsST, or Main Center for Special Technology, the CIA reported. That unit is highly involved in the GRU's cyberattack program, including the enabling of influence operations.

What could have been the motive of the "Russian military" to release a (badly written) malware that destroys computer-files of random companies all over the world including at the all important Russian oil-giant Rosneft . To assume that Ukraine's financial system was the target is almost certainly wrong. There is also no evidence that this was the case. Ukraine's Central Bank was just one of thousands of victims of the attack.

Only some 50% of the affected companies were in Ukraine. Most of them were not financial firms. The attack was initiated through an update mechanism of an accounting software that is also used in Russia. That original attack vector was probably chosen simply because it was easy to use. The accounting software company had a lousy security protection. The first infected computers then applied a different mechanism to spread the malware to other machines. The attack was launched on a Ukrainian national holiday which is not optimal if one wants to spread it as wide as possible throughout the Ukraine.

That the Ukraine and Russia were hit first by the malware was also likely just a time-of-day question. The timeline shows that the U.S. and most of western-Europe were still asleep when the virus started to proliferate. The anti-virus organizations, the Russian company Kaspersky among them , took only a few hours to diagnose the attacking software. A solution to prevent further damage was found within some twelve hours. By the time the U.S. working day started anti-virus companies were already releasing advise and protective code against it. If the attack had not been stopped by protective software it would have effected many more computers. Most of these would not have been in the Ukraine.

The U.S. attribution of the NotPetya attack to some Russian organization is extremely doubtful. In general a certain attribution of any such cyber attack is impossible. It is easy for any sophisticated virus writer to modify the code so that it looks as if it was written by some third party. The CIA even develops tools to do exactly that.

The attacking software seemed to be of relatively low quality. It was a badly designed mishmash created from earlier known malware and spy tools. It was not confined to a certain country or target. It can at best be described as an act of random vandalism on a global scale. There is no discernible motive for any Russian state organizations to release such nonsense.

In 2009 Russia offered an international treaty to prohibit cyber attacks. It was the U.S. under Obama which rejected it as "unnecessary" while it was expanding its own attack capabilities.

The U.S. government has launched a Cold War 2.0 against Russia. The motive for that seems to be mostly monetary. Hunting a few 'terrorists' does not justify big military budgets, opposing a nuclear power does.

The now released accusations against Russia have as much foundation in reality as the claims of alleged Iraqi WMDs. We can only hope that these new accusations will have less severe consequences.

Posted by b on February 16, 2018 at 04:30 AM | Permalink

Comments


uncle tungsten , Feb 16, 2018 4:53:27 AM | 1

Trump has made a fool of himself by agreeing to be the mouth for some looney security briefing. Why the White House releasing this? why not the NSA or some slightly distant body so the president can be kept clear of blowback if the accusation is proven to be wrong (as it has and was at the time of its spread). A gullible fool is spouting at the behest of the five anuses. They certainly aren't eyes with that sh!t coming out.
igybundy , Feb 16, 2018 5:44:44 AM | 2
Some of the smartest hackers I seen are Russians, although a lot of kids will just do it for kicks, professionals would have a target rather than random targets that can back fire aka how the US does things as we seen off their Iranian attack.

Kaspersky being the best of the best, Kremlin would know and would make great effort to make sure they stay as far away from them as possible. To give it a fighting chance. That Kaspersky found it so fast shows it was not Russian. Since you want them to be last on the list to know about it. Kaspersky for some strange reason also works with their partners in the US/UK etc sharing information. So Russians themselves would work to defeat a Russian attack even if its made. Which any smart cookie would say is self defeating and they would not waste the effort to try.


Jen , Feb 16, 2018 5:55:09 AM | 3
Could the attack have been co-ordinated by parties in different countries but in the same time zone or in neighbouring time zones, with one or two of these being the same time zones that European Russia is in?

It seems possible that at least one of these parties might be based in Ukraine. For Ukrainian-based pro-Maidan cyber-hackers to release the virus on a Ukrainian public holiday, when most major public and private institutions and businesses are closed, but Russian ones are not, would make sense. Another party could be based in a different country with sophisticated cyber-technology and experience in creating and spreading cyber-viruses that is in the same time zone as Ukraine. Israel comes to mind.

Ian , Feb 16, 2018 6:11:01 AM | 4
I don't believe anything will come of it. I see these accusations as petty attempts to get under Russia's skin. Frankly, I can't see anybody believing the crap that comes out of Washington's mouth, especially after what Snowden/Wikileaks has revealed to the public.
Me , Feb 16, 2018 6:30:32 AM | 5
These Russians are so badass!
I'm beginning to wish to be a Russian. :)
Partisan , Feb 16, 2018 6:35:18 AM | 6
"Some of the smartest hackers I seen are Russians, ....."

I am curious where have you seen them?

Second thing which I've never understood about hacking is, why all this noise about it. It is like a pc and network infrastructures are like holly grail and untouchable. The fetishization of this particular technology which comes from the west is unbearable, it is like the life on earth depend on it. Than can not be further from the truth. The US behaves as the owner and guardian of the IT sector, and they handsomely profited from it.

If someone leave its nodes exposed or on the Internet than it is their fault, why not hack it. To hell with them. If someone leave sensitive documents on server than again that's the owner problem, and so on. It is not a bigger crime than "regular" spying activity.

The Russian hacking is beyond the point. Two big powers, capitalist countries with almost identical political structure are competing in the world arena. One of them in decline big time, the second one resurgent but stagnant in development and to gain wider influence. The USA is clearly unable to bribe (as used to) Russia although countries such North Korea still suffer from their collusion in the Security council.

Hacking someone's IT infrastructure is mature skill and there is nothing new in it so just like everything else everything the US and its organs are saying is plain lie. Now, the problem is that after a lie follow some kind of coercion. It that doesn't work - if you are small and defenseless country - than they will kill you.

Red Ryder , Feb 16, 2018 6:49:23 AM | 7
There are at least two tactics in cyberwarfare (which this is).
First, to attack and destroy infrastructure of an enemy or opponent or resistant vassal.
Second, to place blame on others for the use of cyber as a weapon.

The US is at cyber war with Russia and China. This is not Cold War.
Neither was Stuxnet. That was cyber war on Iran. It got out beyond Iran because its careless design sought Seimens equipment everywhere on the Internet. It went to many other countries far beyond Iran and attacked the equipment there.

This malware was not well-designed either. It may have been meant for Russian targets. Rosneft is a huge economic target.

But this campaign using NotPetya had the value of being a Tactic #1 attack + #2 failure against Russia. The CIA got to blame Russia even though the intended damage was quickly reversed by Kaspersky. The irony is they attacked a nation with the best resources to combat and defend against the weapon they used.

But make no mistake, the CyperWars are well underway. The US is sloppy, just like all their Hegemon efforts are seriously flawed in classic terms of execution. The Russians are far more elegant with cyber, as anyone who knows their software experts or products over the years.

Partisan , Feb 16, 2018 7:01:48 AM | 8
"But make no mistake, the CyperWars are well underway."

I doubt, I doubt very much. If there is a one than it is manufactured.

No vital and nationally sensitive or strategic IT nodes are exposed to the public net. All this is bizarre and narrative created by the Deep State for idiots. Probably ~60% of drugs infested Amerikkans do no care. The rest: https://medium.com/incerto/the-intellectual-yet-idiot-13211e2d0577 are somewhat interested. We can argue whether for domestic (in the light of another shooting, if true) or international purposes (Syria, Iraq, Iran), or both.

Partisan , Feb 16, 2018 7:14:33 AM | 9
The Class War is the Marx's term that is taboo and forbidden in capitalist's world everywhere and in particular in the US where is social oppression and inequality is the greatest in the world by far.

Maintain all kind of spins and propaganda along with political oppression i.e. help of political police the American version of the Nazi's Gestapo is crucial for the ruling class and regime.

While the looting of the drugged and non-drugged Americans continue unabated.

Partisan , Feb 16, 2018 7:33:59 AM | 10
I would say that only 10% of the Amerikkans have clue what's hacking about, and very small percentage understand in technical terms and details. Sadly, it is NOT important and even more important those question should not be asked! Questioning the highest authority is no, no. The more convoluted the better.

Now when the statement is out of the WH we might except refined follow up by the National Security organs, TNYT, TWP, etc. An intended audience are https://en.wikipedia.org/wiki/Little_Eichmanns

It is very good that you posted that photo of Collin Powell in the context of the article. It says it a lot, if not all.

integer , Feb 16, 2018 8:02:09 AM | 11
In a Euromaidan Press article dated November 2nd, 2016, the hackers state enthusiastically "Ukrainian hackers have a rather high level of work. So the help of the USA I don't know, why would we need it? We have all the talent and special means for this. And I don't think that the USA or any NATO country would make such sharp movements in international politics."

From: Untying PropOrNot: Who They Are and a Look at 2017's Biggest Fake News Story

Christian Chuba , Feb 16, 2018 8:15:13 AM | 12
On the Tucker Carlson Show an FBI agent defended the fact that they could not identify the school shooter, prior to the event, even after he was reported, because his one post did not identify himself explicitly. Also, the threat was not enough to open an investigation.

So now the same group of people claim the ability to discover that people are 'Russian Trolls' from a specific building in St. Petersburg simply based on the content of purely political posts to facebook and twitter.

Partisan , Feb 16, 2018 8:23:03 AM | 13
By following, little bit, the US National Security operation called Cryptocurrency (ies), allegedly based in South Korea and Japan I noticed numbers of hacking of the companies' web sites that are in this, let-call-it-business.

The most famous hacking was one of Mt.Gox (Japan based) one, where the French nationals was the business' principal. A money never was recovered, and hacker is still unknown!? I guess the place of business and the CEO meant (all US' client states) to give legitimacy to cryptocurrency and lure fools into buying the "fog". But where did "investors" money goes? Not to brilliant Russians...and how could that be? There is a lot of money in game, real money.

Is the National Security State agencies has transfered looting from the domestic soil to international one with help of the virtual reality. No trace of hackers, none!?

Partisan , Feb 16, 2018 9:06:43 AM | 14
I use the term The US National Security State (or Deep State) and its apparatus as synonymous to the Nazi Reich Main Security Office. Both of them, while differ in the methods and size, the goals and objectives are the same.
integer , Feb 16, 2018 9:12:50 AM | 15
Having just had a quick look into the NotPetya attack, it appears to have began on the morning of the day before Ukraine's Constitution Day, and originated from the update server of a Ukrainian tax accounting program called MeDoc. I expect this was another Ukrainian false flag; a cyber warfare version of MH17. Sharp movements in international politics indeed.
Partisan , Feb 16, 2018 9:23:02 AM | 16
integer | Feb 16, 2018 9:12:50 AM | 15

Meaning what? A client state was forced into this in order (to blame Russkies) to get another tranches of loan from the IMF?

susetta , Feb 16, 2018 9:53:35 AM | 17
Well that may mean that, under the new dictact (now the Unites States will not just use its nuclear weapons as a response if the other party used them; now the United States has declared that it will use nuclear weapons if, say, there should be a virus attack on its networks), that the United States is about to declare war on Russia and proceed to nuke it.
AriusArmenian , Feb 16, 2018 11:59:07 AM | 20
"We can only hope that these new accusations will have less severe consequences."

The russophobic fake news push is not letting up and now the Trump administration has jumped on board. And on top of targeting Iran has also ramped up targeting China.

This is how the last Cold War ramped up. The public was softened up by the media to fear the USSR. It's a symptom of a disease in its psyche spreading throughout the West.

We see through this nonsense but I fear we underestimate the danger. This Cold War v2 is already much hotter then v1. The West is approaching the throat of the East (Russia, China, Iran, and others), and unfortunately for the world the West feels (it has limited capability to think) it must prevail over the East or faces extinction. And what does that suggest might happen?

Petri Krohn , Feb 16, 2018 12:01:35 PM | 21
CrowdStrike said Russians known as Fancy Bear hacked the DNC. U.S. Department of Homeland Security identified one of the "Russian" malware tools used and named it "Grizzly Steppe" or "PAS tool PHP web kit". Later it was also found to attack U.S. power utilities.

I tracked down the creator of the malware and found out that he was a 23-year old Ukrainian university student at the Poltava National Technical University.

Did a Ukrainian University Student Create Grizzly Steppe?

3) The profexer site presents a SSL certificate that identifies it as pro-os.ru and gives an email address...

Almost a year later the New York Times reported the same story, but did not name the Ukrainian hacker.

In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking

But while Profexer's online persona vanished, a flesh-and-blood person has emerged: a fearful man who the Ukrainian police said turned himself in early this year, and has now become a witness for the F.B.I.

Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. "He was a freelancer and now he is a valuable witness," Mr. Gerashchenko said.

"Fancy Bear" is not the Russian military intelligence agency GRU or any other Russian government agency. It is simply a collection of hacking tools available online on Runet , the Russian language part of the Internet and the Russian language darknet.

james , Feb 16, 2018 12:04:41 PM | 22
thanks b.. more of the same bullshit.. "The U.S. is simply asserting this while presenting nothing to back it up."

from b's post - "In 2009 Russia offered an international treaty to prohibit cyber attacks. It was the U.S. under Obama which rejected it as "unnecessary" while it was expanding its own attack capabilities."

this from the link in the above quote..

"The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law-enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say."

5 eyes is doing such a great job of being like some stupid chorus line in a bad movie... all of them are beholden to the usa and the usa, as noted above - doesn't need any proof... what does that say about the usa?

willful blindness...

Shakesvshav , Feb 16, 2018 12:13:40 PM | 24
A small cause for celebration here in the UK: https://www.hackread.com/british-hacker-lauri-love-will-not-be-extradited-to-usa/
james , Feb 16, 2018 12:18:58 PM | 25
@24 shakesvshav - it's a good thing they weren't caught up in some allegation based in sweden which the swedes wanted to drop, but the uk/usa discouraged them from doing... i am thinking of julian assange here - stuck in the eqaudor embassy in the uk.. craig murray did a couple of articles on this the past few days which kind of makes one want to puke especially if one lives in the uk...

nice to see an opportunity for celebration come your way!

https://www.craigmurray.org.uk/

J Swift , Feb 16, 2018 12:22:15 PM | 26
@integer 15 " I expect this was another Ukrainian false flag; a cyber warfare version of MH17"

Not as crazy as it sounds. Hell, the CIA and SBU literally share a building! And this code apparently does not have the hallmark elegance of Russian hackers. Why not get a good swipe at Russian businesses, while destroying enough data (evidence) in Ukraine to cover a multitude of sins (just like at least one of the ammo dump explosions is strongly suspected as having been intentionally set to cover up missing inventory which now no doubt resides in Syria). And then the icing on the cake is to get to blame Russia and try to bolster rapidly failing support for sanctions. A lot more plausible than a half-baked Russian attack.

[Feb 16, 2018] The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.

Dubbed "Marble," the part 3 of CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.
Notable quotes:
"... And the USA has indeed thoroughly developed means to falsely laying blame for cyber attacks it actually performs itself (next to it's proven credentials of falsely laying blame with chemical and terrorist attacks). ..."
"... And the USA has indeed thoroughly developed means to falsely laying blame for cyber attacks it actually performs itself (next to it's proven credentials of falsely laying blame with chemical and terrorist attacks). ..."
Feb 16, 2018 | www.moonofalabama.org

xor | Feb 16, 2018 2:54:51 PM | 33

There indeed doesn't seem to be a motive to why the Russian authorities would launch a cyber attack that economically disrupts both itself, allies and other countries. Either the virus writers didn't care for a solution, hoped that a solution that never works might panic the victims even more so they make more cash transfers or enjoyed reaping money while seeing their victims suffer of something where there is no solution for. The last 2 reasons are short term because news that there is no solution for the ransomware will stop victims from making cash transfers. More convincing would be a cyber attack initiated by USA authorities that would hit already crumbling Ukraine businesses even further and create even more mistrust between Ukraine and Russia.

And the USA has indeed thoroughly developed means to falsely laying blame for cyber attacks it actually performs itself (next to it's proven credentials of falsely laying blame with chemical and terrorist attacks). On 31 March 2017:

WikiLeaks published hundreds of more files from the Vault 7 series today which, it claims, show how CIA can mask its hacking attacks to make it look like it came from other countries, including Russia, China, North Korea and Iran.

Dubbed "Marble," the part 3 of CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.

The CIA's Marble Framework tool includes a variety of different algorithm with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.

...

The White House has condemned the revelations made by Wikileaks, saying that those responsible for leaking classified information from the agency should be held accountable by the law.

WikiLeaks Reveals 'Marble' Source Code that CIA Used to Frame Russia and China

There indeed doesn't seem to be a motive to why the Russian authorities would launch a cyber attack that economically disrupts both itself, allies and other countries. Either the virus writers didn't care for a solution, hoped that a solution that never works might panic the victims even more so they make more cash transfers or enjoyed reaping money while seeing their victims suffer of something where there is no solution for. The last 2 reasons are short term because news that there is no solution for the ransomware will stop victims from making cash transfers. More convincing would be a cyber attack initiated by USA authorities that would hit already crumbling Ukraine businesses even further and create even more mistrust between Ukraine and Russia.

And the USA has indeed thoroughly developed means to falsely laying blame for cyber attacks it actually performs itself (next to it's proven credentials of falsely laying blame with chemical and terrorist attacks). On 31 March 2017:

WikiLeaks published hundreds of more files from the Vault 7 series today which, it claims, show how CIA can mask its hacking attacks to make it look like it came from other countries, including Russia, China, North Korea and Iran.

Dubbed "Marble," the part 3 of CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.

The CIA's Marble Framework tool includes a variety of different algorithm with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.

...

The White House has condemned the revelations made by Wikileaks, saying that those responsible for leaking classified information from the agency should be held accountable by the law.

WikiLeaks Reveals 'Marble' Source Code that CIA Used to Frame Russia and China div

Source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.

WikiLeaks: Marble Framework

The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.

WikiLeaks: Marble Framework

When the White House (doesn't matter who's ostensibly in charge) claims leaker's like Julian Assange should be accountable by the law, it of course means the malleable arbitrary law which none of the serpents in the White House, Langley, ... are accountable to.

[Jan 15, 2018] WikiLeaks reveals that literally every router in America has been compromised

failedevolution.blogspot.gr
The latest Wikileaks Vault7 release reveals details of the CIA's alleged Cherry Blossom project, a scheme that uses wireless devices to access users' internet activity.

globinfo freexchange

As cyber security expert John McAfee told to RT and Natasha Sweatte:

Virtually, every router that's in use in the American home are accessible to hackers, to the CIA, that they can take over the control of the router, they can monitor all of the traffic, and worse, they can download malware into any device that is connected to that router.

I personally, never connect to any Wi-Fi system, I use the LTE on my phone. That's the only way that I can be secure because every router in America has been compromised.

We've been warning about it for years, nobody pays attention until something like WikiLeaks comes up and says 'look, this is what's happening'. And it is devastating in terms of the impact on American privacy because once the router is compromised and it infects the cell phones that are attached, your laptop, your desktop computer, your tablet, then they become compromised and [someone] can watch the data, start listening to conversations, start watching through the cameras on these devices.

We are in a situation with our government where they know everything about us and we know nothing about what the government is doing. They have the right to privacy and secrecy, but the individual does not, anymore.

[Jan 03, 2018] Nation-State Hacking 2017 in Review by Eva Galperin

Jan 03, 2018 | www.truth-out.org

WannaCry and Petya both owe their effectiveness to a Microsoft Windows security vulnerability that had been found by the NSA and code named EternalBlue, which was stolen and released by a group calling themselves the Shadow Brokers. US agencies losing control of their hacking tools has been a recurring theme in 2017. First companies, hospitals, and government agencies find themselves targeted by re-purposed NSA exploits that we all rushed to patch , then Wikileaks published Vault 7 , a collection of CIA hacking tools that had been leaked to them, following it up with the publication of source code for tools in Vault 8.

...In December, Citizen Lab published a report documenting the Ethiopian government's ongoing efforts to spy on journalists and dissidents, this time with the help of software provided by Cyberbit, an Israeli company. The report also tracked Cyberbit as their salespeople demonstrated their surveillance product to governments including France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Other perennial bad actors also made a splash this year, including Vietnam, whose government was linked to Ocean Lotus, or APT 32 in a report from FireEye . The earliest known samples from this actor were found by EFF in 2014 , when they were used to target our activists and researchers.

Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world.

[Nov 18, 2017] Largest FREE Microsoft eBook Giveaway! I'm Giving Away MILLIONS of FREE Microsoft eBooks again, including Windows 10, Office

Nov 18, 2017 | msdn.microsoft.com

Before we get to this year's list of FREE eBooks, a few answers to common questions I receive during my FREE EBOOK GIVEAWAY:

  1. How many can you download?
    • ANSWER: As many as you want! This is a FREE eBook giveaway, so please download as many as interest you.
  2. Wow, there are a LOT listed here. Is there a way to download all of them at once?
    • ANSWER: Yes, please see the note below on how to do this.
  3. Can I share a link to your post to let others know about this giveaway?
    • ANSWER: Yes, please do share the good news with anyone you feel could benefit from this.
  4. I know you said they are "Free," but what's the catch?
    • ANSWER: There is no catch. They really are FREE . This consider it a, "Thank you," for being a reader of my blog and a customer or partner of Microsoft.
  5. Ok, so if they are free and you're encouraging us to share this with others, can I post a link to your post here on sites like Reddit, FatWallet, and other deal share sites to let them know, or is that asking too much?
    • ANSWER: Please do. In fact, I would encourage you to share a link to this post on any deal site you feel their users could benefit from the FREE eBooks and resources included below. Again, I WANT to give away MILLIONS of FREE eBooks!
  6. Are these "time-bombed" versions of the eBooks that stop working after a certain amount of time or reads?
    • ANSWER: No, these are the full resources for you to use.

Ok, ready for some FREE eBooks? Below is the collection I am posting this year (which includes a ton of new eBooks & resources, as well as some of the favorites from previous years):

... ... ...

PowerShell Microsoft Dynamics GP 2015 R2 PowerShell Users Guide PDF
PowerShell PowerShell Integrated Scripting Environment 3.0 PDF
PowerShell Simplify Group Policy administration with Windows PowerShell PDF
PowerShell Windows PowerShell 3.0 Examples PDF
PowerShell Windows PowerShell 3.0 Language Quick Reference PDF
PowerShell WINDOWS POWERSHELL 4.0 LANGUAGE QUICK REFERENCE PDF
PowerShell Windows PowerShell 4.0 Language Reference Examples PDF
PowerShell Windows PowerShell Command Builder User's Guide PDF
PowerShell Windows PowerShell Desired State Configuration Quick Reference PDF
PowerShell WINDOWS POWERSHELL INTEGRATED SCRIPTING ENVIRONMENT 4.0 PDF
PowerShell Windows PowerShell Web Access PDF
PowerShell WMI in PowerShell 3.0 PDF
PowerShell WMI in Windows PowerShell 4.0 PDF

[Nov 17, 2017] The Windows PowerShell Debugger

Nov 17, 2017 | technet.microsoft.com
The Windows PowerShell Debugger The information in this article was written against the Community Technology Preview (CTP) of Windows PowerShell 2.0. This information is subject to change in future releases of Windows PowerShell 2.0.

The PowerShell Debugger Setting Breakpoints Responding to Breakpoints Listing Breakpoints Enabling and Disabling Breakpoints Removing Breakpoints

The PowerShell Debugger

In Windows PowerShell 2.0 (the November 2007 Community Technology Preview release) the PowerShell team has taken an interesting approach to script debugging. As you know, PowerShell doesn't require a specialized script editor or development environment. Instead, PowerShell users can, and do, use any and all text editors (from Notepad on up) to write their scripts. Because of that, the PowerShell team decided to build their debugging tools into Windows PowerShell itself; in turn, that means that you can use the new debugging cmdlets to debug any script from the console window itself.

Pretty cool, huh?

But don't just take our word for that; let's show you how some of these cmdlets work. In particular, let's take a brief look at the following new PowerShell 2.0 cmdlets:

Top of page Setting Breakpoints

Windows PowerShell's new debugging features are built around the notion of "breakpoints." A breakpoint is simply a designated spot in a script where you would like execution to pause. For example, suppose you have a script that copies a file from one location to another, and then deletes the original file. (OK, admittedly, you'd be better off writing a script that simply moved the file, but that wouldn't help us make our point.) Let's further suppose that your script looks like this:

cls
Write-Host "Copying folder."
Copy-Item D:\Logfiles -destination D:\Backup
Write-Host "Deleting folder."
Remove-Item D:\Logfiles

As you might expect, this script hinges on one key line of code: the line where the Copy-Item cmdlet copies the folder D:\Logfiles to D:\Backup. What makes this line so crucial? Well, suppose this line fails but the script continues to run. Let's further suppose that the last line of code, the one where the Remove-Item cmdlet deletes the original folder, succeeds. What would that mean? That would mean that the script failed to copy D:\Logfiles to the backup location, but succeeded in deleting D:\Logfiles (even though no backup copy exists). And that would mean that the folder D:\Logfiles, and everything in it, would be gone without a trace.

Probably not what you had in mind.

So what can you do about that? How can you test this script risk-free, or at least as close to risk-free as you can get?

Well, one thing you can do is set a breakpoint on line 4 (Write-Host "Deleting folder.").That enables you to run the script and execute lines 1, 2, and 3. When you get to line 4, however, the script will pause and wait for further instructions. (What kind of instructions? We'll discuss that in a minute.) That, in turn, gives you a chance to verify that D:\Logfiles has been successfully copied to D:\Backup. If it has then you can continue to run the script. If it hasn't, then you can type {break} to stop execution of the script before the folder is deleted. And once the script has successfully – and safely – been stopped, you can begin debugging lines 1 through 3 to try and determine why the folder didn't get copied over.

That sounds pretty handy, doesn't it? OK, so then how do you set a breakpoint on line 4? Why, by doing this, of course:

New-PSBreakpoint -script C:\Scripts\Test.ps1 -line 4

That was easy, wasn't it? As you can see, all we had to do was call the New-PSBreakpoint cmdlet, passing New-PSBreakpoint two parameters:

So what happens now? Well, now we simply run the script; when the script reaches line 4 it will pause and prompt us for further instructions. That scenario will play out something similar to this:

Copying folder.
DEBUG: Hit breakpoint(s) on 'C:\Scripts\Test.ps1:4'
DEBUG:  Line breakpoint on 'C:\Scripts\Test.ps1:4'
PS C:\scripts>>>{break}
PS C:\scripts>

Notice at the prompt that we typed {break} to terminate the script.

Important . As you might know (but probably didn't), breakpoints are tied to the current PowerShell session and not to the script. That means that any breakpoints you set will disappear as soon as you exit PowerShell. Keep in mind, too, that the breakpoints work only in the PowerShell session where they were set. Suppose you create a new breakpoint in one PowerShell session and then open a second PowerShell session. That breakpoint will not be available in the second PowerShell session, you'll need to reset any breakpoints you want in this second session.

Admittedly, setting a breakpoint on line 4 was pretty cool. But you ain't seen nothin' yet. Sure, it's easy to set a breakpoint on a particular line in a script. (And yes, you can set as many breakpoints on a script as you want. On top of that, you can set breakpoints on as many different scripts as you want.) But PowerShell doesn't limit you to setting breakpoints only on lines. Instead, you can also set breakpoints on such things as:

Variables . When you set a breakpoint on a variable the script will (by default) pause any time the value of that variable changes. To set a breakpoint on a variable, simply use the –variables parameter followed by the name (or names) of the variable of interest. (Just make sure to leave the $ off when specifying the variable name.) For example, this command sets a breakpoint on the variable $a:

New-PSBreakpoint -script C:\Scripts\Test.ps1 -variables a

As we noted, by default breakpoints are triggered any time the value of a variable changes ( WriteMode ). Alternatively, you could have a breakpoint triggered any time a variable value is read ( Read ); this includes each and every time that the value of this variable is displayed onscreen or used in a calculation. Or, set the breakpoint to ReadWriteMode and have the breakpoint triggered any time the variable is referenced.

Oh, good question. Here's how you set the mode for a variable breakpoint:

Copy
New-PSBreakpoint -script C:\Scripts\Test.ps1 -variables a -Read

Commands . You can also set a breakpoint any time a particular command is used in a script. For example, the following command sets a breakpoint on the Get-Content command:

Copy
New-PSBreakpoint -script C:\Scripts\Test.ps1 -commands "Get-Content"

You c an even get more specific than that. For example, this command sets a breakpoint on Get-Content, but only when the cmdlet is used to open the file C:\Scripts\Test.txt:

Copy
New-PSBreakpoint -script C:\Scripts\Test.ps1 -commands "Get-Content C:\Scripts\Test.txt"

Functions . Set a breakpoint any time a function is called? Hey, why not? Here's a command that sets a breakpoint any time the function ConvertDate is called:

Copy
New-PSBreakpoint -script C:\Scripts\Test.ps1 -function ConvertDate

Before we move on, here's one last note about the New-PSBreakpoint cmdlet. By default, the script simply pauses and waits for further instructions any time it encounters a breakpoint. If you want to, however, you can execute a specific command (or set of commands) when a breakpoint is encountered. To do that, simply add the –action parameter followed by the command or commands to be run. (Technically these commands need to be passed as a script block, which means they must be enclosed in curly braces.) For example, this command displays the value of the variable $a any time the specified breakpoint is triggered:

Copy
New-PSBreakpoint -script C:\Scripts\Test.ps1 -variables a -action {Write-Host $a}

One action you might want to specify is this: {break} . This will automatically terminate the script when a breakpoint is reached.

Top of page Responding to Breakpoints

Unless you use the –action parameter, any time you a hit a breakpoint the script will pause and present you with a nested command prompt. When that happens, PowerShell will simply sit patiently and wait for you to tell it what to do.

That's great, except for one thing: what exactly can you tell it to do? To be honest, you can tell it pretty much anything you want to tell it. As we've already seen, you can simply type the keyword {break} and press ENTER; that will cause the script to terminate. Alternatively, you might want to run a full-fledged PowerShell command. For example, suppose your script is supposed to create a text file named C:\Scripts\Test.txt and then hit a breakpoint. At that point, you could use the Get-Content cmdlet to read the contents of that file:

Copy
Get-Content C:\Scripts\Test.txt

That's pretty cool. However, more often than not you'll end up executing one of the following new cmdlets any time you encounter a breakpoint:

Step-Into . The Step-Into cmdlet enables you to execute the next line of code in the script. Just type Step-Into at the command prompt and press ENTER; in response, PowerShell will execute the next line of code. At that point the script will stop and wait for further instructions, even if no breakpoint has been set on that particular line of code.

In other words, Step-Into allows you to run a script line-by-line.

Step-Out . When you call the Step-Out cmdlet your script will begin to run again, not stopping until it reaches the next breakpoint (or until it runs out of lines to execute). Unlike Step-Into, Step-Out does not run a script line-by-line. Instead, it runs until it reaches a breakpoint; pauses; runs until it reaches the next breakpoint; pauses; then – well, you get the idea.

To use this cmdlet, type Step-Out at the command prompt and then press ENTER; in response, PowerShell will execute the next line of code, and then continue to execute lines of code, without stopping, until the next breakpoint is encountered.

Important note. If you are inside a function when you call the Step-Out cmdlet, the debugger will exit the function and step to the statement immediately following the function call; from there the script will continue to run until the next breakpoint is encountered.

What does that mean? Well, suppose we are halfway through function A when we call Step-Out. Let's further suppose that there are no more breakpoints in the script. In a case like that, the debugger will exit the function (without running any additional lines of code in that function), and then – because there are no more breakpoints –will run the rest of the script. What if there was another breakpoint? Then the script would stop at that breakpoint and await further instructions.

Step-Over . The Step-Over cmdlet is roughly similar to Step-Into: it's designed to execute code line-by-line. However, there is an exception or two. (Which there should be; otherwise Step-Over would be Step-Into.) If the next line of code to be executed happens to be a function call, Step-Over will, well, "step over" that call. What does that mean? That means that Step-Over will execute the entire function without stopping; you will not step into the individual lines of code within that function. For example, suppose we hit a breakpoint at this point in a script:

Copy
Set-Location C:\Scripts
ConvertDate
Get-ChildItem

If we use the Step-Over cmdlet with these lines of code, the script will run line 1, the line that calls the Set-Location cmdlet, and then pause. If we use the Step-Over cmdlet again, the script will then run line 2, which calls a function named ConvertDate. At that point, all the lines of code within the Convert-Date function will execute, without stopping. The script will not pause until after the function has finished executing. If we call Step-Over a third time the script will then "step into" line 3, meaning it will pause on this line and await further instructions.

By the way, you can use any or all of these cmdlets during a single debugging session. That enables you to, say, step through a particular section line-by-line, and then step over or step out of the next section in the script.

Top of page Listing Breakpoints

On the one hand, it's pretty cool to have breakpoints tied to the PowerShell environment rather than an individual script; on the other hand, that makes it harder to figure out which breakpoints, if any, have been placed on a script. (Why? Because you can't just open up the script in a script editor or debugger and view the breakpoints.)That's where the Get-PSBreakpoint cmdlet comes in. Called without any additional parameters Get-PSBreakpoint returns information similar to the following for all the breakpoints in the current PowerShell session:

Copy
Get-PSBreakpoint

Do that and you'll get back information similar to this for each breakpoint set during the current session:

Function: ConvertDate
Action:
Enabled: True
HitCount: 1
Id: 0
Script: C:\Scripts
ScriptName: C:\Scripts\Test.ps1
Alternatively, you can specify a breakpoint ID and get back information only for the specified breakpoint:
Get-PSBreakpoint -ID 7

The –id parameter is the only parameter available to Get-PSBreakpoint. However, by piping the information retrieved by Get-PSBreakpoint to the Where-Object cmdlet you can retrieve a collection of breakpoints that fit some other criteria. For example, this command retrieves all the breakpoints associated with the script C:\Scripts\Test.ps1:

Get-PSBreakpoint | Where-Object (ScriptName - eq "C:\Scripts\Test.ps1")

      Enabling and Disabling Breakpoints 

By using the Enable-PSBreakpoint and Disable-PSBreakpoint cmdlets you can selectively enable and disable breakpoints during a Windows PowerShell session. To disable a breakpoint all you need to do is call the Disable-PSBreakpoint cmdlet, specifying the ID of the breakpoint to be disabled:

Disable-PSBreakpoint -ID 7

To enable that particular breakpoint, just use the Enable-Breakpoint cmdlet:

Enable-PSBreakpoint -ID 7

To disable (or enable) all the breakpoints in a PowerShell session, use Get-PSBreakpoint to retrieve a collection of breakpoints 
      and then pipe that collection to the appropriate cmdlet. For example, this command disables all the breakpoints in the current 
      session:
Get-PSBreakpoint | Disable-PSBreakpoint

Or, again, use a command like this to disable all the breakpoints associated with the script C:\Scripts\Test.ps1:
(Get-PSBreakpoint | Where-Object (ScriptName - eq "C:\Scripts\Test.ps1"))
| Disable-PSBreakpoint


      Removing Breakpoints 

As an alternative to disabling a breakpoint you can simply delete that breakpoint. Want to delete the breakpoint with the ID 7? Then simply call the Remove-PSBreakpoint cmdlet, specifying the breakpoint to be removed:

Remove-PSBreakpoint -ID 7

To delete all the breakpoints in the current PowerShell session us Get-PSBreakpoint to retrieve a collection of breakpoints and then pipe that collection to the Remove-PSBreakpoint cmdlet:

Get-PSBreakpoint | Remove-PSBreakpoint

And this command – oh, you guessed it. Yes, this command does remove all the breakpoints associated with the script C:\Scripts\Test.ps1:

Copy
(Get-PSBreakpoint | Where-Object (ScriptName - eq "C:\Scripts\Test.ps1"))
| Removeakpoint

[Nov 05, 2017] Bad Rabbit Ten things you need to know about the latest ransomware outbreak ZDNet

Nov 05, 2017 | www.zdnet.com
It spreads via a fake Flash update on compromised websites

The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites -- some of which have been compromised since June -- are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.

eset-flash-update-bad-rabbit.png

A compromised website asking a user to install a fake Flash update which distributes Bad Rabbit.

Image: ESET

Infected websites -- mostly based in Russia, Bulgaria, and Turkey -- are compromised by having JavaScript injected in their HTML body or in one of their .js files.

[Nov 05, 2017] Bad Rabbit ransomware - Securelist

Nov 05, 2017 | securelist.com

What is Bad Rabbit?

Bad Rabbit is a previously unknown ransomware family.

How is Bad Rabbit distributed?

The ransomware dropper was distributed with the help of drive-by attacks . While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor's infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks. The same exploit was used in the ExPetr.

We've detected a number of compromised websites, all of which were news or media websites.

Whom does it target?

Most of the targets are located in Russia. Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. Overall, there are almost 200 targets, according to the KSN statistics.

Since when does Kaspersky Lab detect the threat?

We have been proactively detecting the original vector attack since it began on the morning of October 24. The attack lasted until midday, although ongoing attacks were detected at 19.55 Moscow time. The server from which the Bad rabbit dropper was distributed went down in the evening (Moscow time).

How is it different to ExPetr? Or it is the same malware?

Our observations suggest that this been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack . What's more, the code analysis showed a notable similarity between the code of ExPetr and Bad Rabbit binaries.

Technical details

According to our telemetry, the ransomware is spread via a drive-by attack.

The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php

[Nov 01, 2017] Don't feed the beast. Duckduckgo is a good alternative to Google. And Facebook and Twitter's revenues are advertisement based

To abandon Amazon is unrealistic, but to control what you are buying (in view that all purchases goes into your Dossier) is probably the necessary precaution.
Google as a search engine deteriorated (Any search engine based on advertizing revenue is promoting spyware. and Google is especially bad in this respect due to its dominant position-- those guy pay Google and push themselves to the top of searches) , and alternative are not much worse, if not batter. It might make sense to change engine periodically, not to stick to a single one.
Facebook is intelligence collection company that masquerade itself as social site. So anybody who use Facebook is actually making creation of a comprehensive dossier on him/her much easier. You contacts are especially important. Same is true for Gmail and hotmail.
Notable quotes:
"... From the beginning of Zuckerberg's empire, I thought Facebook was an idiotic excuse to get people involved in trivia, even the name turned me off. ..."
Nov 01, 2017 | consortiumnews.com

geeyp, November 1, 2017 at 7:18 am

I would like to posit that we stop with the Googling on the internet. I have never "Googled" ever. Oh sure, Google is involved with connecting you when you might click on some links. That you seemingly can't avoid. I also don't Face or Twitter. If everyone could avoid doing that now, perhaps we could show our disdain with these entities acquiescing to Feinstein, et. al. I am so fed up with the Clinton crime family getting away with almost as much as the George H.W. crime family.

Skip Scott , November 1, 2017 at 8:46 am

geeyp-

That is a very good suggestion. Don't feed the beast. Duckduckgo is a good alternative to google. And facebook and twitter's revenues are add based, so don't go there either, as they have been shown to be caving to TPTB. Amazon is also one to avoid for Bezo's links to the CIA.

Jessica K , November 1, 2017 at 9:55 am

From the beginning of Zuckerberg's empire, I thought Facebook was an idiotic excuse to get people involved in trivia, even the name turned me off.

Now, Twitter is planning extending tweets to 280 characters, as if 140 is not bad enough. Unfortunately, Twitter can work to tell lies as well as push back on lies, same for Facebook and Google.

Seriously, this society has become unglued and as Lois says, "It ain't a pretty sight". Bad choices are leading to the American empire's downfall.

There's an interesting article from a week ago on Zero Hedge, "China's Rise, America's Fall", about China's launch of the petroyuan and other countries' desire to get off of dollar dominance.

Has a graph showing empire dominance from Portugal in 15th century, then Netherlands followed by Spain, then France, Great Britain, and finally the American empire, poised to be replaced by China.

[Oct 19, 2017] What is a better file copy alternative than the Windows default - Stack Overflow

Oct 19, 2017 | stackoverflow.com

Michael Stum , Aug 4, 2008 at 15:28

How about good old Command-Line Xcopy? With S: being the source and T: the target:
xcopy /K /R /E /I /S /C /H /G /X /Y s:\*.* t:\

/K Copies attributes. Normal Xcopy will reset read-only attributes.

/R Overwrites read-only files.

/E Copies directories and subdirectories, including empty ones.

/I If destination does not exist and copying more than one file, assumes that destination must be a directory.

/S Copies directories and subdirectories except empty ones.

/C Continues copying even if errors occur.

/H Copies hidden and system files also.

/Y Suppresses prompting to confirm you want to overwrite an existing destination file.

/G Allows the copying of encrypted files to destination that does not support encryption.

/X Copies file audit settings (implies /O).

(Edit: Added /G and /X which are new since a few years)

Miles , Oct 15, 2008 at 16:55

this works alot better than the regular windows copy. We had to copy a document server from one partition to another one time. I think we tried the windows copy first (said it was gonna take 20something hours). When we tried X-copy, it took less than 10 (and kept the windows permissions intact). – Miles Oct 15 '08 at 16:55

Oliver Zendel , Mar 11, 2014 at 9:29

xcopy has a serious bug if the path of a single file while copying has more than 256 characters. xcopy will abort the whole operation with an 'insufficient memory' error -> don't use xcopy! As an alternative, this will do pretty much what xcopy does without the bugs:

robocopy c:\srcdir d:\dstdir /XJ /SL /B /E /S /R:1 /W:1 /NFL /NS /NC /MT > mylog.txt 2>&1

Oliver Zendel Mar 11 '14 at 9:29

huseyint , Aug 4, 2008 at 15:21

Use Robocopy (Robust File Copy) .

NOTE:

In Windows Vista and Server 2008 when you type:

xcopy /?

you get:

NOTE: Xcopy is now deprecated, please use Robocopy.

So start getting used to robocopy :)

Gordon Bell , Oct 3, 2008 at 5:40

The primary complaint I've always had with XCOPY is that it always re-copies the files even if the destination file already exists with the same file size and modification date. – Gordon Bell Oct 3 '08 at 5:40

[Oct 16, 2017] Windows 10 setup and configuration tips Don't settle for default settings ZDNet

Oct 16, 2017 | www.zdnet.com

javascript:void(0)

The tips in this category are all about setting up Windows 10 the right way, and then configuring it the way you want it to work.

I assume that you've already done a clean install of Windows 10 or upgraded from a previous edition. (For answers to all your questions on Windows 10 installation issues, see my FAQ: "How to install, reinstall, upgrade and activate Windows 10" .)

And if you've heard that Microsoft is no longer offering free Windows 10 upgrades, I have a pleasant surprise for you: See "Here's how you can still get a free Windows 10 upgrade."

After you've got Windows 10 up and running, you're ready for the tips in this category.

Temporarily delay the Fall Creators Update

Each time Microsoft rolls out a major upgrade to Windows 10, you have the option to wait a few months before you install it on PCs running Windows 10 Pro or Enterprise. But you have to act quickly.

Find any Windows 10 setting in seconds

One confusing aspect of Windows 10 is the way it keeps some options in the old-style Control Panel and others in the new Settings app. The good news is you don't have to guess where to look, once you learn these two search secrets.

See also:

Turn off Cortana completely

Microsoft has removed Cortana's on-off switch. But the option to disable Cortana is still available, if you know where to look. Use this tweak to make Windows search strictly local.

See also:

Shut down OneDrive completely

In Windows 10, OneDrive is built in. The connections are so tight, in fact, that OneDrive has its own node in File Explorer, with no obvious way to remove it. But the options to disconnect OneDrive are there if you know where to look. Here are the full instructions.

See also:

Switch back to a local account from a Microsoft account

During Setup, Windows 10 encourages you to use a Microsoft account. But if you prefer to use a local account, the option is there. Here's how to switch back easily.

See also:

Find your PC's original product key

If you've purchased a new PC with Windows pre-installed in the past few years, chances are it has a product key embedded in its BIOS. With a little PowerShell wizardry, you can find that well-hidden key and learn more about your current licensing status.

More Windows 10 tips in this category:

[Oct 11, 2017] Elite Hackers Stealing NSA Secrets Is 'Child's Play'

What a great waste of taxpayers dollars. After Stuxnet any government that cares about secrecy does not use open, connected to internet networks for sensitive information. Some switched to typewriters, at least for highly sensitive operations, which is probably overkill. but good, old DOS can still be used to above NSA spook pretty much like typewriter; and communication via parallel port is not that easy to hack; UUCP is also pretty much available for serial port communication ;-)
But the effect on undermining the US software and hardware sales is overwhelming. Why anybody in foreign government would buy the US hardware or software, when it is clear that NSA can put a backdoor into both "before arrival". In this sense the game is over and net beneficiary might be Taiwanese and other East Asia firms as China is suspect too.
To say nothing about the effects of the US consumers and business when those tools are incorporated by criminal hacking groups into commercial malware. And this is a real dnager of NSA activities. Boomerang tends to return. And the security culture in most US companies (including government security contractors) is simply rudimentary or non existent. In no way they can withstand the attack of NSA tools. The sordid take of Hillary shadow IT and "bathroom server" is actually not an exception. Creation of "Shadow IT" is pretty common in fossilized and over-bureaucratized US enterprise It world.
Moreover operations like "Its operations that violate sovereignty of other nations, like digging into China's networks , developing the tools British spies used to break into Belgium's largest telecom, and hacking sections of the Mexican government " are clearly criminal, and are possible only due to the status of the USA as a sole of superpower. But they can result is some shipment of arms to anti-USA factions as a state-to-state retaliation. Moreover "There is no honor among thieves" and sharing of this information should be assumed is always larger then intended.
Like drone strikes they inflame anti-Americanism and has constrained U.S. foreign policy options in ways that civilian and military planners neither imagined nor anticipated.
Oct 11, 2017 | www.msn.com

The NSA's hackers have a problem.

Last week, multiple outlets reported that the NSA's elite Tailored Access Operations unit -- tasked with breaking into foreign networks -- suffered another serious data breach. The theft of computer code and other material by an employee in 2015 allowed the Russian government to more easily detect U.S. cyber operations, according to the Washington Post. It's potentially the fourth large scale incident at the NSA to be revealed in the last five years.

Now, multiple sources with direct knowledge of TAO's security procedures in the recent past tell The Daily Beast just how porous some of the defenses were to keep workers from stealing sensitive information -- either digitally or by simply walking out of the front door with it.

One source described removing data from a TAO facility as "child's play." The Daily Beast granted the sources anonymity to talk candidly about the NSA's security practices.

TAO is not your average band of hackers. Its operations have included digging into China's networks , developing the tools British spies used to break into Belgium's largest telecom, and hacking sections of the Mexican government . While other parts of the NSA may focus on tapping undersea cables or prying data from Silicon Valley giants, TAO is the tip of the NSA's offensive hacking spear, and could have access to much more sensitive information ripped from adversaries' closed networks. The unit deploys and creates sophisticated exploits that rely on vulnerabilities in routers, operating systems, and computer hardware the general population uses -- the sort of tools that could wreak havoc if they fell into the wrong hands.

That doesn't mean those tools are locked down, though. "TAO specifically had a huge amount of latitude to move data between networks," the first source, who worked at the unit after Edward Snowden's mega-leak, said. The former employee said TAO limited the number of USB drives -- which could be used to steal data -- after that 2013 breach, but he still had used several while working at TAO.

"Most operators knew how they could get anything they wanted out of the classified nets and onto the internet if they wanted to, even without the USB drives," the former TAO employee said.

A second source, who also worked at TAO, told The Daily Beast, "most of the security was your co-workers checking to see that you had your badge on you at all times."

The NSA -- and recently TAO in particular -- have suffered a series of catastrophic data breaches. On top of the Snowden incident and this newly-scrutinized 2015 breach, NSA contractor Hal Martin allegedly hoarded a trove of computer code and documents from the NSA and other agencies in the U.S. Intelligence Community. Martin worked with TAO, and he ended up storing the material in his car and residence, according to prosecutors. Like Snowden, Martin was a contractor and not an employee of the NSA, as was Reality Winner, who allegedly leaked a top-secret report about Russian interference in the U.S. election to news site The Intercept.

Then there's the incident now in the news. Israeli operatives broke into the systems of the Russian cybersecurity firm Kaspersky Lab, officials told The Washington Post. On those systems were samples of sophisticated NSA hacking tools; a TAO employee had brought them home and placed them on his home computer. That machine was running Kasperky software, which allegedly sent the NSA tools back to Moscow.

It's not totally clear how the breach overlaps with any others, but in 2016, a group called The Shadow Brokers started publishing full NSA exploit and tool code. Various hackers went on to incorporate a number of the dumped exploits in their own campaigns, including some designed to break into computers and mine digital currency, as well as the WannaCry ransomware, which crippled tens of thousands of computers around the world. (A handful of other, smaller NSA-related disclosures, including a catalogue of TAO hacking gear from 2007 and 2008, as well as intelligence intercepts, were not attributed to the Snowden documents, and the public details around where that information came from are muddy.)

Although not a data breach per se, in 2015 Kaspersky publicly revealed details on the history and tools of the so-called Equation Group, which is widely believed to be part of the NSA. A third source, who worked directly with TAO, said the fallout from that exposure meant the hacking unit entered a "significant shutdown," and "ran on minimum ops for months."

Nevertheless, a report by the Defense Department's inspector general completed in 2016 found that the NSA's "Secure the Net" project -- which aimed to restrict access to its most sensitive data after the Snowden breach -- fell short of its stated aims. The NSA did introduce some improvements, but it didn't effectively reduce the number of user accounts with 'privileged' access, which provide more avenues into sensitive data than normal users, nor fully implement technology to oversee these accounts' activities, the report reads.

Physical security wasn't much better, at least at one TAO operator's facility. He told The Daily Beast that there were "no bag checks or anything" as employees and contractors left work for the day -- meaning, it was easy smuggle things home. Metal detectors were present, including before Snowden, but "nobody cared what came out," the second source added. The third source, who visited TAO facilities, said bag checks were random and weak.

"If you have a thumb drive in your pocket, it's going to get out," they said.

Unsurprisingly, workers need to swipe keycards to access certain rooms. But, "in most cases, it's pretty easy to get into those rooms without swipe access if you just knock and say who you're trying to see," the third source added.

To be clear, The Daily Beast's sources described the state of security up to 2015 -- not today. Things may have improved since then. And, of course, the NSA and TAO do of course have an array of security protections in place. TAO operators are screened and people on campus are already going to have a high level clearance, some of the sources stressed. The part of the NSA network that TAO uses, and which contains the unit's tools, can only be accessed by those with a designated account, according to the source who worked with TAO. Two of the sources believed in the NSA's ability to track down where a file came from after a breach.

Indeed, the system TAO members use to download their hacking tools for operations has become more heavily audited over the years too, although the network did have a known security issue, in which users could make their own account and automatically gain access to additional information, the source who worked with TAO said.

"The NSA operates in one of the most complicated IT environments in the world," an NSA spokesperson told The Daily Beast in a statement. "Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies."

"We do not rely on only one initiative. Instead, we have undertaken a comprehensive and layered set of defensive measures to further safeguard operations and advance best practices," the spokesperson added.

The problem of securing this data from the inside is not an easy one to solve. If the NSA was to lock down TAO systems more ferociously, that could hamper TAO's ability to effectively build tools and capabilities in the first place, and two of the sources emphasised that excessive searches would likely create a recruiting problem for the agency. "It's not prison," one of the former TAO employees said.

"The security is all predicated on you having a clearance and being trusted," the source who has worked with TAO said.

"The system is just not setup to protect against someone with a clearance who is determined to go rogue," they added.

[Oct 11, 2017] Spy Spin Fuels Anti-Kaspersky Campaign

Indiscriminate spying is a costly and not very efficient operation. The problem of drinking form a fire hose arise. So a lot of money spend by US, GB and other countries on installation of such software are wasted. If the user of such computers uses steganography this does not even allow to detect the targeted activities.
It in not that elimination of Kaspersky software from the US market (due to current anti-Russia witch hunt) is a big loss. The efficiency of AV program against new threats was always problematic. But this hysteria points to a larger problem: threat from regular hackers to your data, especially financial data and access to financial sites. I would say that the person who does not use two separate computers for browsing and for his financial and other confidential operations and data is reckless indeed. Now anybody with important financial data can afford two laptops. A good used, enterprise class, Dell laptop is around $400.
In Windows each antivirus is simultaneously a backdoor. That's given. So usage by the US government agencies of foreign AV software was an oversight; and the US government is doing the right thing to prohibit such usage. Similarly it would be highly irresponsible for, say Russian government, to use MacAfee software on government computers. Even with large transnational companies there are some tricky problems about which AV software to use. And that was the problem already understood long ago, say in 1996.
For governments any large AV company represents tremendous asset as for surveillance. Also intelligence community probably has close understanding of signature updaters and their vulnerabilities and probably have agents in each of major AV company. And for government AV signature updates are the best way to install malware on your computer. And much simpler then hijacking OS updates.
So it is only natural that AV companies are primary target of intelligence agencies. I remember being very surprised the McAfee was bought by Intel. Now I know why ;-). In the past some mass deployed AV companies software (Symantec) as well as Google software (Google bar) were spyware even without intelligence agencies interference. In a way they were pioneers of mass surveillance.
In no way linux is a panacea. This is another monstrously complex OS with multiple backdoors, especially on application level (Apache is one recent example). But it will be much less attacked by non-government hackers. This is true. Security via obscurity does work. Still if you need security against exfiltration of your data MS DOS and Windows 3.1 are also useful option (any non-networked computer actually would work; you can exchange data via parallel port too. for example Total Commander has such an option ).
Notable quotes:
"... The British spy agency regarded the Kaspersky software in particular as a hindrance to its hacking operations and sought a way to neutralize it. ..."
"... An NSA slide describing "Project CAMBERDADA" lists at least 23 antivirus and security firms that were in that spy agency's sights . They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic. and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos ..."
"... That the NSA and the British GCHQ did not list U.S. and British made anti-virus products on their "to do" list lets one assume that these packages can already be controlled by them. ..."
"... The Kaspersky anti-virus software, which the NSA employee had installed, identified parts of these tools as malware and uploaded them for analysis to the Kapersky's central detection database. The Kaspersky software behaved exactly as it should . Any other anti-virus software behaves similar if it detects a possibly new virus. ..."
"... The only person in the tale who did something illegal was the NSA employee. The case also demonstrates that the NSA continues to have a massive insider security problem. There is no hint in the story to any evidence for its core claim of "Russian hackers". ..."
"... Meanwhile its a well reported established fact that american virus/antimalware corps have allowed the FBI and other agencies to compromize their software with silent signatures - as with Magic Lantern for example (and imagine how far its gone since then) ..."
"... In the network security world there is this concept of a honeypot where you entice/allow the world to attack/invade your honeypot so you can study the tools they use and insure the trail back to them is useful. ..."
Oct 11, 2017 | www.moonofalabama.org
... ... ...

U.S. and British spies systematically target all anti-virus products and companies :

The British spy agency regarded the Kaspersky software in particular as a hindrance to its hacking operations and sought a way to neutralize it.
...
An NSA slide describing "Project CAMBERDADA" lists at least 23 antivirus and security firms that were in that spy agency's sights . They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic. and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos

That the NSA and the British GCHQ did not list U.S. and British made anti-virus products on their "to do" list lets one assume that these packages can already be controlled by them.

In February 2015 Kaspersky announced that it found U.S. and UK government spying and sabotage software infecting computers in various foreign countries. Later that year the CIA and FBI tried to recruit Kaspersky employees but were warned off. In June 2015 Kaspersky Lab detected a breach in its own systems by an Israeli government malware. It published an extensive autopsy of the breach and the malware programs used in it.

That the U.S. government now attempts to damage Kaspersky is likely a sign that Kaspersky products continue to be a hard-target that the NSA and GCHQ find difficult to breach.

To justify the campaign against Kaspersky, which began in May, U.S. officials recently started to provide a series of cover stories. A diligent reading of these stories reveals inconsistencies and a lack of logic. On October 5 the Wall Street Journal reported: Russian Hackers Stole NSA Data on U.S. Cyber Defense :

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

A NSA employee copied code of top-secret NSA spy tools and put it on his private computer. ("It's just that he was trying to complete the mission, and he needed the tools to do it." said 'one person familiar with the case' to WaPo.)

The Kaspersky anti-virus software, which the NSA employee had installed, identified parts of these tools as malware and uploaded them for analysis to the Kapersky's central detection database. The Kaspersky software behaved exactly as it should . Any other anti-virus software behaves similar if it detects a possibly new virus.

The "multiple people with knowledge of the matter" talking to the WSJ seem to allege that this was a "Russian hacker" breach of NSA code. But nothing was hacked. If the story is correct, the Kaspersky tool was legally installed and worked as it should. The only person in the tale who did something illegal was the NSA employee. The case also demonstrates that the NSA continues to have a massive insider security problem. There is no hint in the story to any evidence for its core claim of "Russian hackers".

... ... ...

Further down the WSJ story says :
The incident occurred in 2015 but wasn't discovered until spring of last year , said the people familiar with the matter."

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

If the last sentence is true the employee must have had top access to multiple NSA programs.

A new story in the New York Times today builds on the WSJ tale above. It makes the claims therein even more suspicious. The headline - How Israel Caught Russian Hackers Scouring the World for U.S. Secrets :

It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.

What gave the Russian hacking, detected more than two years ago , such global reach was its improvised search tool -- antivirus software made by a Russian company, Kaspersky Lab, ...

The Israeli officials who had hacked into Kaspersky's own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer.

The Washington Post version of the story is remarkable different. Unlike the NYT it does not claim any Russian government involvement in Kaspersky systems:

In 2015, Israeli government hackers saw something suspicious in the computers of a Moscow-based cybersecurity firm : hacking tools that could only have come from the National Security Agency.

Israel notified the NSA, where alarmed officials immediately began a hunt for the breach, according to people familiar with the matter, who said an investigation by the agency revealed that the tools were in the possession of the Russian government

Israeli spies had found the hacking material on the network of Kaspersky Lab ...

While the NYT asserts that the Russian government had access to the Kaspersky systems, the Washington Post does not assert that at all.

The NYT claims that the Israelis alerted the NSA of Russian government knowledge of its tools while WaPo says that it was the NSA itself that found this out. That Israel alerts the NSA when it has its hands on a valuable source that reveals NSA tools is not believable. There is no love lost between Israeli and U.S. spy agencies. They spy on each other whenever they can with even deadly consequences .

The NYT story is based on "current and former government officials", not on the usual " U.S. officials". It might well be that Israeli spies are spinning the NYT tale.

We already knew that the Israeli government had in 2015 breached some Kaspersky systems. Kaspersky Lab itself alarmed the public about it and provided an extensive forensic report.

There are several important questions that the above quote stories do not ask:

If the Israelis detected NSA malware in the hand of the Russian government "more than two years ago" (NYT) how come that the NSA hole was only found in 2016 (WSJ)? Did the Israelis use their claimed knowledge for a year without alarming their "allies" at the NSA? Why?

And why would the detection of alleged Russian government intrusion into Kaspersky products lead to a ban of these products only in fall 2017?

If the story were true the NSA should have reacted immediately. All Kaspersky products should have been banned from U.S. government systems as soon as the problem was known. The NSA allowed the Russian government, for more than a year, to sniff through all systems of the more than two dozen American government agencies (including the military) which use the Kaspersky products? That does not make sense.

These recently provided stories stink. There is no evidence provided for the assertions therein. They make the false claim that the NSA employees computer was "hacked". Their timelines make no sense. If not complete fantasies they are likely to be heavily spun to achieve a specific goal: to justify the banning of Kaspersky products from U.S. markets.

I regard these stories as part of "blame Russia" campaign that is used by the military-industrial complex to justify new defense spending. They may also be useful in removing a good security product that the NSA failed to breach from the "western" markets.

Oilman2 | Oct 11, 2017 10:29:02 AM | 10

Computers are dirt cheap these days. My first Mac cost me $3000 and the first clone PC I built cost me $1500. Today, I can buy a super-duper-anti-pooper PC device for $500. Hell folks, that is cheaper than an Iphone...

Use one computer for your critical work that has no internet connection, or use an old PC that has no network card. The OS may be uncool by today's standards, but the dang business software has hardly changed - just gotten more bloated with features.

Have one computer for exposure to wild viruses and all that crap, and another you can rely on. Move files one-way using cheap, new memory sticks.

My old PC runs the last version of Windows NT - and never crashes or locks up. It uses MS Office from that period, and the files are still readable by newer products.

My outward looking computer is either a Mac or a Linux box. I only transfer sensitive files one-way - from isolated to unisolated. Periodically, I toss the hard drive and pop in a new one. My 'sensitive' stuff is miniscule, as I don't work in the military or spook world. It's patent stuff.

And run Kaspersky - it works and the other's don't. Unless you are working on sensitive government crap, do you really even care if Russians can fish a few of your files? Do most people have PLC devices hung off their computers that stuxnet things can access?

If you have Alexa and other IoT crap - get rid of it because they are gadgets that have more downside than upside. Do you TRULY need a talking fridge? A washer you can turn on with your phone? A talking link to Google?

I don't care if the alphabet guys get my files - because they aren't of use to them. Most of the guys working at the alphabet agencies are spending their time on porno anyway or looking for blackmail files and images - which is why they can't seem to ever do anything useful except maybe foul a keyboard irretrievably.

It's hilarious to me that so much effort is put into all this when the old school ways of passing notes and talking are such simple workarounds, IF you are truly wanting privacy and fear for your precious files.

Robert Browning | Oct 11, 2017 10:43:32 AM | 11
Kaspersky uncovered the Stuxnet virus.
sejomoje | Oct 11, 2017 11:59:05 AM | 13
Yep this is payback for revealing who was behind Stuxnet, among other things. Every day, a little more USSA.
LXV | Oct 11, 2017 12:27:49 PM | 14
Isn't it to little to late for a payback, since it's been 5+ years since Kaspersky Labs discovered and revealed who is behind Stuxnet and Flame? Nah, this one smells more of a good ole-fashioned fascist market protectionism where you simply ban "those vile Russians" from a large portion of the market. Of course, all in context of the Empire's ongoing Blame Russia! campaign.
c1ue | Oct 11, 2017 3:12:28 PM | 19
Linux doesn't have many viruses - instead it has all manner of extremely dangerous 0-day bugs that can be exploited, plus a multitude of open source library vulnerabilities and channel attacks.
I was at a presentation by Paul Vixie - one of the 2 people who first proclaimed open source as the best way to product good and secure products 10 years ago. He's Internet Hall of Fame, ICANN Security Board, etc.
He no longer believes that for this reason: 10 years ago, there were 50 million lines of open source code, and you could rely that it was reviewed regularly and reasonably widely.
Today there are 50 billion lines of open source code, and the majority is never reviewed by anybody.
If you really want to go secure: don't use email. Don't use the internet. Just use your computer with no outside connection. Of course, you can't read Moon of Alabama, either - a fantastic way to nail all you paranoid types would be to watering hole attack this site.
As for the story: it is believable that one or more spy agencies hacked into Kaspersky's systems.
What again is not being said is whether Kaspersky was actively participating or abetting this activity.
While banning Kaspersky from US government and military isn't completely nonsensical, the reality is that *all* AV and other type of security products - any ones which auto update include FireEye, Palo Alto, Symantec, Microsoft and so forth all have the same vulnerability: The ability to access all data on a computer is an inherent ability to spy.
c1ue | Oct 11, 2017 3:13:26 PM | 20
And just FYI: Apache - you know, the source of the Struts vulnerability that lead to the Equifax breach, among others? It is Linux.
Thominus | Oct 11, 2017 3:24:35 PM | 21
Meanwhile its a well reported established fact that american virus/antimalware corps have allowed the FBI and other agencies to compromize their software with silent signatures - as with Magic Lantern for example (and imagine how far its gone since then)

With such subservience by the corporations anything is possible with whats been buried in these closed source systems.

I'm pretty sure the US establishment never accuses anyone of something if they aren't already themselves doing the same in the extreme.

Steve | Oct 11, 2017 3:27:13 PM | 22
@19 & 20

What you say may be correct in the most part. However, is it better to run an OS where there is a possibility of someone reviewing the code to improve it or run an OS where the vulnerabilities are intentionally left in the OS at the behest of the three-lettered agencies ? Only one choice gives the possibility of security even if it is remote.

The greater problem is the lack of maturity in so much of the software on Linux.

c1ue | Oct 11, 2017 3:37:19 PM | 23
@Steve #11
I guess you didn't read far enough into Vixie's comment: No one is reviewing the code - there is just too much.
Apache is an enormously widely used Linux platform with presumably an optimal reviewer population - it has millions of installs worldwide and is used from huge corporations to individuals, yet the Struts bug was also enormous (allows someone to remotely run code on any Apache server via a command line in a browser).

From my view as a security professional: I'd rather have a platform where there are thousands to tens of thousands of people actively trying to improve its security as opposed to one where there might be a few hundred.

The reality is that iOS, for example, is far more secure than Android.

iOS is not open source, Android is.

But the relative security has nothing to do with open sourcedness - it has to do with the architects of iOS continuously adding capabilities to make it more secure. iOS was the first widespread OS to use signed firmware updates - which is why jailbreaking an iPhone is so much harder than it used to be.

Despite that, there are still vulns which the 3 letter agencies likely know about and use.

That doesn't change the overall fact that iOS is more secure than Android and will be for the foreseeable future, because Android simply doesn't do all the things iOS can (and does) do.

If your concern is 3 letter agencies, then you need to create your own OS.

If your concern is overall security except for the 3 letter agencies, open source is *not* the way.

And lest you think I'm an Apple fanboi - I am not. I don't use iOS/iPhone/OSX or any of the Apple products for reasons outside of security. It doesn't mean I do not recognize the reality, however.

blues | Oct 11, 2017 4:39:24 PM | 28
Well sure if the NSA or some super-hacker specifically targets your machine, you will get owned (unless you invest in some kind of cyber Fort Knox, and are very lucky as well). These people who rant that Linus is "unsafe" are 100% full of it. In the end NOTHING is "safe". But Linux has astonishing advantages! Pay no heed to those naysayers!

I could write a book about how colossally dreadful Microsoft Windows is.

The BSD systems were clunky as hell so far.

So that leaves Linux. Big Problem: 98% of the Linuxes out there have been coerced into adopting "systemd" (yikes!). This is an allegedly open source (so it might be "audited" for trap doors and such) giant blob of 500,000+ lines of code (!) that has sneakily been infiltrated into 98% of the Linux distributions (distros) by the Red Hat Corporation and their NSA buddies. Obviously no one is ever going to "audit" it!

This Windows-like monster infests all of the Ubuntu and Linux Mint brand distros. The real question becomes "how many teams are you going to trust?"

Presumably the easiest distro to install and use "designed for home computer users" is Devuan based, systemd-free "Refracta Linux":
https://sourceforge.net/projects/refracta/files/isohybrid/
(I suggest ONLY the "refracta8.3_xfce_amd64-20170305_0250.iso" version for modern machines.)

You can "unlock" the upper panel, and move it to the bottom with the mouse.

You have to launch Konqueror five seconds before Firefox or it will crash :(

My very best alternative is the systemd-free "Void Linux":
https://repo.voidlinux.eu/live/current/
(I suggest ONLY the "void-live-x86_64-20171007-xfce.iso" version for most modern machines.)

I think Void Linux is just as nice as Refracta Linux, and they have different available programs (but they can work together) but it requires a bit more Linux chops to install. I needed to get the "live DVD file" GParted, which is a free partition editor DVD that you can burn yourself for free:
http://linux.softpedia.com/get/System/System-Administration/GParted-3725.shtml

Look up "Troubleshooters.Com®" -- Quick and Reliable Void Linux Installation:
http://www.troubleshooters.com/linux/void/quickinst.htm

I had to create a "MS-DOS"-style primary ext4 partition (could be between 80 to 200 GiB) with "boot" flag set, and a 20 GiB "Linux swap partition" with GParted before the install (may have to fiddle with the "BIOS" first). Then insert the Void DVD, open the "command window" and type "void-install". At some point the options look hopeless, but continue, and when it starts to repeat go back and back and continue on to completion. It's a BEAUTIFUL system! Have TWO passwords ready to use before starting (any Linux install) -- they might be of the form: "hermitcabbagetorus

I would get a book(s) about Linux. Maybe "Linux Cookbook" from Alibris. This will all prove to be VERY MUCH WORTH THE THE TROUBLE as time goes on!

psychohistorian | Oct 11, 2017 4:39:53 PM | 29
In the network security world there is this concept of a honeypot where you entice/allow the world to attack/invade your honeypot so you can study the tools they use and insure the trail back to them is useful.

If I were a security vendor I would set up a honeypot that looked like my business as simply one of many best practices. It is a great way to learn what others are doing while honing your skills at staying secure and invisible to potential perps.

If I had to wade into the "which OS is more secure" discussion I would just note that, IMO, in the long run open source is going to win the war world wide for most stuff but there will always be room for proprietary OS's and application software.

[Oct 08, 2017] Create and Use a Virtual Hard Disk on Windows 7

Notable quotes:
"... Windows 7 Resource Kit ..."
Oct 08, 2017 | technet.microsoft.com

Virtual hard disks (VHDs) are a file type that acts like a hard disk. In previous versions of Windows, VHDs were used by virtual machines, such as those created by Microsoft Virtual Server 2005 or Microsoft Virtual PC. Additionally, Complete PC Backup in Windows Vista created a copy of the computer's hard disk as a VHD disk image.

Follow Our Daily Tips RSS | Twitter | Blog | Facebook

Tell Us Your Tips Share your tips and tweaks .

Beginning with Windows 7, you can now mount VHDs exactly like a physical disk. By mounting a VHD, you can easily copy files to and from the virtual disk. Additionally, Windows 7 can be configured to boot from a VHD.

You can create a VHD from either the Disk Management snap-in or the command line. After you create the VHD, you must attach it and then format it before you can use it, just like a physical partition.

From the Disk Management console, follow these steps:
1. Right-click Disk Management and then click Create VHD. Follow the prompts that appear.
2. Right-click the new disk and then click Initialize Disk. Click OK.
3. Right-click the new disk and then click New Simple Volume (or select a different volume type, if available). Follow the prompts that appear.

The new virtual disk is ready to be used, just like any other disk.

From the DiskPart command-line tool at an elevated command prompt, run the create vdisk command and specify the file (to name the file) and maximum (to set the maximum size in megabytes) parameters. The following code demonstrates how to create a VHD file at C:\vdisks\disk1.vdh with a maximum file size of 16 GB (or 16,000 MB).

Copy

DiskPart 
Microsoft DiskPart version 6.1.7100 
Copyright (C) 1999-2008 Microsoft Corporation. 
On computer: WIN7 
DISKPART> create vdisk file="C:\vdisks\disk1.vhd" maximum=16000 

Volume ###      Ltr     Label           Fs      Type            Size    Status          Info    
----------      ---     -----------     -----   ----------      ------- ---------       -------- 
Volume 0        F       New Volume      NTFS    Simple          20 GB   Healthy 
Volume 1        E       New Volume      NTFS    Simple          40 GB   Healthy 
Volume 2        R                               DVD-ROM         0 B     No Media 
Volume 3        C                       NTFS    Partition       75 GB   Healthy         System 
Volume 4        D       New Volume      NTFS    Partition       52 GB   Healthy 
DISKPART> select volume 0
 
Volume 0 is the selected volume. 
DISKPART> delete volume 

DiskPart successfully deleted the volume.
For additional options, run the command help create vdisk at the DiskPart command prompt. After you create a VHD, you must attach it, create a partition, assign it a drive letter, and format it before it can be used. The following script (which must be run within a DiskPart session) demonstrates how to do this.

Copy

create vdisk file="C:\vdisks\disk1.vhd" maximum=16000 
attach vdisk 
create partition primary 
assign letter=g 
format
From the Microsoft Press book Windows 7 Resource Kit by Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and the Windows 7 team. Looking for More Tips?

For more tips on Windows 7 and other Microsoft technologies, visit the TechNet Magazine Tips library .

[Oct 05, 2017] Russian Hackers Stole NSA Data on U.S. Cyber Defense by Gordon Lubold, Shane Harris

The irony of stealing data from agency with which rational for existence is stealing data from foreign governments (and as Snowden reveled not only foreign governments) was missed by the authors of this propaganda peace.
While WSJ authors are probably just following talking point as for exaggerating Russian cyber threat (as Trump correctly defined it this is a "witch hunt" which is a part of color revolution launched to depose him) , the truth is that any antivirus software is a backdoor to your computer. Be it Microsoft, MacAfee, Semantic (in the past this was especially spying prone company with personal product being real spyware), or Kaspersky. So exfiltrating files from your computer via anti-virus software is not only possible, but quite probable vector of attack. All all major three letter agencies probably have dedicated teams which probe weaknesses in the way major anti-virus program communicate with the "mothership" to exploit those weaknesses for their own purposes.
The same is true about million of various updaters (such as Adobe -- a pretty nasty one, but generally one per each major commercial application installed) which are also backdoors into your system. So it is reasonable to view Windows as a "system that open user data to malicious third parties". Actually to any more or less professional intruder. Thinking otherwise is just stupid.
From security standpoints the terms "networked Windows computer" and "protection of personal information" are incompatible.
Notable quotes:
"... Mr. Trump denies any impropriety and has called the matter a "witch hunt." ..."
"... Write to Gordon Lubold at Gordon.Lubold@wsj.com and Shane Harris at shane.harris@wsj.com ..."
Oct 05, 2017 | www.msn.com

The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn't been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.

The breach is the first known incident in which Kaspersky software is believed to have been exploited by Russian hackers to conduct espionage against the U.S. government. The company, which sells its antivirus products in the U.S., had revenue of more than half a billion dollars in Western Europe and the Americas in 2016, according to International Data Corp. By Kaspersky's own account it has more than 400 million users world-wide.

The revelation comes as concern over Russian infiltration of American computer networks and social media platforms is growing amid a U.S. special counsel's investigation into whether Donald Trump's presidential campaign sought or received assistance from the Russian government. Mr. Trump denies any impropriety and has called the matter a "witch hunt."

Intelligence officials have concluded that a campaign authorized by the highest levels of the Russian government hacked into state election-board systems and the email networks of political organizations to damage the candidacy of Democratic presidential nominee Hillary Clinton.

A spokesman for the NSA didn't comment on the security breach. "Whether the information is credible or not, NSA's policy is never to comment on affiliate or personnel matters," he said. He noted that the Defense Department, of which the NSA is a part, has a contract for antivirus software with another company, not Kaspersky.

In a statement, Kaspersky Lab said it "has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation."

Kremlin spokesman Dmitry Peskov in a statement didn't address whether the Russian government stole materials from the NSA using Kaspersky software. But he criticized the U.S. government's decision to ban the software from use by U.S. agencies as "undermining the competitive positions of Russian companies on the world arena."

The Kaspersky incident is the third publicly known breach at the NSA involving a contractor's access to a huge trove of highly classified materials. It prompted an official letter of reprimand to the agency's director, Adm. Michael Rogers, by his superiors, people familiar with the situation said.

Adm. Rogers came into his post in 2014 promising to staunch leaks after the disclosure that NSA contractor Edward Snowden the year before gave classified documents to journalists that revealed surveillance programs run by the U.S. and allied nations.

The Kaspersky-linked incident predates the arrest last year of another NSA contractor, Harold Martin, who allegedly removed massive amounts of classified information from the agency's headquarters and kept it at his home, but wasn't thought to have shared the data.

Mr. Martin pleaded not guilty to charges that include stealing classified information. His lawyer has said he took the information home only to get better at his job and never intended to reveal secrets.

The name of the NSA contractor in the Kaspersky-related incident and the company he worked for aren't publicly known. People familiar with the matter said he is thought to have purposely taken home numerous documents and other materials from NSA headquarters, possibly to continue working beyond his normal office hours.

The man isn't believed to have wittingly worked for a foreign government, but knew that removing classified information without authorization is a violation of NSA policies and potentially a criminal act, said people with knowledge of the breach.

It is unclear whether he has been dismissed from his job or faces charges. The incident remains under federal investigation, said people familiar with the matter.

Kaspersky software once was authorized for use by nearly two dozen U.S. government agencies, including the Army, Navy and Air Force, and the departments of Defense, State, Homeland Security, Energy, Veterans Affairs, Justice and Treasury.

NSA employees and contractors never had been authorized to use Kaspersky software at work. While there was no prohibition against these employees or contractors using it at home, they were advised not to before the 2015 incident, said people with knowledge of the guidance the agency gave.

For years, U.S. national security officials have suspected that Kaspersky Lab, founded by a computer scientist who was trained at a KGB-sponsored technical school, is a proxy of the Russian government, which under Russian law can compel the company's assistance in intercepting communications as they move through Russian computer networks.

Kaspersky said in its statement: "As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts."

Suspicions about the company prompted the Department of Homeland Security last month to take the extraordinary step of banning all U.S. government departments and agencies from using Kaspersky products and services. Officials determined that "malicious cyber actors" could use the company's antivirus software to gain access to a computer's files, said people familiar with the matter.

The government's decision came after months of intensive discussions inside the intelligence community, as well as a study of how the software works and the company's suspected connections to the Russian government, said people familiar with the events. They said intelligence officials also were concerned that given the prevalence of Kaspersky on the commercial market, countless people could be targeted, including family members of senior government officials, or that Russia could use the software to steal information for competitive economic advantage.

"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," the DHS said Sept. 13 in announcing the government ban.

All antivirus software scans computers looking for malicious code, comparing what is on the machine to a master list housed at the software company. But that scanning also gives makers of the software an inventory of what is on the computer, experts say.

"It's basically the equivalent of digital dumpster diving," said Blake Darché, a former NSA employee who worked in the agency's elite hacking group that targets foreign computer systems.

Kaspersky is "aggressive" in its methods of hunting for malware, Mr. Darché said, "in that they will make copies of files on a computer, anything that they think is interesting." He said the product's user license agreement, which few customers probably read, allows this.

"You're basically surrendering your right to privacy by using Kaspersky software," said Mr. Darché, who is chief security officer for Area 1, a computer security company.

"We aggressively detect and mitigate malware infections no matter the source and we have been proudly doing it for 20 years," the company said in its statement. "We make no apologies for being aggressive in the battle against malware and cybercriminals."

U.S. investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky's software provided of what files were suspected on the contractor's computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The breach illustrates the chronic problem the NSA has had with keeping highly classified secrets from spilling out, former intelligence personnel say. They say they were rarely searched while entering or leaving their workplaces to see if they were carrying classified documents or removable storage media, such as a thumb drive.

The incident was considered so serious that it was given a classified code name and set off alarms among top national security officials because it demonstrated how the software could be used for spying. Members of Congress also were informed, said people familiar with the matter.

Then-Defense Secretary Ash Carter and then-Director of National Intelligence James Clapper pushed President Barack Obama to remove Adm. Rogers as NSA head, due in part to the number of data breaches on his watch, according to several officials familiar with the matter.

The NSA director had fallen out of White House favor when he traveled to Bedminster, N.J., last November to meet with president-elect Donald Trump about taking a job in his administration, said people familiar with the matter. Adm. Rogers didn't notify his superiors, an extraordinary step for a senior military officer, U.S. officials said.

Adm. Rogers wasn't fired for a number of reasons, including a pending restructuring of the NSA that would have been further complicated by his departure, according to people with knowledge of internal deliberations. An NSA spokesman didn't comment on efforts to remove Adm. Rogers.

Write to Gordon Lubold at Gordon.Lubold@wsj.com and Shane Harris at shane.harris@wsj.com

[Oct 01, 2017] Are you being watched FinFisher government spy tool found hiding as WhatsApp and Skype

Notable quotes:
"... When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found. ..."
"... The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software. ..."
Oct 01, 2017 | www.ibtimes.co.uk

Legitimate downloads of popular software including WhatsApp, Skype and VLC Player are allegedly being hacked at an internet service provider (ISP) level to spread an advanced form of surveillance software known as "FinFisher", cybersecurity researchers warn.

FinFisher is sold to global governments and intelligence agencies and can be used to snoop on webcam feeds, keystrokes, microphones and web browsing. Documents, previously published by WikiLeaks, indicate that one tool called "FinFly ISP" may be linked to the case.

The digital surveillance tools are peddled by an international firm called Gamma Group and have in the past been sold to repressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE). In March this year, the company attended a security conference sponsored by the UK Home Office.

This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by "man in the middle" (MitM) attacks at an ISP level – packaging real downloads with spyware.

Companies hit included WhatsApp, Skype, Avast, VLC Player and WinRAR, it said, adding that "virtually any application could be misused in this way."

When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.

When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool. The stealthy infection process was described as being "invisible to the naked eye." The seven countries were not named for security reasons, Eset said. WhatsApp and VLC Player did not respond to request for comment by the time of publication. A Microsoft spokesperson, referencing the Skype infections, told IBTimes UK : "Windows Defender antivirus cloud protection already automatically identifies and blocks the malware. "For non-cloud customers, we've deployed signatures to protect against this in our free antivirus software," the statement added.

An Avast spokesperson said: "Attackers will always focus on the most prominent targets. "Wrapping official installers of legitimate apps with malware is not a new concept and we aren't surprised to see the PC apps mentioned in this report. "What's new is that this seems to be happening at a higher level. "We don't know if the ISPs are in cooperation with the malware distributors or whether the ISPs' infrastructure has been hijacked."

The latest version of FinFisher was spotted with new customised code which kept it from being discovered, what Eset described as "tactical improvements." Some tricks, it added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools. One such application was Threema, a secure messaging service.

"The geographical dispersion of Eset's detections of FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option," the team said. "One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn't hard to implement from a technical perspective," Filip Kafka, a malware researcher at Eset, told IBTimes UK. "Since we see have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilised in the monitoring of citizens in the affected countries."

Breaking encryption has become a major talking point of governments around the world, many of which conduct bulk communications collection. Politicians argue, often without evidence, that software from companies such as WhatsApp has become a burden on terror probes .

Whatsapp, Skype and VLC all targeted by FinFisher spyware.

One WikiLeaks document on FinFly ISP touted its ability to conduct surveillance at an ISP level. The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software. " It added that it "can be installed on an internet service provider's network" and listed one use case when it was previously deployed by an unnamed intelligence agency. Eset found that all affected targets within one of the countries were using the same ISP.

[Sep 25, 2017] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine)

Notable quotes:
"... Intel has confirmed a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1 May 2017.[12] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine) ..."
Jun 04, 2017 | turcopolier.typepad.com
Gordon Wilson , 31 May 2017 at 09:39 PM
Colonel I have refrained from any posting anywhere for any reason for months, but since the discussion seems to turn to decryption so often I thought you might be interested in knowing about network management systems built into Intel and AMD based machines for years, https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
Hardware-based management does not depend on the presence of an OS or locally installed management agent. Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems.[6] AMT is not intended to be used by itself; it is intended to be used with a software management application.[1] It gives a management application (and thus, the system administrator who uses it) access to the PC down the wire, in order to remotely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.[1][3][7]
...
Intel has confirmed a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1 May 2017.[12] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine) .[13][14]
I think our second O in OODA is getting fuzzed if we don't consider some of the observations found in "Powershift" by Toffler as well.

The point being is that many Intel and AMD based computers can and have been owned by various governments and groups for years, and at this level have access to any information on these machines before the encryption software is launched to encrypt any communications.

If this known software management tool is already on board, then extrapolation Toffler's chipping warning to unannounced or unauthorized by various actors, one begins to see where various nation states have gone back to typewriters for highly sensitive information, or are building their own chip foundries, and writing their own operating systems and TCP/IP protocols, and since these things are known knowns, one would not be too far fetched in assuming the nation state level players are communicating over something entirely different than you and I are using. How that impacts the current news cycle, and your interpretation of those events, I leave to your good judgment.

I would urge all of my fellow Americans, especially those with a megaphone, to also take care that we are not the subject of the idiom divide and conquer instead of its' master. To that end I think the concept of information overload induced by the internet may in fact be part of the increasing polarization and information bubbles we see forming with liberals and conservatives. This too fuzzes the second O in OODA and warps the D and thus the A, IMHO.

[Sep 24, 2017] Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments

Sep 24, 2017 | apple.slashdot.org

(macrumors.com) Posted by BeauHD on Friday September 22, 2017 @10:05PM from the remote-control dept. AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on , and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.

[Sep 24, 2017] Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss

Sep 24, 2017 | tech.slashdot.org

(theguardian.com) 66 Posted by msmash on Friday September 22, 2017 @02:41PM from the up-next dept. Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years" , a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibly for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

[Sep 24, 2017] Popular Chrome Extension Embedded A CPU-Draining Cryptocurrency Miner

Sep 24, 2017 | slashdot.org

(bleepingcomputer.com) Posted by EditorDavid on Saturday September 23, 2017 @02:34PM from the yours-and-mining dept. An anonymous reader writes: SafeBrowse, a Chrome extension with more than 140,000 users, contains an embedded JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent. The additional code drives CPU usage through the roof, making users' computers sluggish and hard to use. Looking at the SafeBrowse extension's source code, anyone can easily spot the embedded Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others. This is the same technology that The Pirate Bay experimented with as an alternative to showing ads on its site. The extension's author claims he was "hacked" and the code added without his knowledge.

[Sep 22, 2017] U.S. ban on Russian software may stoke mistrust of cyber firms

Notable quotes:
"... But whether Russia retaliates or not, mistrust of the cybersecurity field has risen, and U.S. adversaries are likely to avoid U.S.-built software, believing that U.S. intelligence agencies may have special access ..."
"... "If you're China, if you're Russia, do you want to run American-built stuff? Probably not," Clark said at a presentation hosted by the Center for Cyber & Homeland Security at The George Washington University. ..."
McClatchy Washington Bureau
The Trump administration's ban on the use of a Russian cybersecurity firm's software is heightening suspicion worldwide that private internet firms might be in league with their home governments, an industry leader said Wednesday.

The Trump administration last week told U.S. government agencies to remove Kaspersky Lab products from their networks, citing alleged ties between officials at Moscow-based Kaspersky and Russian intelligence. Non-government entities and individuals may still use Kaspersky products.

But whether Russia retaliates or not, mistrust of the cybersecurity field has risen, and U.S. adversaries are likely to avoid U.S.-built software, believing that U.S. intelligence agencies may have special access , Greg Clark, chief executive of Symantec , said Wednesday.

"If you're China, if you're Russia, do you want to run American-built stuff? Probably not," Clark said at a presentation hosted by the Center for Cyber & Homeland Security at The George Washington University.

[Sep 19, 2017] CCleaner hack affects 2.27 million computers ! here's what to do

Sep 19, 2017 | www.msn.com

Computer-optimization software is supposed to keep your computer running smoothly. Well, in this case, maybe not so much. Monday, the company that makes CCleaner, Avast's Piriform, announced that their free software was infected with malware . If you use CCleaner, here's what you need to know.

What does the malware do?

It gathers information like your IP address, computer name, a list of installed software on your computer, a list of active software and a list of network adapters and sends it to a third-party computer server. Your credit card numbers, social security number and the like seem to be safe.

"Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done," said the company in the announcement .

Who was infected?

According to Piriform, around 3 percent -- roughly 2.27 million computers -- used the infected software. Specifically, computers running 32-bit Windows 10. If that applies to you, don't panic. The company believes that they were able to disarm the malware before any harm was done.

How do I know if I have the corrupted version?

The versions that were affected are CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 for 32-bit Windows PCs. The Android version for phones doesn't seem to be affected.

If you've updated your software since September 12, you should be okay. This is when the new, uncorrupted version was released. Also, if you have the Cloud version, it should have automatically updated itself by now to the clean version.

I don't use the cloud version. What should I do?

CCleaner v5.33.6162 does not update on its own, so if you use the non-cloud version you may have the corrupted software. Piriform recommends deleting your current version and downloading a clean version from their website .

After you have your new software downloaded, run a check on your system using malware protection software to be sure that CCleaner didn't leave any nasty invader behind.

[Sep 16, 2017] ShadowBrokers Releases NSA UNITEDRAKE Manual That Targets Windows Machines

Notable quotes:
"... "Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information. ..."
"... The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation users, stealing diagnostics information and self-destructing once tasks are completed. ..."
Sep 16, 2017 | yro.slashdot.org

(schneier.com)

Posted by BeauHD on Monday September 11, 2017

AmiMoJo shares a report from Schneier on Security:

The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines :

"Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information.

UNITEDRAKE, described as a 'fully extensible remote collection system designed for Windows targets,' also gives operators the opportunity to take complete control of a device .

The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation users, stealing diagnostics information and self-destructing once tasks are completed."

[Sep 16, 2017] BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices

Notable quotes:
"... Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. ..."
Sep 16, 2017 | mobile.slashdot.org

(bleepingcomputer.com) BeauHD on Tuesday September 12, 2017

An anonymous reader quotes a report from Bleeping Computer:

Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device.

They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux , impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading BlueTooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately.

When a pat oid App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).ch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Andr

[Sep 16, 2017] Equifax Lobbied For Easier Regulation Before Data Breach

Notable quotes:
"... Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. ..."
"... The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. ..."
Sep 16, 2017 | politics.slashdot.org

(wsj.com) Posted by msmash on Tuesday September 12, 2017

WSJ reports: Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017 , according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies.

That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans.

Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures.

The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities.

While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

[Aug 30, 2017] How to Install and Use the Linux Bash Shell on Windows 10

Aug 30, 2017 | www.howtogeek.com
Windows 10's Anniversary Update offers a big new feature for developers: A full, Ubuntu-based Bash shell that can run Linux software directly on Windows. This is made possible by the new "Windows Subsystem for Linux" Microsoft is adding to Windows 10.

What You Need to Know About Windows 10's Bash Shell

RELATED ARTICLE Everything You Can Do With Windows 10's New Bash Shell

This isn't a virtual machine , a container, or Linux software compiled for Windows (like Cygwin ). Instead, Windows 10 gains a Windows Subsystem for Linux, which is based on Microsoft's abandoned Project Astoria work for running Android apps on Windows.

Think of it as the opposite of Wine . While Wine allows you to run Windows applications directly on Linux, the Windows Subsystem for Linux allows you to run Linux applications directly on Windows.

Microsoft has worked with Canonical to offer a full Ubuntu-based Bash shell that runs atop this subsystem. Technically, this isn't Linux at all. Linux is the underlying operating system kernel, and that isn't available here. Instead, this allows you to run the Bash shell and the exact same binaries you'd normally run on Ubuntu Linux. Free-software purists often argue the average Linux operating system should be called "GNU/Linux" because it's really a lot of GNU software running on the Linux kernel. The Bash shell you'll get is really just all those GNU utilities and other software.

There are some limitations here. This won't work with server software, and it won't work with graphical software. It's intended for developers who want to run Linux command-line utilities on Windows. These applications get access to the Windows file system, but you can't use Bash commands to automate normal Windows programs, or launch Bash commands from the standard Windows command-line. They get access to the same Windows file system, but that's it. Not every command-line application will work, either, as this feature is still in beta.

How to Install Bash on Windows 10

RELATED ARTICLE What's New in Windows 10's Anniversary Update

To get started, ensure you've installed the Windows 10 Anniversary Update. This only works on 64-bit builds of Windows 10, so it's time to switch to the 64-bit version of Windows 10 if you're still using the 32-bit version.

Once you're sure you're using the correct version of Windows 10, open the Settings app and head to Update & Security > For Developers. Activate the "Developer Mode" switch here to enable Developer Mode.

[Aug 30, 2017] Install the Linux Subsystem on Windows 10

Aug 30, 2017 | msdn.microsoft.com
For Windows Insiders: Install Linux distribution of choice

This section is for Windows Insiders (build 16215 or later). Follow these steps to Check your build . For earlier versions of Windows 10, follow these instructions using lxrun .

  1. Open the Windows Store and choose your favorite Linux distribution.
    Here are links directly to the store installers:
  2. Select "Get"

    Troubleshooting: Installation failed with error 0x80070003
    The Windows Subsystem for Linux only runs on your system drive (usually this is your C: drive). Make sure that new apps are stored on your system drive.
    Open Settings -> Storage -> More Storage Settings: Change where new content is saved

  3. Once the download has completed, select "Launch".
    This will open a console window. Wait for installation to complete then you will be prompted to create your UNIX user account.

    Troubleshooting: Installation failed with error 0x8007007e
    This error occurs when your system doesn't support Linux from the store. Make sure that:

  4. Create your UNIX username and password. This user account can be different from, and has no relationship to, your Windows username and password. Read more .

You're done! Now you can use your Linux environment.

For Anniversary Update and Creators Update: Install using lxrun

lxrun installs Ubuntu user-mode by default on top of the Windows subsystem for Linux.

Since moving to the store, we have stopped keeping this user-mode image up to date. When you're done, run apt-get update.

  1. Turn on Developer Mode

    Open Settings -> Update and Security -> For developers

    Select the Developer Mode radio button

  2. Open a command prompt. Run bash

    After you have accepted the License, the Ubuntu user-mode image will be downloaded and extracted. A "Bash on Ubuntu on Windows" shortcut will be added to your start menu.

  3. Launch a new Ubuntu shell by either:
    • Running bash from a command-prompt
    • Clicking the start menu shortcut
  4. Create a UNIX user

    The first time you install the Windows subsystem for Linux, you will be prompted to create a UNIX username and password.

    This UNIX username and password can be different from, and has no relationship to, your Windows username and password. Learn more about your UNIX account. .

After installation your Linux distribution will be located at: %localappdata%\lxss\ .

Avoid creating and/or modifying files in %localappdata%\lxss\ using Windows tools and apps! If you do, it is likely that your Linux files will be corrupted and data loss may occur. Avoid this issue by using a directory located under /mnt/.
Read this blog post for more information.

You're done! Go use your new Linux environment!

[Aug 30, 2017] Windows 10 Anniversary Update in August 2016 included Bash for Windows, or Windows Subsystem for Linux

Iether Ubuntu utilities or OpenSuse utilities including bash can be installed. That essentially makes Cygwin redundant.
Aug 30, 2017 | www.theregister.co.uk

Back in the desktop world, Windows 10 will now run SUSE Linux. Windows 10 Anniversary Update in August 2016 included Bash for Windows, or Windows Subsystem for Linux, to run Ubuntu Linux apps natively.

Now, however, SUSE Linux has updated the Windows Subsystem to work with its shell. You can install openSUSE Leap 42.2 or SUSE Linux Enterprise Server 12 SP2.

Instructions are here .

[Aug 28, 2017] As Prosecutors Submit Evidence, WannaCry Hero's Legal Fund Returns All Donations

Aug 28, 2017 | yro.slashdot.org

(buzzfeed.com) 128 Posted by EditorDavid on Monday August 28, 2017 @06:30AM from the fraudulent-funding dept. An anonymous reader quote BuzzFeed: The vast majority of money raised to pay for the legal defense of beloved British cybersecurity researcher Marcus Hutchins was donated with stolen or fake credit card numbers , and all donations, including legitimate ones, will be returned, the manager of the defense fund says. Lawyer Tor Ekeland, who managed the fund, said at least $150,000 of the money collected came from fraudulent sources, and that the prevalence of fraudulent donations effectively voided the entire fundraiser. He said he'd been able to identify only about $4,900 in legitimate donations, but that he couldn't be certain even of those. "I don't want to take the risk, so I just refunded everything," he said. Two days later, Hutchins posted the following on Twitter . "When sellouts are talking shit about the 'infosec community' remember that someone I'd never met flew to Vegas to pay $30K cash for my bail." Hutchins is facing up to 40 years in prison, and at first was only allowed to leave his residence for four hours each week. Thursday a judge lifted some restrictions so that Hutchins is now allowed to travel to Milwaukee, where his employer is located. According to Bloomberg, government prosecutors complain Hutchins now " has too much freedom while awaiting trial and may skip the country." Clickthrough for a list of the evidence government prosecutors submitted to the court this week.

[Jul 11, 2017] Author of Original Petya Ransomware Publishes Master Decryption Key

Jul 08, 2017 | yro.slashdot.org

(bleepingcomputer.com)

An anonymous reader writes: The author of the original Petya ransomware -- a person/group going by the name of Janus Cybercrime Solutions -- has released the master decryption key of all past Petya versions . This key can decrypt all ransomware families part of the Petya family except NotPetya,

Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data. Experts believe that Janus released Petya's decryption key as a result of the recent NotPetya outbreak, and he might have decided to shut down his operation to avoid further scrutiny, or being accused of launching NotPetya.

[Jul 08, 2017] Russia Behind Cyber-attack, Says Ukraines Security Service

Slashdot degenerated to primitive anti-Russian propaganda site
Jul 03, 2017 | politics.slashdot.org

tinkerton ( 199273 ) , Monday July 03, 2017 @05:19PM ( #54738011 )

Re:The Russians ate my homework... ( Score: 4 , Insightful)

The article's central message is plausible: Russia running a cyberwar against Ukraine and at the same time trying to build up knowhow. But at the same time the author knows that he can write anything about Russia and it will be believed. At the same time the story is part of a large anti-Russia and anti Trump campaign.

I don't keep track so I don't have a lot of links ready but I know the news about a russian cyberattack on US powerplant was bogus. Russian hacking of DNC was bogus.Russian-Trump links are bogus. Russian hacking of french elections was bogus. But these debunkings only come through very slowly. On the other side there is a barrage of claims that is so overwhelming nobody can begin to debunk them.

And I see good reasons why the democrats and the military industrical complex prefer to have high tensions with Russia and why they want to blame Russia for the failed elections. And I see why the press goes along with it.

And I think that whatever Russia is doing(a lot less than claimed, but certainly a lot of business as usual nasty stuff) it's a good idea to improve the ties with them rather than deteriorate them. That is my opinion about policy. That it's in the west's interest. I also think they're open for chances for improvement , at least as long as Putin is there.

But look at this thread. It's almost unanimous against Russia. Any outsider looking here without any knowledge of the situation would know, this is bad. It means no good thinking will come out of it.(there's more reasons for that though). It also means propaganda is still very effective here and now.

So the article of the topic here may have a good degree of truth, but it's all part of an anti-russian frenzy which I think is a very bad idea.

Here's a new link about a lot of the hacking stories. It covers quite some ground. I'd have to dig for the rest. The ones I mentioned are some I'm pretty certain of although one can debate how convincing the proof is. https://consortiumnews.com/201... [consortiumnews.com]

I didn't discuss Trump. I'd like to get rid of him but I'm convinced the current campaign to link him to Russia is extremely dishonest. He's right about that. Maybe he'll go down because in his efforts to stop them he'll do something very illegal. Or maybe he'll stay in power because he made the right friends. The Saudis and the weapons manufacturers for instance. Then all that the anti Russia campaign will have achieved is to give us the worst of both worlds. Thanks for cooperating everyone.

bogaboga ( 793279 ) , Monday July 03, 2017 @01:17PM ( #54736005 )
Wow...wait a moment... ( Score: 2 )
Russia Behind Cyber-attack, Says Ukraine's Security Service

I think it's premature to jump to such conclusions since we know that our very own CIA has also been implicated...

Vault 7 [wikileaks.org] and more. [wired.com]

atomlib ( 2618043 ) writes: on Monday July 03, 2017 @01:05PM ( #54735925 ) Homepage
Russian companies were hit by that Petya thing ( Score: 1 , Troll)

Whatever it was, that Petya thing hit bunch of Russian companies as well. For example, it hit Russia's top oil providers Rosneft and Bashneft. Some of them suffered quite a bit. Invitro, a nationwide network of private medical laboratories, temporarily ceased samples collection due to the cyberattack.

qaz123 ( 2841887 ) writes: on Monday July 03, 2017 @02:42PM ( #54736649 )
Ukraine says... ( Score: 1 )

Of course Ukraine would say that. No matter it's true or not. Because that hurts Russia and that what Ukraine wants now

Re:The only true security is renewables ( Score: 2 ) by tinkerton ( 199273 ) writes: on Monday July 03, 2017 @05:24PM ( #54738061 )

Because we don't fear the bear.

Exactly.When we're enthusiastically demonizing some party it means we're not scared of them. There have been exceptions, but that's long ago.

[Jul 04, 2017] Foisting Blame for Cyber-Hacking on Russia by Gareth Porter

Notable quotes:
"... Recent hearings by the Senate and House Intelligence Committees reflected the rising tide of Russian-election-hacking hysteria and contributed further to it. Both Democrats and Republicans on the two committees appeared to share the alarmist assumptions about Russian hacking, and the officials who testified did nothing to discourage the politicians. ..."
"... The Department of Homeland Security (DHS) has a record of spreading false stories about alleged Russian hacking into US infrastructure , such as the tale of a Russian intrusion into the Burlington, Vermont electrical utility in December 2016 that DHS later admitted was untrue. There was another bogus DHS story about Russia hacking into a Springfield, Illinois water pump in November 2011. ..."
"... So, there's a pattern here. Plus, investigators, assessing the notion that Russia hacked into state electoral databases, rejected that suspicion as false months ago. Last September, Assistant Secretary of DHS for Cybersecurity Andy Ozment and state officials explained that the intrusions were not carried out by Russian intelligence but by criminal hackers seeking personal information to sell on the Internet. ..."
"... Illinois is the one state where hackers succeeded in breaking into a voter registration database last summer. The crucial fact about the Illinois hacking, however, was that the hackers extracted personal information on roughly 90,000 registered voters, and that none of the information was expunged or altered. ..."
"... "Any time you more carefully monitor a system you're going to see more bad guys poking and prodding at it," he observed, " because they're always poking and prodding." [Emphasis added] ..."
"... Reagan further revealed that she had learned from the FBI that hackers had gotten a user name and password for their electoral database, and that it was being sold on the "dark web" – an encrypted network used by cyber criminals to buy and sell their wares. In fact, she said, the FBI told her that the probe of Arizona's database was the work of a "known hacker" who had been closely monitored "frequently." ..."
"... The sequence of events indicates that the main person behind the narrative of Russian hacking state election databases from the beginning was former FBI Director James Comey. In testimony to the House Judiciary Committee on Sept. 28, Comey suggested that the Russian government was behind efforts to penetrate voter databases, but never said so directly. ..."
"... The media then suddenly found unnamed sources ready to accuse Russia of hacking election data even while admitting that they lacked evidence. The day after Comey's testimony ABC headlined , "Russia Hacking Targeted Nearly Half of States' Voter Registration Systems, Successfully Infiltrating 4." The story itself revealed, however, that it was merely a suspicion held by "knowledgeable" sources. ..."
"... But that claim of a "likely" link between the hackers and Russia was not only speculative but highly suspect. The authors of the DHS-ODNI report claimed the link was "supported by technical indicators from the US intelligence community, DHS, FBI, the private sector and other entities." They cited a list of hundreds of I.P. addresses and other such "indicators" used by hackers they called "Grizzly Steppe" who were supposedly linked to Russian intelligence. ..."
"... But the highly classified NSA report made no reference to any evidence supporting such an attribution. The absence of any hint of signals intelligence supporting its conclusion makes it clear that the NSA report was based on nothing more than the same kind of inconclusive "indicators" that had been used to establish the original narrative of Russians hacking electoral databases. ..."
"... Russian intelligence certainly has an interest in acquiring intelligence related to the likely outcome of American elections, but it would make no sense for Russia's spies to acquire personal voting information about 90,000 registered voters in Illinois. ..."
Jul 04, 2017 | original.antiwar.com
Cyber-criminal efforts to hack into U.S. government databases are epidemic, but this ugly reality is now being exploited to foist blame on Russia and fuel the New Cold War hysteria

Recent hearings by the Senate and House Intelligence Committees reflected the rising tide of Russian-election-hacking hysteria and contributed further to it. Both Democrats and Republicans on the two committees appeared to share the alarmist assumptions about Russian hacking, and the officials who testified did nothing to discourage the politicians.

On June 21, Samuel Liles, acting director of the Intelligence and Analysis Office's Cyber Division at the Department of Homeland Security, and Jeanette Manfra, acting deputy under secretary for cyber-security and communications, provided the main story line for the day in testimony before the Senate committee - that efforts to hack into election databases had been found in 21 states.

Former DHS Secretary Jeh Johnson and FBI counterintelligence chief Bill Priestap also endorsed the narrative of Russian government responsibility for the intrusions on voter registration databases.

But none of those who testified offered any evidence to support this suspicion nor were they pushed to do so. And beneath the seemingly unanimous embrace of that narrative lies a very different story.

The Department of Homeland Security (DHS) has a record of spreading false stories about alleged Russian hacking into US infrastructure , such as the tale of a Russian intrusion into the Burlington, Vermont electrical utility in December 2016 that DHS later admitted was untrue. There was another bogus DHS story about Russia hacking into a Springfield, Illinois water pump in November 2011.

So, there's a pattern here. Plus, investigators, assessing the notion that Russia hacked into state electoral databases, rejected that suspicion as false months ago. Last September, Assistant Secretary of DHS for Cybersecurity Andy Ozment and state officials explained that the intrusions were not carried out by Russian intelligence but by criminal hackers seeking personal information to sell on the Internet.

Both Ozment and state officials responsible for the state databases revealed that those databases have been the object of attempted intrusions for years. The FBI provided information to at least one state official indicating that the culprits in the hacking of the state's voter registration database were cyber-criminals.

Illinois is the one state where hackers succeeded in breaking into a voter registration database last summer. The crucial fact about the Illinois hacking, however, was that the hackers extracted personal information on roughly 90,000 registered voters, and that none of the information was expunged or altered.

The Actions of Cybercriminals

That was an obvious clue to the motive behind the hack. Assistant DHS Secretary Ozment testified before the House Subcommittee on Information Technology on Sept. 28 ( at 01:02.30 of the video ) that the apparent interest of the hackers in copying the data suggested that the hacking was "possibly for the purpose of selling personal information."

Ozment 's testimony provides the only credible motive for the large number of states found to have experienced what the intelligence community has called "scanning and probing" of computers to gain access to their electoral databases: the personal information involved – even e-mail addresses – is commercially valuable to the cybercriminal underworld.

That same testimony also explains why so many more states reported evidence of attempts to hack their electoral databases last summer and fall. After hackers had gone after the Illinois and Arizona databases, Ozment said, DHS had provided assistance to many states in detecting attempts to hack their voter registration and other databases.

"Any time you more carefully monitor a system you're going to see more bad guys poking and prodding at it," he observed, " because they're always poking and prodding." [Emphasis added]

State election officials have confirmed Ozment's observation. Ken Menzel, the general counsel for the Illinois Secretary of State, told this writer, "What's new about what happened last year is not that someone tried to get into our system but that they finally succeeded in getting in." Menzel said hackers "have been trying constantly to get into it since 2006."

And it's not just state voter registration databases that cybercriminals are after, according to Menzel. "Every governmental data base – driver's licenses, health care, you name it – has people trying to get into it," he said.

Arizona Secretary of State Michele Reagan told Mother Jones that her I.T. specialists had detected 193,000 distinct attempts to get into the state's website in September 2016 alone and 11,000 appeared to be trying to "do harm."

Reagan further revealed that she had learned from the FBI that hackers had gotten a user name and password for their electoral database, and that it was being sold on the "dark web" – an encrypted network used by cyber criminals to buy and sell their wares. In fact, she said, the FBI told her that the probe of Arizona's database was the work of a "known hacker" who had been closely monitored "frequently."

James Comey's Role

The sequence of events indicates that the main person behind the narrative of Russian hacking state election databases from the beginning was former FBI Director James Comey. In testimony to the House Judiciary Committee on Sept. 28, Comey suggested that the Russian government was behind efforts to penetrate voter databases, but never said so directly.

Comey told the committee that FBI Counterintelligence was working to "understand just what mischief Russia is up to with regard to our elections." Then he referred to "a variety of scanning activities" and "attempted intrusions" into election-related computers "beyond what we knew about in July and August," encouraging the inference that it had been done by Russian agents.

The media then suddenly found unnamed sources ready to accuse Russia of hacking election data even while admitting that they lacked evidence. The day after Comey's testimony ABC headlined , "Russia Hacking Targeted Nearly Half of States' Voter Registration Systems, Successfully Infiltrating 4." The story itself revealed, however, that it was merely a suspicion held by "knowledgeable" sources.

Similarly, NBC News headline announced, "Russians Hacked Two US Voter Databases, Officials Say." But those who actually read the story closely learned that in fact none of the unnamed sources it cited were actually attributing the hacking to the Russians.

It didn't take long for Democrats to turn the Comey teaser - and these anonymously sourced stories with misleading headlines about Russian database hacking - into an established fact. A few days later, the ranking Democrat on the House Intelligence Committee, Rep. Adam Schiff declared that there was "no doubt" Russia was behind the hacks on state electoral databases.

On Oct. 7, DHS and the Office of the Director of National Intelligence issued a joint statement that they were "not in a position to attribute this activity to the Russian government." But only a few weeks later, DHS participated with FBI in issuing a "Joint Analysis Report" on "Russian malicious cyber activity" that did not refer directly to scanning and spearphishing aimed of state electoral databases but attributed all hacks related to the election to "actors likely associated with RIS [Russian Intelligence Services]."

Suspect Claims

But that claim of a "likely" link between the hackers and Russia was not only speculative but highly suspect. The authors of the DHS-ODNI report claimed the link was "supported by technical indicators from the US intelligence community, DHS, FBI, the private sector and other entities." They cited a list of hundreds of I.P. addresses and other such "indicators" used by hackers they called "Grizzly Steppe" who were supposedly linked to Russian intelligence.

But as I reported last January, the staff of Dragos Security, whose CEO Rob Lee, had been the architect of a US government system for defense against cyber attack, pointed out that the vast majority of those indicators would certainly have produced "false positives."

Then, on Jan. 6 came the "intelligence community assessment" – produced by selected analysts from CIA, FBI and National Security Agency and devoted almost entirely to the hacking of e-mail of the Democratic National Committee and Hillary Clinton's campaign chairman John Podesta. But it included a statement that "Russian intelligence obtained and maintained access to elements of multiple state or local election boards." Still, no evidence was evinced on this alleged link between the hackers and Russian intelligence.

Over the following months, the narrative of hacked voter registration databases receded into the background as the drumbeat of media accounts about contacts between figures associated with the Trump campaign and Russians built to a crescendo, albeit without any actual evidence of collusion regarding the e-mail disclosures.

But a June 5 story brought the voter-data story back into the headlines. The story, published by The Intercept, accepted at face value an NSA report dated May 5, 2017 , that asserted Russia's military intelligence agency, the GRU, had carried out a spear-phishing attack on a US company providing election-related software and had sent e-mails with a malware-carrying word document to 122 addresses believed to be local government organizations.

But the highly classified NSA report made no reference to any evidence supporting such an attribution. The absence of any hint of signals intelligence supporting its conclusion makes it clear that the NSA report was based on nothing more than the same kind of inconclusive "indicators" that had been used to establish the original narrative of Russians hacking electoral databases.

A Checkered History

So, the history of the US government's claim that Russian intelligence hacked into election databases reveals it to be a clear case of politically motivated analysis by the DHS and the Intelligence Community. Not only was the claim based on nothing more than inherently inconclusive technical indicators but no credible motive for Russian intelligence wanting personal information on registered voters was ever suggested.

Russian intelligence certainly has an interest in acquiring intelligence related to the likely outcome of American elections, but it would make no sense for Russia's spies to acquire personal voting information about 90,000 registered voters in Illinois.

When FBI Counterintelligence chief Priestap was asked at the June 21 hearing how Moscow might use such personal data, his tortured effort at an explanation clearly indicated that he was totally unprepared to answer the question.

"They took the data to understand what it consisted of," said Priestap, "so they can affect better understanding and plan accordingly in regards to possibly impacting future election by knowing what is there and studying it."

In contrast to that befuddled non-explanation, there is highly credible evidence that the FBI was well aware that the actual hackers in the cases of both Illinois and Arizona were motivated by the hope of personal gain.

Gareth Porter, an investigative historian and journalist specializing in US national security policy, received the UK-based Gellhorn Prize for journalism for 2011 for articles on the U.S. war in Afghanistan. His new book is Manufactured Crisis: the Untold Story of the Iran Nuclear Scare . He can be contacted at porter.gareth50@gmail.com . Reprinted from Consortium News with the author's permission.

Read more by Gareth Porter Why Afghanistan? Fighting a War for the War System Itself – June 13th, 2017 The Kissinger Backchannel to Moscow – June 4th, 2017 Will Trump Agree to the Pentagon's Permanent War in Iraq, Afghanistan and Syria? – May 14th, 2017 US 'Deep State' Sold Out Counter-Terrorism To Keep Itself in Business – April 23rd, 2017 New Revelations Belie Trump Claims on Syria Chemical Attack – April 14th, 2017

View all posts by Gareth Porter

[Jul 01, 2017] Hacks Raise Fear Over N.S.A.s Hold on Cyberweapons

We should introduce pretty harsh penalty for lying about hacking by government officials... Because this became their favorite pasture. NYT presstitutes, of course, try to push "Putin-did-it" meme. What else you can expect from neocon stooges...
Notable quotes:
"... The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. ..."
"... But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands. ..."
"... On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul . Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely ..."
"... "When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have - and the greatest fear is one of miscalculation, that something unintended can happen," Mr. Panetta said. ..."
Jul 01, 2017 | www.nytimes.com

Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States - Britain and Ukraine .

The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons.

But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.

On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul . Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

Though the original targets of Tuesday's attacks appear to have been government agencies and businesses in Ukraine, the attacks inflicted enormous collateral damage, taking down some 2,000 global targets in more than 65 countries, including Merck, the American drug giant, Maersk, the Danish shipping company, and Rosneft, the Russian state owned energy giant. The attack so crippled operations at a subsidiary of Federal Express that trading had to be briefly halted for FedEx stock.

"When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have - and the greatest fear is one of miscalculation, that something unintended can happen," Mr. Panetta said.

[Jun 30, 2017] The worlds most reprehensible newspaper, The New York Times, is quick to blame the ransomeware attack which crippled computers in Ukraine on Russia.

Notable quotes:
"... The New York Times ..."
"... Washington Post ..."
Jun 30, 2017 | marknesop.wordpress.com
marknesop , June 28, 2017 at 10:57 pm
The world's most reprehensible newspaper, The New York Times , is quick to blame the ransomeware attack which crippled computers in Ukraine on Russia . Never mind the evidence; Ukrainians say Russia did it, and Ukrainians never lie. Moreover, they say it was Russia because just a couple of days ago a senior government official was blown up in a car bomb attack, and that was Russia, so they probably did this, too. QED.

Curiously enough, another Times story from just a little over a month ago reported a near-identical attack, which it said was executed using malicious software 'stolen' from the NSA's tickle trunk .

Uh huh. Sure it was. And Cisco Systems is right there in Kiev, 'helping' Ukraine pin down the origin of the attack.

For what it's worth, one of our favouritest authors, Molly McKew – at the Washington Post , the world's second-most-reprehensible newspaper – quickly makes the connection between Shapoval's murder and Russia , which she says is the wide assumption of experts.

[Jun 30, 2017] the first target of the attack: MEDoc, a Ukrainian company that develops tax accounting software and malware initially spead through a system updater process

Jun 30, 2017 | www.msn.com

While there are still plenty of unknowns regarding Petya, security researchers have pinpointed what they believe to be the first target of the attack: M.E.Doc, a Ukrainian company that develops tax accounting software.

The initial attack took aim the software supply chain of the tax software MEDoc, which then spread through a system updater process that carried malicious code to thousands of machines, including those who do business in Ukraine.

[Jun 28, 2017] New computer virus spreads from Ukraine to disrupt world business

Small sum of money demanded might suggest Ukranian origin as $300 is big money in this country empioverished by Maydan coup detat.
Jun 28, 2017 | www.msn.com

U.S. delivery firm FedEx Corp said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China's Cofco.

The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware attack in May.

More than 30 victims paid up but security experts are questioning whether extortion was the goal, given the relatively small sum demanded, or whether the hackers were driven by destructive motives rather than financial gain.

Hackers asked victims to notify them by email when ransoms had been paid but German email provider Posteo quickly shut down the address, a German government cyber security official said.

While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not as virulent as May's WannaCry attack.

Security researchers said Tuesday's virus could leap from computer to computer once unleashed within an organisation but, unlike WannaCry, it could not randomly trawl the internet for its next victims, limiting its scope to infect.

Bushiness that installed Microsoft's latest security patches from earlier this year and turned off Windows file-sharing features appeared to be largely unaffected. A number of the international firms hit have operations in Ukraine, and the virus is believed to have spread within global corporate networks after gaining traction within the country. ... ... ...

Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide, has a logistics unit in Ukraine.

Other large firms affected, such as French construction materials company Saint Gobain and Mondelez International Inc, which owns chocolate brand Cadbury, also have operations in the country.

Maersk was one of the first global firms to be taken down by the cyber attack and its operations at major ports such as Mumbai in India, Rotterdam in the Netherlands and Los Angeles on the U.S. west coast were disrupted.

Other companies to succumb included BNP Paribas Real Estate , a part of the French bank that provides property and investment management services.

"The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack," the bank said on Wednesday.

Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down.

Russia's Rosneft, one of the world's biggest crude producers by volume, said on Tuesday its systems had suffered "serious consequences" but oil production had not been affected because it switched to backup systems. (Additional reporting by Helen Reid in London, Teis Jensen in Copenhagen, Maya Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in Warsaw, Byron Kaye in Sydney, John O'Donnell in Frankfurt, Ari Rabinovitch in Tel Aviv and Noor Zainab Hussain in Bangalore; writing by Eric Auchard and David Clarke; editing by David Clarke)

[Jun 28, 2017] Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World

Notable quotes:
"... ( a non-paywalled source ) ..."
Jun 28, 2017 | it.slashdot.org

(vice.com) 97

Posted by msmash on Tuesday June 27, 2017

A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world.

From a report:

A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations ( a non-paywalled source ) , the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement.

BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland ." According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A .

Here's how Petya encrypts files on a system (video).

News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well .

From the report:

"We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

[Jun 28, 2017] Heritage Valley Health System Target Of Cyber Attack

Jun 28, 2017 | it.slashdot.org
(cbslocal.com) 23 Posted by msmash on Tuesday June 27, 2017 @03:20PM from the aggressive-expansion dept. The Heritage Valley Health System says it has been hit with a cyber attack. From a report: A spokeswoman confirmed the attack Tuesday morning. "Heritage Valley Health System has been affected by a cyber security incident . The incident is widespread and is affecting the entire health system including satellite and community locations. We have implemented downtime procedures and made operational adjustments to ensure safe patient care continues un-impeded." Heritage Valley is a $480 million network that provides care for residents of Allegheny, Beaver, Butler and Lawrence counties, in Pennsylvania; parts of eastern Ohio; and the panhandle of West Virginia. Also read: Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World .

[Jun 28, 2017] Hacker Behind Massive Ransomware Outbreak Cant Get Emails From Victims Who Paid

Jun 28, 2017 | it.slashdot.org
(vice.com) 143 Posted by msmash on Tuesday June 27, 2017 @04:41PM from the interesting-turns dept. Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere . The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files . [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away.

[Jun 28, 2017] Petya Ransomware Outbreak Originated In Ukraine Via Tainted Accounting Software

Jun 28, 2017 | tech.slashdot.org

An anonymous reader quotes a report from Bleeping Computer:

Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc , a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos , ESET , MalwareHunter , Kaspersky Lab , and others , an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software packaged delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory . Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware .

[Jun 28, 2017] Petya cyber attack Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

Jun 28, 2017 | telegraph.co.uk

Ransomware is 2016-programme 'Petya'

Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology agency has told Reuters.

"There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail.

I t said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016.

Russia's top oil producer Rosneft said a large-scale cyber attack hit its servers on Tuesday, with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted. 3:48PM 'A multi-pronged attack' "This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," said Allan Liska, a security analyst at Recorded Future.

"There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine).

[Jun 28, 2017] Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

Jun 28, 2017 | marknesop.wordpress.com
Moscow Exile , June 27, 2017 at 11:42 am
Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

Huge cyber attack cripples firms, airports, banks and government departments in Ukraine

Hack may have spread to Britain, with the advertising firm WPP affected

Danish and Spanish multinationals also paralysed by attack

Michael Fallon warns UK could respond to cyber attacks with military force

The Defence Secretary has said the UK would be prepared to retaliate against future cyber attacks using military force such as missile strikes.

He warned cyber attacks against UK systems "could invite a response from any domain – air, land, sea or cyberspace".

Tough guy, huh?

What a tosser!

Blah, blah, fucking-blah.

And the firm where I was working this afternoon, MSD Pharmaceuticals, has been down all day.

That's in Moscow.

In Russia.

Anyone said "Putin done it!" yet?

Moscow Exile , June 27, 2017 at 11:46 am
Comment to same story in the Independent:

This story was being reported as an attack on Ukraine alone by this a- wipe earlier today (and Russia were being put in the frame for it)

The attack was always a global one and indeed many Russian companies have been hit – but of course the 1% want the world to believe it is all down to the Russian government.

Add to that bit of knowledge – the extra bits of knowledge that the 1% are all buying up properties in New Zealand all of a sudden – and the US are suddenly pushing hard against the Syrian government, notwithstanding the fact that Russia are allied to Syria and Iran in their fight against terrorism (i.e. the US)

Can you all now see what is going on in the minds of those that would rule the world?

Moscow Exile , June 27, 2017 at 1:52 pm
Kremlin says its computers not affected by hacker attack

Well there you are, then!

The Kremlin must have been behind the attacks.

Stands to reason, don't it?

marknesop , June 27, 2017 at 3:50 pm
Actually, they blame North Korea for it, although that seems pretty unlikely to me and is more likely just capitalizing on an event to do a little bashing.

Why is Fallon only prepared to respond militarily to the next attack? Why not this one? Come on, Mikey, get your finger out! What're they paying you for?

kirill , June 27, 2017 at 6:58 pm
Trash talking chihuahua.

[Jun 28, 2017] Huge ransomware outbreak spreads in Ukraine and beyond • The Register

tech.slashdot.org
Updated A huge ‪ransomware‬ outbreak has hit major banks, utilities and telcos in Ukraine as well as victims in other countries.

Check out our full analysis of the software nasty, here .

Early analysis of the attack points towards a variant of the known Petya ransomware , a strain of malware that encrypts the filesystem tables and hijacks the Master Boot Record to ensure it starts before the operating system on infected Windows PCs. Early reports suggest the malware is spreading using by network shares and email but this remains unconfirmed. The outbreak is centred but not confined to the Ukraine. Victims in Spain, France and Russia have also been reported.

Victims include Ukrainian power distribution outfit Ukrenergo, which said the problem is confined to its computer network and is not affecting its power supply operations, Reuters reports . Other victims include Oschadbank, one of Ukraine's largest state-owned lenders.

Global shipping outfit Maersk Group is also under the cosh.

Hackers behind the attack are demanding $300 (payable in Bitcoin) to unlock each computer. It's easy to ascribe any computing problem in Ukraine to Russia because of the ongoing conflict between the two countries, but the culprits behind the latest attack are just as likely to be cybercriminals as state-sponsored saboteurs, judging by the evidence that's emerged this far.

"While ransomware can be (and has been) used to cover other attacks, I think it's wise to consider Ukraine attack cybercriminal for now," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher. ®

Updated at 1500 UTC to add : Allan Liska, intelligence architect at Recorded Future, said the attack has multiple components including an attack to steal login credentials as well as trash compromised computers.

"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," Liska said. "The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older version of Petya are well-known for their viciousness, rather than encrypt select files Petya overwrote the master boot record on the victim machine, making it completely inoperable)."

There is some speculation that, like WannaCrypt, this attack is being spread using the EternalBlue exploit, which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine). "Our threat intelligence also indicated that we are now starting to see US victims of this attack," according to Liska.

There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking Trojan that extracts usernames and passwords from compromised computers. This means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion, according to Recorded Future.

Updated at 1509 UTC to add : Reg sources from inside London firms have been notifying us that they've been infected. We were sent this screenshot (cropped to protect the innocent) just minutes ago:

[Jun 24, 2017] Obama Ordered Cyberweapons Implanted Into Russias Infrastructure by Jason Ditz

Jun 23, 2017 | news.antiwar.com

Former Official: Implants Designed to 'Cause Them Pain and Discomfort'

A new report from the Washington Post today quoted a series of Obama Administration officials reiterating their official narrative on Russia's accused hacking of the 2016 election. While most of the article is simply rehashes and calls for sanctions, they also revealed a secret order by President Obama in the course of "retaliation" for the alleged hacking.

This previously secret order involved having US intelligence design and implant a series of cyberweapons into Russia's infrastructure systems, with officials saying they are meant to be activated remotely to hit the most important networks in Russia and are designed to " cause them pain and discomfort ."

The US has, of course, repeatedly threatened "retaliatory" cyberattacks against Russia, and promised to knock out broad parts of their economy in doing so. These appear to be the first specific plans to have actually infiltrate Russian networks and plant such weapons to do so.

Despite the long-standing nature of the threats, by the end of Obama's last term in office this was all still in the "planning" phases. It's not totally clear where this effort has gone from there, but officials say that the intelligence community, once given Obama's permission, did not need further approval from Trump to continue on with it, and he'd have actually had to issue a countermanding order, something they say he hasn't.

The details are actually pretty scant on how far along the effort is, but the goal is said to be for the US to have the ability to retaliate at a moment's notice the next time they have a cyberattack they intend to blame on Russia.

Unspoken in this lengthy report, which quotes unnamed former Obama Administration officials substantially, advocating the effort, is that in having reported that such a program exists, they've tipped off Russia about the threat.

This is, however, reflective of the priority of the former administration, which is to continuing hyping allegations that Russia got President Trump elected, a priority that's high enough to sacrifice what was supposed to be a highly secretive cyberattack operation.

[Jun 17, 2017] Erebus Ransomware Targets Linux Servers by Jahanzaib Hassan

Jun 17, 2017 | www.hackread.com
The IT security researchers at Trend Micro recently discovered malware that has the potential to infect Linux-based servers. The malware, called Erebus, has been responsible for hijacking 153 Linux-based networks of a South Korean web-hosting company called NAYANA. NAYANA's clients affected

Erebus is a ransomware capable of infecting Linux operating systems. As such, around 3,400 of NAYANA's clients were affected due to the attack with databases, websites and other files being encrypted.

The incident took place on 10th June. As of now, NAYANA has not received the keys to decrypt their files despite having paid three parts of the ransom. The fourth one, which is allegedly the last installment, is yet to be paid. However, according to NAYANA, the attackers claimed to provide the key after three payments.

Related How To Prevent Growing Issue of Encryption Based Malware (Ransomware) What is Erebus?

According to Trend Micro's report , Erebus was originally found back in September 2016. At the time, the malware was not that harmful and was being distributed through malware-containing advertisements. Once the user clicked on those ads, the ransomware would activate in the usual way.

The initial version of the Erebus only affected 423 file types and did so using the RSA-2048 encryption algorithm, thereby encrypting the files with the .encrypt extension. Furthermore, it was this variant that was using a number of websites in South Korea as a command-&-control (C&C) center.

Later, in February 2017, the malware had seemingly evolved as now it had the ability to bypass User Account Control (UAC). For those who may be unfamiliar with UAC, it is primarily a Windows privacy protection system that restricts anyone who is not authorized, to alter the user's computer.

However, this later version of the Erebus was able to do so and inject ransomware ever so conveniently. The campaign in which this version was involved demanded a ransom of 0.085 bitcoins – equivalent to USD 216 at present – and threatened to delete the files in 96 hours if the ransom was not paid.

Now, however, Erebus has reached new heights by having the ability to bypass not only UAC but also affect entire networks that run on Linux. Given that most organizations today use Linux for their networks, it is no surprise to see that the effects of the malware are far-reaching.

How does the latest Erebus work?

According to Trend Micro, the most recent version of Erebus uses RSA algorithm to alter the AES keys in Windows and change the encryption key as such. Also, the attack is accompanied by a Bluetooth service so as to ensure that the ransomware does not break, even after the computer is rebooted.

This version can affect a total of 433 file types including databases, archives, office documents, email files, web-based files and multimedia files. The ransom demanded in this campaign amounts to 5 bitcoins, which is USD 12,344 currently.

Related New Linux SSH Brute-force LUA Bot Shishiga Detected in the Wild Erebus is not the first of its kind

Although ransomware affecting Linux based networks are rare, they are, however, not new. Erebus is not the first ransomware to have affected networks running on Linux. In fact, Trend Micro claims that such ransomware was discovered as far back as in 2014.

Some of the ransomware include Linux.Encoder, Encrypter RaaS, KillDisk, KimcilWare and much more. All of these were allegedly developed from an open-source code project that was available as part of an educational campaign.

The ransomware for Linux, despite being somewhat inferior to those for Windows , are still potent enough to cause damage on a massive scale. This is because, a number of organizations and data centers use Linux, and hijacking such high-end systems can only mean catastrophe.

Safety precautions

To avoid any accidents happening, IT officials and organizations running Linux-based networks need to take some serious precautions. The most obvious one is to simply keep the server updated with the latest firmware and anti-virus software.

Furthermore, it is always a good idea to keep a back-up of your data files in two to three separate locations. It is also repeatedly advised to avoid installing unknown third-party programs as these can act as potential gateways for such ransomware.

Lastly, IT administrators should keep monitoring the traffic that passes through the network and looks for anomalies by identifying any inconsistencies in event logs.

[Jun 09, 2017] Task force tells Congress health IT security is in critical condition by Sean Gallagher

Jun 08, 2017 | arstechnica.com

6/8/2017

Report warns lack of security talent, glut of legacy hardware pose imminent threat.

A congressionally mandated healthcare industry task force has published the findings of its investigation into the state of health information systems security, and the diagnosis is dire.

The Health Care Industry Cybersecurity Task Force report (PDF), published on June 1, warns that all aspects of health IT security are in critical condition and that action is needed both by government and the industry to shore up security. The recommendations to Congress and the Department of Health and Human Services (HHS) included programs to drive vulnerable hardware and software out of health care organizations. The report also recommends efforts to inject more people with security skills into the healthcare work force, as well as the establishment of a chain of command and procedures for dealing with cyber attacks on the healthcare system.

The problems healthcare organizations face probably cannot be fixed without some form of government intervention. As the report states, "The health care system cannot deliver effective and safe care without deeper digital connectivity. If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security."

At the same time, government intervention is part of what got health organizations into this situation-by pushing them to rapidly adopt connected technologies without making security part of the process.

The report, mandated by the 2015 Cybersecurity Act , was supposed to be filed to Congress by May 17. However, just five days before it was due, the WannaCry ransomware worm struck the UK's National Health Service , affecting 65 hospitals.

"The HHS stance is pretty much that we got incredibly lucky in the US [with WannaCry], and our luck is going to run out," Joshua Corman, co-founder of the information security non-profit organization I Am The Cavalry and a member of the task force, told Ars. The report was delayed by the WannaCry outbreak, Corman said, who observed that the task force members were disappointed that they hadn't gotten the report out sooner: "because if the report had been out a week or two prior to WannaCry, you could have bet that every Congressional staffer would have been reading it during the outbreak."

The task force was co-chaired by Emery Csulak, the chief information security officer for the Centers for Medicare and Medicaid Services, and Theresa Meadows, who is a registered nurse and chief information officer of the Cook Children's Health Care System. The task force also included representatives from the security industry, government and private health care organizations, pharmaceutical firms, medical device manufacturers, insurers, and others from the wider health care industry-as well as healthcare data journalist and patient advocate Fred Trotter . Corman said that the task force was "probably the hardest thing I've ever done and maybe the most important thing I'll ever do-especially if some of these recommendations are acted upon."

But it's not certain that the report will spur any immediate action, given the current debate over healthcare costs in Congress and the stance of the Trump administration on regulation. Even so, Corman explained:

When we were working on this, we realized that if it was summarily ignored by the next administration, or if it was ignored for being too costly, the report could still be a backstop-in that when the first crisis happens, this will be the most recently available report that will be the blueprint for what to do next. It's just an indicator of how many minutes to midnight we are on this particular clock-we may be out of time to get in front of it, but we can certainly try to see which of these measures can be put in place in parallel [with a security crisis].

Brace for impact

The ransomware attack on Hollywood Presbyterian Medical Center, which happened just a few weeks after President Obama signed the legislation that established the task force, helped establish the urgency of the work the group was doing ( Ars' coverage of the ransomware attack is cited in the task force's final report). At the task force's first in-person meeting in April, Corman said he brought up the Boston Marathon bombing. "I said, imagine if you combined something like this physical attack with something like the logical attack [at Hollywood Presbyterian]." The impact-disrupting the ability to give urgent medical care during a physical attack-could potentially magnify the loss of life and shatter public confidence, he suggested.

The recommendations generated by the task force amount to a Herculean to-do list:

Define and streamline leadership, governance, and expectations for health care industry cybersecurity. Increase the security and resilience of medical devices and health IT. Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. Increase health care industry readiness through improved cybersecurity awareness and education. Identify mechanisms to protect research and development efforts, as well as intellectual property, from attacks or exposure. Improve information sharing of industry threats, weaknesses, and mitigations.

That list is no short order. And it may already be too late to prevent another major incident. In the wake of the Hollywood Presbyterian ransomware attack last year, "the obscurity we've enjoyed is gone," Corman explained. "We've always been prone, we've always been prey-we just lacked predators. Once the Hollywood Presbyterian attack happened, there were a lot more sharks because they smelled blood in the water." As a result, hospitals went from being off attackers' radar to "the number-one attacked industry in less than a year," he said.

The task force's long-term target is to get the health industry to adopt the risk management strategies of NIST's Critical Infrastructure Cybersecurity Framework . But that's a long way off, considering the potential costs associated and the bare-bones nature of many health providers' IT. Many healthcare delivery organizations "are target rich and resource poor, and [they] can't fathom further investment in cyber hygiene, period," said Corman.

The challenges to securing health IT identified by the task force, including some of the problems exposed by the Hollywood Presbyterian attack, are substantial:

A severe lack of security talent in the industry. As the report points out, "The majority of health delivery organizations lack full-time, qualified security personnel." Small, mid-sized, and rural health providers may not even have full-time IT staff, or they depend on a service provider and have little in the way of resources to attract and retain a skilled information security staff.

Premature and excessive connectivity. Health providers rapidly embraced networked systems, in many cases without thought to secure design and implementation. As the report states, "Over the next few years, most machinery and technology involved in patient care will connect to the Internet; however, a majority of this equipment was not originally intended to be Internet accessible, nor designed to resist cyber attacks."

In some significant ways, this is a problem that Congress helped create with the unintended consequences of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Passed in 2009 as part of the American Recovery and Reinvestment Act, it gave financial incentives for hospitals to rapidly deploy electronic health records and offered billions of dollars in incentives for quickly demonstrating "meaningful use" of EHRs. Combined with the Merit-Based Incentive Payment System used by Medicare and Medicaid, the HITECH Act forced many health providers to quickly adopt technology they didn't fully understand. While EHRs have likely improved patient care, they also introduced technology that care providers couldn't properly secure or support.

Legacy equipment running on old, unsupported, and vulnerable operating systems . Since a large number of medical systems rely on older versions of Windows-Windows 7, and in many cases, Windows XP-"there's zero learning curve for an ideological adversary," Corman said. "There's nothing new to learn." The systems were never intended to be connected to the Internet in many cases-or to any network at all. Some systems, Corman said, "have such interoperability issues-forget security issues-that they're so brittle, most hospitals will say that, even if you just do a port scan, you'll crash them-you don't even need to hack them."

On top of that, some of the legacy medical devices on hospitals' networks now are unpatchable or unsecurable, and they would have to be completely retired and replaced. The task force recommended government incentives to get rid of these devices, following a "cash for clunkers" model. But that may not be effective in luring some health organizations to get rid of them, simply because of the other costs associated with getting new hardware in. And many of the newer systems they would use to replace older ones with are still based on legacy software anyway.

A wealth of vulnerabilities, and it only takes one to disrupt patient care. The increased connectivity of health providers without proper network segmentation and other security measures exposed other systems that were never meant to touch the network-medical devices powered by embedded operating systems that may never have been patched and have 20-year lifecycles. According to the task force report, one legacy medical technology system they documented had more than 1,400 vulnerabilities on its own. And the exploitation of a single vulnerability on a single system was able to affect patient care during the Hollywood Presbyterian attack.

Furthermore, because these legacy systems are often based on older, common technologies, virtually no special set of skills is required to perform such an attack. Basic, common hacking tools could be used to gain access and wreak havoc. This is demonstrated in attacks like the one at MedStar hospitals in Maryland last March, in which an old JBoss vulnerability was exploited (likely with an open source tool) to give attackers access to the medical network's servers.

It was clear to everyone on the task force, Corman noted, that there were no technical barriers to a "sustained denial of patient care like what happened at Hollywood Presbyterian, on purpose" at virtually any healthcare facility in the United States. "I said we all make fun of security through obscurity, but what if that's all we have?" Corman recounted. "Seriously. What if that's all we have?"

Planning for "right of boom"

Given that untargeted and incidental attacks on hospitals have already happened, it seems inevitable that someone will carry out a targeted attack at some point. Corman said that increases the importance of doing disaster planning and simulations now to optimize responses, "so we can see who needs to have control-is it FEMA, the White House, DHS, HHS, the hospitals? We drill with our kids what you're supposed to do in a fire. Before we have a boom, we need to prioritize simulations, practice, and disaster planning."

Another part of planning for the post-attack scenario-or "right of boom"-is to make sure that the right supports are in place to quickly recover. "We need to make sure that we've done enough scaffolding now so that we can have a more elegant response," Corman said, "because if this looks like Deepwater Horizon, and we're on the news every night, every week, gushing into the Gulf, that's going to shatter confidence. If we have a prompt and agile response, maybe we can mitigate the harm."

Sean Gallagher
Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.

[Jun 09, 2017] Sneaky hackers use Intel management tools to bypass Windows firewall

Notable quotes:
"... the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. ..."
"... Using the AMT serial port, for example, is detectable. ..."
"... Do people really admin a machine through AMT through an external firewall? ..."
"... Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution. ..."
Jun 09, 2017 | arstechnica.com
When you're a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you're there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files -- such as new payloads to run and new versions of their malware-to compromised machines. PLATINUM's technique leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it's used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what's on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating system's own IP stack and, as such, is invisible to the operating system's own firewall or other network monitoring software. The PLATINUM software uses another piece of virtual hardware-an AMT-provided virtual serial port-to provide a link between the network itself and the malware application running on the infected PC.

Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware. The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating system and its firewall are none the wiser. In this way, PLATINUM's malware can move files between machines on the network while being largely undetectable to those machines.

PLATINUM uses AMT's serial-over-LAN (SOL) to bypass the operating system's network stack and firewall.

Enlarge / PLATINUM uses AMT's serial-over-LAN (SOL) to bypass the operating system's network stack and firewall. Microsoft

AMT has been under scrutiny recently after the discovery of a long-standing remote authentication flaw that enabled attackers to use AMT features without needing to know the AMT password. This in turn could be used to enable features such as the remote KVM to control systems and run code on them.

However, that's not what PLATINUM is doing: the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. This isn't exploiting any flaw in AMT; the malware just uses the AMT as it's designed in order to do something undesirable.

Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place; if it's not turned on at all, there's no remote access. Microsoft's write-up of the malware expressed uncertainty about this part; it's possible that the PLATINUM malware itself enabled AMT-if the malware has Administrator privileges, it can enable many AMT features from within Windows-or that AMT was already enabled and the malware managed to steal the credentials.

While this novel use of AMT is useful for transferring files while evading firewalls, it's not undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity. potato44819 , Ars Legatus Legionis Jun 8, 2017 8:59 PM Popular

"Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity."

It's worth noting that this is NOT Windows Defender.

Windows Defender Advanced Threat Protection is an enterprise product.

aexcorp , Ars Scholae Palatinae Jun 8, 2017 9:04 PM Popular
This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

"it's possible that the PLATINUM malware itself enabled AMT-if the malware has Administrator privileges, it can enable many AMT features from within Windows"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead? 1810 posts | registered 8/28/2012

bothered , Ars Scholae Palatinae Jun 8, 2017 9:16 PM
Always on and undetectable. What more can you ask for? I have to imagine that and IDS system at the egress point would help here. 716 posts | registered 11/14/2012
faz , Ars Praefectus Jun 8, 2017 9:18 PM
Using SOL and AMT to bypass the OS sounds like it would work over SOL and IPMI as well.

I only have one server that supports AMT, I just double-checked that the webui for AMT does not allow you to enable/disable SOL. It does not, at least on my version. But my IPMI servers do allow someone to enable SOL from the web interface.

xxx, Jun 8, 2017 9:24 PM
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat.

Do people really admin a machine through AMT through an external firewall? 178 posts | registered 2/25/2016

zogus , Ars Tribunus Militum Jun 8, 2017 9:26 PM
fake-name wrote:
Quote:
blockquote

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter? 1646 posts | registered 11/17/2006

bthylafh , Ars Tribunus Angusticlavius Jun 8, 2017 9:34 PM Popular
zogus wrote:
Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?
tomca13 , Wise, Aged Ars Veteran Jun 8, 2017 9:53 PM
This PLATINUM group must be pissed about the INTEL-SA-00075 vulnerability being headline news. All those perfectly vulnerable systems having AMT disabled and limiting their hack. 175 posts | registered 8/9/2002
Darkness1231 , Ars Tribunus Militum et Subscriptor Jun 8, 2017 10:41 PM
Causality wrote:
Intel AMT is a fucking disaster from a security standpoint. It is utterly dependent on security through obscurity with its "secret" coding, and anybody should know that security through obscurity is no security at all.
Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution.

Hopefully, either Intel will start looking into improving this and/or MSFT will make enough noise that businesses might learn to do their update, provisioning in a more secure manner.

Nah, that ain't happening. Who am I kidding? 1644 posts | registered 3/31/2012

Darkness1231 , Ars Tribunus Militum et Subscriptor Jun 8, 2017 10:45 PM
meta.x.gdb wrote:
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?
The interconnect is via W*. We ran this dog into the ground last month. Other OSs (all as far as I know (okay, !MSDOS)) keep them separate. Lan0 and lan1 as it were. However it is possible to access the supposedly closed off Lan0/AMT via W*. Which is probably why this was caught in the first place.

Note that MSFT has stepped up to the plate here. This is much better than their traditional silence until forced solution. Which is just the same security through plugging your fingers in your ears that Intel is supporting. 1644 posts | registered 3/31/2012

rasheverak , Wise, Aged Ars Veteran Jun 8, 2017 11:05 PM
Hardly surprising: https://blog.invisiblethings.org/papers ... armful.pdf

This is why I adamantly refuse to use any processor with Intel management features on any of my personal systems. 160 posts | registered 3/6/2014

michaelar , Smack-Fu Master, in training Jun 8, 2017 11:12 PM
Brilliant. Also, manifestly evil.

Is there a word for that? Perhaps "bastardly"?

JDinKC , Smack-Fu Master, in training Jun 8, 2017 11:23 PM
meta.x.gdb wrote:
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?
The catch would be any machine that leaves your network with AMT enabled. Say perhaps an AMT managed laptop plugged into a hotel wired network. While still a smaller attack surface, any cabled network an AMT computer is plugged into, and not managed by you, would be a source of concern. 55 posts | registered 11/19/2012
Anonymouspock , Wise, Aged Ars Veteran Jun 8, 2017 11:42 PM
Serial ports are great. They're so easy to drive that they work really early in the boot process. You can fix issues with machines that are otherwise impossible to debug.
sphigel , Ars Centurion Jun 9, 2017 12:57 AM
aexcorp wrote:
This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

"it's possible that the PLATINUM malware itself enabled AMT-if the malware has Administrator privileges, it can enable many AMT features from within Windows"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead?

I'm not even sure it's THAT convenient for sys admins. I'm one of a couple hundred sys admins at a large organization and none that I've talked with actually use Intel's AMT feature. We have an enterprise KVM (raritan) that we use to access servers pre OS boot up and if we have a desktop that we can't remote into after sending a WoL packet then it's time to just hunt down the desktop physically. If you're just pushing out a new image to a desktop you can do that remotely via SCCM with no local KVM access necessary. I'm sure there's some sys admins that make use of AMT but I wouldn't be surprised if the numbers were quite small. 273 posts | registered 5/5/2010
gigaplex , Ars Scholae Palatinae Jun 9, 2017 3:53 AM
zogus wrote:
fake-name wrote:
blockquote Quote: blockquote

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?
We just got some new Dell workstations at work recently. They have serial ports. We avoid the consumer machines. 728 posts | registered 9/23/2011

GekkePrutser , Ars Centurion Jun 9, 2017 4:18 AM
Quote:
Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.
Not that fortunately.. Serial ports are still very useful for management tasks. It's simple and it works when everything else fails. The low speeds impose little restrictions on cables.

Sure, they don't have much security but that is partly mitigated by them usually only using a few metres cable length. So they'd be covered under the same physical security as the server itself. Making this into a LAN protocol without any additional security, that's where the problem was introduced. Wherever long-distance lines were involved (modems) the security was added at the application level.

[Jun 08, 2017] NSA Denies Everything About Latest Intercept Leak, Including Denying Something That Was Never Claimed

Notable quotes:
"... Targeting telco and ISP systems administrators goes well outside the bounds of "national security." These people aren't suspected terrorists. They're just people inconveniently placed between the NSA and its goal of " collecting it all ." ..."
"... The NSA's own documents say that QUANTUMHAND "exploits the computer of a target that uses Facebook." The man-on-the-side attack impersonates a server , not the site itself. The NSA denies impersonating, but that's not what The Intercept said or what its own documents state. This animated explanation, using the NSA's Powerpoint presentation, shows what the attack does -- it tips the TURBINE servers, which then send the malware payload before the Facebook servers can respond. ..."
"... To the end user, it looks as though Facebook is just running slowly. ..."
"... When the NSA says it doesn't impersonate sites, it truly doesn't. It injects malware by beating Facebook server response time. It doesn't serve up faux Facebook pages; it simply grabs the files and data from compromised computers. ..."
"... The exploit is almost wholly divorced from Facebook itself. The social media site is an opportunity for malware deployment, and the NSA doesn't need to impersonate a site to achieve its aims. This is the NSA maintaining deniability in the face of damning allegations -- claiming something was said that actually wasn't and resorting to (ultimately futile) attempts to portray journalists as somehow less trustworthy than the agency. ..."
"... At this point, the mere fact that the NSA denies doing something is almost enough to convince me that they are doing it. I'm trying not to be paranoid. They just make it so difficult. ..."
"... considering how much access they seemed to have I think it is entirely possible for them to do that. And the criminal energy to do it definitely there as well. ..."
"... And there is still the question if Facebook and similar sites might be at least funded, if not run by intelligence agencies altogether. If that is the case that would put this denial in an entirely different light. It would read "We don't impersonate companies. We ARE the companies."... ..."
"... Max level sophistry. I wonder if anyone at the NSA even remembers what the truth is, it's been coated in so many layers of bullshit. ..."
"... As for its "national security directive," it made a mockery of that when it proudly announced in its documents that "we hunt sys admins." ..."
Jun 08, 2017 | www.techdirt.com
The recent leaks published at Glenn Greenwald's new home, The Intercept, detailed the NSA's spread of malware around the world, with a stated goal of sabotaging "millions" of computers. As was noted then, the NSA hadn't issued a comment. The GCHQ, named as a co-conspirator, had already commented, delivering the usual spiel about legality, oversight and directives -- a word salad that has pretty much replaced "no comment" in the intelligence world.

The NSA has now issued a formal statement on the leaks, denying everything -- including something that wasn't even alleged. In what has become the new "no comment" on the NSA side, the words "appropriate," "lawful" and "legitimate" are trotted out, along with the now de rigueur accusations that everything printed (including, apparently, its own internal documents) is false.

Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed.
First off, for the NSA to claim that loading up "millions" of computers with malware is somehow targeted (and not "indiscriminate") is laughable. As for its "national security directive," it made a mockery of that when it proudly announced in its documents that "we hunt sys admins."

Targeting telco and ISP systems administrators goes well outside the bounds of "national security." These people aren't suspected terrorists. They're just people inconveniently placed between the NSA and its goal of " collecting it all ."

Last, but not least, the NSA plays semantic games to deny an accusation that was never made, calling to mind Clapper's denial of a conveniently horrendous translation of a French article on its spying efforts there.

NSA does not use its technical capabilities to impersonate U.S. company websites.
This "denial" refers to this portion of The Intercept's article.
In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target's computer and exfiltrate files from a hard drive... In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target's computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive.

The NSA's own documents say that QUANTUMHAND "exploits the computer of a target that uses Facebook." The man-on-the-side attack impersonates a server , not the site itself.

The NSA denies impersonating, but that's not what The Intercept said or what its own documents state. This animated explanation, using the NSA's Powerpoint presentation, shows what the attack does -- it tips the TURBINE servers, which then send the malware payload before the Facebook servers can respond.

To the end user, it looks as though Facebook is just running slowly.

https://player.vimeo.com/video/88822483

When the NSA says it doesn't impersonate sites, it truly doesn't. It injects malware by beating Facebook server response time. It doesn't serve up faux Facebook pages; it simply grabs the files and data from compromised computers.

The exploit is almost wholly divorced from Facebook itself. The social media site is an opportunity for malware deployment, and the NSA doesn't need to impersonate a site to achieve its aims. This is the NSA maintaining deniability in the face of damning allegations -- claiming something was said that actually wasn't and resorting to (ultimately futile) attempts to portray journalists as somehow less trustworthy than the agency.

sorrykb ( profile ), 14 Mar 2014 @ 9:39am

Denial = Confirmation?
NSA does not use its technical capabilities to impersonate U.S. company websites.

At this point, the mere fact that the NSA denies doing something is almost enough to convince me that they are doing it. I'm trying not to be paranoid. They just make it so difficult.

Anonymous Coward , 14 Mar 2014 @ 9:48am
Re: Denial = Confirmation?

considering how much access they seemed to have I think it is entirely possible for them to do that. And the criminal energy to do it definitely there as well.

By now you have to assume the worst when it comes to them, and once the truth comes out it tends to paint and even worse picture then what you could imagine.

And there is still the question if Facebook and similar sites might be at least funded, if not run by intelligence agencies altogether. If that is the case that would put this denial in an entirely different light. It would read "We don't impersonate companies. We ARE the companies."...

Mark Wing , 14 Mar 2014 @ 10:35am

Max level sophistry. I wonder if anyone at the NSA even remembers what the truth is, it's been coated in so many layers of bullshit.

art guerrilla ( profile ), 14 Mar 2014 @ 12:06pm
Re: NSA Word-Smithing

I can not stress this poster's sentiment, as well as voiced in the article itself, of the CHILDISH semantic games the alphabet spooks will play... they WILL (metaphorically speaking) look you straight in the eye, piss on your leg, and INSIST it is raining; THEN fabricate evidence to 'prove' it was rain...

In my readings about the evil done in our name, with our money, *supposedly* to 'protect and serve' us, by the boys in black, you can NOT UNDERESTIMATE the most simplistic, and -to repeat myself -- CHILDISH ways they will LIE AND DISSEMBLE...

They are scum, they are slime, they are NOT the best and the brightest, they are the worst and most immoral...

YOU CAN NOT OVERSTATE THEIR MORAL VACUITY...

we do NOT deserve these pieces of shit...

Anonymous Coward , 14 Mar 2014 @ 11:17am

We know that the NSA, with the cooperation of the companies involved, has equipment co-located at major backbones and POPs to achieve the goals for QUANTUMHAND, QUANTUMINSERT, and etc.

At what point will we start confronting these companies and pressuring them to discontinue such cooperation? I know it's no easy task, but just as much as the government is reeling from all the public pressure, so too will these companies if we press their hands. Make it affect their bottom line.

Anonymous Coward , 14 Mar 2014 @ 1:49pm
is techdirt an hack target?

this page of your site tries to run scripts from
google
amazonaws
twitter
facebook
ajax.googleapis
techdirt

and install cookies from
techdirt
imigur

and request resources from
rp-api
vimeo

and install/use tracking beacons from
facebook connect
google +1
gravitar
nativo
quantcast
redit
repost.us
scorecard research beacon
twitter button.

...and who knows what else would run if all that was allowed to proceed. (I'm not going to run them to find out the 2nd level stuff)

for all the great reporting techdirt does on spying/tracking/privacy- you need to get you shit together already with this site; it seams like you're part of the problem. Please explain the technical facts as to why these same types of hacks couldn't be done to your readers through this clusterfuck of off site scripts/beacons/cookies/resources your forcing on people to ignorant to know how to block them.

Matthew Cline ( profile ), 14 Mar 2014 @ 1:50pm

As for its "national security directive," it made a mockery of that when it proudly announced in its documents that "we hunt sys admins."

Well, heck, that's easy. Since the computers of the sys admins are just means to an ends, simply define "target" in a way that excludes anyone whose computers are compromised as a means to an end.

Anonymous mouse , 14 Mar 2014 @ 1:56pm

I seem to remember some articles about why people who don't use Facebook are suspect. To wit,

Are these possible signs that the NSA and GHCQ planted those stories?

Anonymous Coward , 14 Mar 2014 @ 3:49pm
The fun has yet to really begin

On April 8th, this year, Microsoft will stop installing new security patches from Windows XP, leaving computers running it totally vulnerable to such hacks. Anybody want to place bets on the fact that the alphabet soup agencies of our wonderful gummint are going to be first in line to exploit them? Just think what NSA could do with 300,000,000+ computers to play with!

[Jun 06, 2017] Trend Micro AV gave any website command-line access to Windows PCs

Jun 06, 2017 | theregister.co.uk

So a part from writing fake secutiry software, they also make fake statements and perform fake research.

> > > >

[May 29, 2017] It might make sense to use a separate Linux computer ot VM on laptop for internet browsing; you just can't secure Windows

Notable quotes:
"... But the point is that no matter where you turn the stuff is plain ass insecure and the probable most secure is Linux, and of all the distros if you remove the services you don't need, printing, etc.. most secure, and if it isn't perfect well you paid nothing! But most importantly you can control what is shared and communicated with very easy controls. ..."
"... What the NSA did in respect to recently disclosed leaks and congressional oversight in respect to their spying or collecting data upon Americans was wrong, but to be honest? ..."
"... They didn't need to because they could buy better data from Google, Facebook, Microsoft, and the cell companies. ..."
"... Using Linux and Firefox correctly with standard addons for privacy protects you pretty damn well. Just saying, and you can update a computer in less than one agonizing "Don't turn off your computer" screens from Microsoft with yet another Net Framework, Browser edge, Microsoft store, Bing.. all that shit we really just don't F0cking need! ..."
"... Shit is shit, and it was made with the INTENTION of exploitation. Why I'd say that was it's HIGHER purpose, to exploit .. and now of course that sword cuts both ways. The level of bullshit, is equal and proportionate to the level of actual shit. And hell, honesty being at shall we say a premium. folks just can't come out and admit to such things. Why whatever would people think!? So, so many ways, the masses of people, the sea of humanity, has been sold out, and sold down the river. ..."
"... Insecurity cuts both ways: For and against the surveillance state. For anonymity for those who know how to use it, against for everyone else. For those with the right tools, there is freedom in the dark spaces of that insecurity. And a base for rebelion. Think Everyman Hacker vs The Deep State. You should really read Thieves Emporium. It's a primer on where the dots are going delivered using technically-accurate fiction to keep you interested to the last page. ..."
May 29, 2017 | www.zerohedge.com

Dilluminati , May 27, 2017 11:02 PM

I have sat through about 5 hours of MSFT loading up a VM getting ready to run a SQL SERVER 2016 lab/VM. I believe nothing except that all tech with the exception of Linux is pretty f0cked up.

... ... ...

That's just the truth. Most software is such garbage, designed to leak information for corporate greed, you really have to blame Microsoft and Google.

HRH Feant2 - Dilluminati , May 27, 2017 11:19 PM

Damn, dude, I feel your pain! I have done more than one wipe of my OS and a fresh install. It sucks.

I am looking to cut the cord, too. Found a nice handset that uses Bluetooth so I can have a decent convo using my cellphone without actually holding the damned thing up to my skull! Less than $50 on Amazon.

Comcast sucks and costs too much.

Dilluminati - HRH Feant2 , May 27, 2017 11:39 PM

I guess reading over my comments and the responses is that new tech sucks, is insecure, old tech sucks and is insecure, and no matter how much you spend on MSFT it sucks and is insecure. (most people don't know better) Android is improving an a Linux derivative, but the Google store tyranny has me thinking getting as bad as MSFT.

But the point is that no matter where you turn the stuff is plain ass insecure and the probable most secure is Linux, and of all the distros if you remove the services you don't need, printing, etc.. most secure, and if it isn't perfect well you paid nothing! But most importantly you can control what is shared and communicated with very easy controls.

What the NSA did in respect to recently disclosed leaks and congressional oversight in respect to their spying or collecting data upon Americans was wrong, but to be honest?

They didn't need to because they could buy better data from Google, Facebook, Microsoft, and the cell companies.

And guess what? Because these systems collect information that is the basis for leaked information.

http://www.omgubuntu.co.uk/2016/01/ubuntu-online-search-feature-disabled...

Using Linux and Firefox correctly with standard addons for privacy protects you pretty damn well. Just saying, and you can update a computer in less than one agonizing "Don't turn off your computer" screens from Microsoft with yet another Net Framework, Browser edge, Microsoft store, Bing.. all that shit we really just don't F0cking need!

It's just F0cking redonkulous, and I'm going to cert 2016 and I look at the courseware and I'm like wtf? Redmond still shilling mobile data from SQL SERVER, as if nobody got the F0cking message at MSFT that their phones are DEAD!

Or R inside Sql Server, yeah daddy.. I'm going to run some R on SQL SERVER just to buy some more damn licenses... anybody smart enough for R not dumb enough to buy lottsa SQL SERVER.. just f0cking saying the dumb shit, additional shit, that adds really very little value except insecure stuff.

But yeah locked down Ubuntu loads up in about 1/10 the time and more secure.. and that is a fact.

Giant Meteor - Dilluminati , May 27, 2017 11:23 PM

Excellent excellent points ... Not as plugged in tech wise as you seem to be, but understand the hightlights .. Shit is shit, and it was made with the INTENTION of exploitation. Why I'd say that was it's HIGHER purpose, to exploit .. and now of course that sword cuts both ways.

The level of bullshit, is equal and proportionate to the level of actual shit.

And hell, honesty being at shall we say a premium. folks just can't come out and admit to such things. Why whatever would people think!? So, so many ways, the masses of people, the sea of humanity, has been sold out, and sold down the river.

Funny thing is, aside from those on the government dole payroll (which is an extensive list) lot's of folks will admit to the case, ie; "we been robbed!" and are starting to wake up to the fact ...

But the ramifications as you have laid out, so simple to see, and understand, and yet ... Well, like I mentioned, they're fightin for THEIR way of life, and THEIR freedumbs ... Well done ..

Sam.Spade - Dilluminati , May 28, 2017 1:22 AM

So project the dots. Insecurity cuts both ways: For and against the surveillance state. For anonymity for those who know how to use it, against for everyone else.

For those with the right tools, there is freedom in the dark spaces of that insecurity. And a base for rebelion.

Think Everyman Hacker vs The Deep State.

You should really read Thieves Emporium. It's a primer on where the dots are going delivered using technically-accurate fiction to keep you interested to the last page. Not nearly as detailed as your post, nor as specific, but explains the broad-brush concepts on both sides of the new internet freedom struggle very well.

The Daily Bell thought it was so good they published it as a serial which you can read for free at http://www.thedailybell.com/editorials/max-hernandez-introducing-thieves... .

Or you can guy a copy on Amazon (rated 4.6 in 120 reviews), Nook (same rating, fewer reviews), Smashwords (ditto), or iBooks.

Please take a look, I think you will like the book.

[May 23, 2017] Sysinternals Sync

May 23, 2017 | technet.microsoft.com

See Sysinternals Sync.

UNIX provides a standard utility called Sync, which can be used to direct the operating system to flush all file system data to disk in order to insure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost. Here is an equivalent that I wrote, called Sync, that works on all versions of Windows. Use it whenever you want to know that modified file data is safely stored on your hard drives. Unfortunately, Sync requires administrative privileges to run. This version also lets you flush removable drives such as ZIP drives.

Using Sync

Usage: sync [-r] [-e] [drive letter list]

-r Flush removable drives.
-e Ejects removable drives.

Specifying specific drives (e.g. "c e") will result in Sync only flushing those drives.

[May 23, 2017] FogBugz - discuss.joelonsoftware.com

May 23, 2017 | Unmount hard drives from Windows command line?

Is there a command to unmount an HDD from the command line or a tool to do so?

Tuesday, January 31, 2006

I believe that you're looking for NET USE:

NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]
[/SMARTCARD]
[/SAVECRED]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE {devicename | *} [password | *] /HOME

NET USE [/PERSISTENT:{YES | NO}]

Mark Lubischer

well... that is if it's a mapped network drive Mark Lubischer


Tuesday, January 31, 2006

mountvol X: /d Roland Kaufmann

"Well, mostly I'm interested in unmounting a USB drive - quickly and easily (sans mouse clicks)."

Oh, Microsoft calls this "ejecting [a] device", not unmounting a drive. The system help files only provide instructions on how to do it graphically.

Googling for the relevant terms returns http://www.robvanderwoude.com/index.html and you might be interested in the fifth entry down from the top. The tenth entry might also help.

(I don't make any recommendations about this software, I'm just following the first link that looked relevant.)

Google also suggested a few other links when I used "Windows eject device command line" as my search terms.

TheDavid, Tuesday, January 31, 2006

My posting crossed with the OP's answer.

Mark Russinovish's Sync is the right thing to use:

http://www.sysinternals.com/Utilities/Sync.html

See also:

http://ask-leo.com/is_there_a_way_to_safely_remove_hardware_from_a_batch_file.html


Post SP1, I think Windows XP automatically disables write caching on USB storage devices, so you can just pull them with no ill effects.

If you want to leave the device connected but not see a drive letter, you can do this through the Disk Management snap-in in Manage Computer. But this is not click-free.

The same thing could be accomplished through the management APIs with a script (wshost or monad), I should think.

Windows in general doesn't go for the concept of mounting/unmounting. USB storage is generally auto-mounted, and SCSI/IDE storage is either detected at startup or mediated through a RAID array which implements a SCSI miniport driver. You can dynamically assign / remove drive letters from drives or volumes, and mount volumes under a folder on another volume. The system is quite flexible, but to retain a degree of backwards compatibility it doesn't quite approach the Unix model.

.NET Guy
Wednesday, February 01, 2006

devcon is exactly what I was looking for - thanks. (eject, hmmm, smells like floppy disks).

I have used sync from sysinternals.com previously, but in this case it was not insuring a disconnect (which, it turns out, the USB device requires to flush its own buffers).

Thanks,

hoser
Wednesday, February 01, 2006

The current version of Sync has an 'Eject' option on it - does even that not work?

Will Dean
Thursday, February 02, 2006

[May 23, 2017] Command line to Safely Remove a USB drive

May 23, 2017 | technet.microsoft.com

Greetings!

I have a Windows 7 Professional PC with a backup routine that runs on boot-up in a batch file. It copies various files to a USB hard drive, then sends me a message on another PC saying the backup is complete.

I need a command to put in the batch file to safely remove the USB drive after the copying is done and before the "finished" message is sent.

I want the "Safely Remove Hardware" process to run, but I don't want to have to log in to the PC to click the "Safely Remove Hardware" icon. I already have the "Optimize for quick removal" set.

I have seen this thread: http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/a163abeb-f4d6-425e-b30b-e900ab118f0a and do not need to show a missing box. I'd like to have the whole thing happen in the batch file without my interaction.

I realize there isn't an actual command line command, like COPY or DEL, but there must be something the OS runs when the "Safely Remove" icon is clicked and a choice from the popup menu is chosen.

Example: there's no command to lock the PC, even in Shutdown.exe. But this text in a command line:

%windir%\system32\rundll32.exe user32.dll,LockWorkStation

locks the PC.

What's the line of text needed to eject a USB drive safely, preferably with feedback (if %Errorlevel% style) to show success or failure? (VBscript or WMI commands would be fine, too)

Edited by ScottGus1 Wednesday, February 15, 2012 1:12 PM

Wednesday, February 15, 2012 1:10 PM

Reply

|

Quote

Avatar of ScottGus1

ScottGus1

Avatar of ScottGus1

65 Points

Answers

Question

Sign in to vote
6

Sign in to vote

I did ask on the Scripting Guys forum (http://social.technet.microsoft.com/Forums/en/ITCG/thread/964f7d82-8810-4c18-93a3-0e5de1a3f006) and the answer is that there isn't one. No Microsoft-only command can eject a usb drive just like "Safely Remove Hardware" does it.

I finally settled on "RemoveDrive" (http://www.uwe-sieber.de/drivetools_e.html) because it returns an %errorlevel% in a batch file, based on whether it was successful in ejecting the USB hard drive or not. My batch file now works perfectly, and it automatically ejects the drive after writing the backups to it.

Thanks to All for your help!

Thanks, folks, for the suggestions. I tried the links suggested.

The script mentioned in the Neowin link returns "404 file not found" when I try to download it. Dead link.

I got Devcon from Microsoft as AskLeo mentioned. I was able to use "Devcon hwids" to find my USB drive (hardware ID was "USBSTOR\WD______0528AS_External_1", but...

"Devcon remove USBSTOR\WD______0528AS_External_1" returned "Remove failed"

"Devcon disable USBSTOR\WD______0528AS_External_1" returned "Disable failed"

"Devcon remove USBSTOR\DISK" and "Devcon disable USBSTOR\DISK" also failed.

Looking thru comments on AskLeo's article I found DevEject. This also failed to eject my USB drive.

I will ask on the scripting forum.

Meanwhile, any other thoughts?

====

I tried again this morning to use devcon. I got the hardware id of the drive using "devcon hwids *WD*" (without quotes, and I knew the WD was good since it's a Western Digital drive). Devcon returned the hardware IDs of the drive. I copied a unique hardware ID to the clipboard, typed "devcon remove " and then pasted the hardware ID. Devcon showed the whole hardware ID of the drive and responded, "remove failed". There were no errors in the Event Viewer, Application or System.

I tried this both in a normal and a "run as admin" command prompt, same results.

I then tried a third-party utility called "USB Disk Eject" (http://quick.mixnmojo.com/usb-disk-eject-1-2-beta-5), which worked properly, achieveing the same thing as "Safely Remove Hardware" on a command line. The way the author of USB Disk Eject speaks, it sounds like ejecting a disk is a lot more than just removing an item from the Device manager, which usually calls for a reboot anyway.

Microsoft / Sysinternals really needs to have an in-house utility for command-line safe-removal of USB drives...

===

See Sysinternals Sync.

UNIX provides a standard utility called Sync, which can be used to direct the operating system to flush all file system data to disk in order to insure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost. Here is an equivalent that I wrote, called Sync, that works on all versions of Windows. Use it whenever you want to know that modified file data is safely stored on your hard drives. Unfortunately, Sync requires administrative privileges to run. This version also lets you flush removable drives such as ZIP drives.

Using Sync

Usage: sync [-r] [-e] [drive letter list]

-r Flush removable drives.
-e Ejects removable drives.

Specifying specific drives (e.g. "c e") will result in Sync only flushing those drives.
===

In windows, at command line write "RunDll32.exe shell32.dll,Control_RunDLL hotplug.dll" and select the drive You want to eject.

[May 20, 2017] While Microsoft griped about NSA exploit stockpiles, it stockpiled patches Fridays WinXP fix was built in February by Iain Thomson

Notable quotes:
"... However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt. ..."
May 16, 2017 | theregister.co.uk
And it took three months to release despite Eternalblue leak 16 May 2017 at 01:44, When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency . If the snoops hadn't stockpiled hacking tools and details of vulnerabilities, these instruments wouldn't have leaked into the wild, sparing us Friday's cyber assault, he said.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," said Smith.

Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months.

Around January this year, Microsoft was tipped off by persons unknown that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.

In April, exactly a month later, an NSA toolkit of hacking weapons , including Eternalblue, was dumped online by the Shadow Brokers: a powerful loaded gun was now in the hands of any willing miscreant.

In May, just last week in fact, the WannaCrypt ransomware, equipped with this weapon, spread across networks and infected tens of thousands of machines worldwide, from hospital computers in the UK and Fedex terminals in the US, to railways in Germany and Russia, to cash machines in China.

On Friday night, Microsoft issued emergency patches for unsupported versions of Windows that did not receive the March update – namely WinXP, Server 2003, and Windows 8 RT. Up until this point, these systems – and all other unpatched pre-Windows 10 computers – were being menaced by WannaCrypt, and variants of the software nasty would be going after these systems in the coming weeks, too.

The Redmond tech giant was praised for issuing the fixes for its legacy Windows builds. It stopped supporting Windows XP in April 2014 , and Server 2003 in July 2015 , for instance, so the updates were welcome.

However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.

Here's the dates in the patches:

The SMBv1 bug is trivial , by the way: it is a miscalculation from a 32-bit integer to a 16-bit integer that can be exploited by an attacker to overflow a buffer, push too much information into the file networking service, and therefore inject malicious code into the system and execute it. Fixing this programming blunder in the Windows codebase would have been easy to back port from Windows 8 to XP.

If you pay Microsoft a wedge of cash, and you're important enough, you can continue to get security fixes for unsupported versions of Windows under a custom support license. It appears enterprises and other organizations with these agreements got the legacy fixes months ago, but us plebs got the free updates when the house was already on fire.

Smith actually alluded to this in his blog post over the weekend: "We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only , including Windows XP, Windows 8, and Windows Server 2003." [Italics are ours.]

Money talks

Custom support is a big earner: Microsoft charged Britain's National Health Service $200 per desktop for year one, $400 for year two and $800 for a third year as part of its contract. UK Health Secretary Jeremy Hunt cancelled the contract after a year as a cost-saving measure. The idea was that a year would give NHS trusts time to manage their upgrades and get modern operating systems, but instead it seems some trusts preferred to spend the money not on IT upgrades but on executive remuneration, nicer offices, and occasionally patient care. Defence Secretary Michael Fallon claimed on Sunday that "less than five per cent of [NHS] trusts" still use Windows XP.

Naturally, Microsoft doesn't want to kill the goose that lays such lovely golden eggs, by handing out patches for old gear for free. And supporting a 16-year-old operating system like Windows XP must be a right pain in the ASCII for its engineers. And we appreciate that computers still running out-of-date operating systems are probably doing so for a reason – perhaps it's a critical device or an MRI scanner that can't be upgraded – and thus it doesn't matter if a patch landed in February, March or May: while every little helps, the updates are unlikely to be applied anyway.

On the other hand, we're having to live with Microsoft's programming mistakes nearly two decades on, mistakes that Microsoft is seemingly super reluctant to clean up, unless you go the whole hog and upgrade the operating system.

Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor.

We asked Microsoft to comment on the timing of its patching, but its spokespeople uselessly referred us back to Smith's blog. Meanwhile, here's some more technical analysis of the WannaCrypt worm and how a kill switch for the nasty was found and activated over the weekend.

[May 19, 2017] Global Cyberattack Are Private Interests Using States: The global cyberattack, the NSA and Washingtons war propaganda against Russia by Bill Van Auken

Notable quotes:
"... Thus, amid the hysterical propaganda campaign over Russian hacking, Washington has been developing an array of cyber-weapons that have the capability of crippling entire countries. Through the carelessness of the NSA, some of these weapons have now been placed in the hands of criminals. US authorities did nothing to warn the public, much less prepare it to protect itself against the inevitable unleashing of the cyber weapons it itself had crafted. ..."
"... There was no question then of an investigation taking months to uncover the culprit, much less any mystery going unsolved. Putin and Russia were declared guilty based upon unsubstantiated allegations and innuendo. Ever since, the Times ..."
"... Since Trump's inauguration, the Democratic Party has only intensified the anti-Russian propaganda. It serves both as a means of pressuring the Trump administration to abandon any turn toward a less aggressive policy toward Moscow, and of smothering the popular opposition to the right-wing and anti-working class policies of the administration under a reactionary and neo-McCarthyite campaign painting Trump as an agent of the Kremlin. ..."
May 16, 2017 | www.defenddemocracy.press

The cyberattack that hit some 200,000 computers around the world last Friday, apparently using malicious software developed by the US National Security Agency, is only expected to escalate and spread with the start of the new workweek.

The cyber weapon employed in the attack, known as "WannaCrypt," has proven to be one of the most destructive and far-reaching ever. Among the targets whose computer systems were hijacked in the attack was Britain's National Health Service, which was unable to access patient records and forced to cancel appointments, treatments and surgeries.

Major corporations hit include the Spanish telecom Telefonica, the French automaker Renault, the US-based delivery service Fedex and Germany's federal railway system. Among the worst affected countries were reportedly Russia, Ukraine and Japan.

The weaponized software employed in the attacks locks up files in an infected computer by encrypting them, while demanding $300 in Bitcoin (digital currency) to decrypt them and restore access.

Clearly, this kind of attack has the potential for massive social disruption and, through its attack on institutions like Britain's NHS, exacting a toll in human life.

This event, among the worst global cyberattacks in history, also sheds considerable light on issues that have dominated the political life of the United States for the past 10 months, since WikiLeaks began its release of documents obtained from the hacked accounts of the Democratic National Committee and John Podesta, the chairman of Hillary Clinton's presidential campaign.

The content of these leaked documents exposed, on the one hand, the DNC's machinations to sabotage the presidential campaign of Bernie Sanders, and, on the other, the subservience of his rival, Hillary Clinton, to Wall Street through her own previously secret and lavishly paid speeches to financial institutions like Goldman Sachs.

Read also: Obama Warned to Defuse Tensions with Russia

This information, which served to discredit Clinton, the favored candidate of the US military and intelligence apparatus, was drowned out by a massive campaign by the US government and the corporate media to blame Russia for the hacking and for direct interference in the US election, i.e., by allegedly making information available to the American people that was supposed to be kept secret from them.

Ever since then, US intelligence agencies, Democratic Party leaders and the corporate media, led by the New York Times , have endlessly repeated the charge of Russian hacking, involving the personal direction of Vladimir Putin. To this day, none of these agencies or media outlets have provided any probative evidence of Russian responsibility for "hacking the US election."

Among the claims made to support the allegations against Moscow was that the hacking of the Democrats was so sophisticated that it could have been carried out only by a state actor. In a campaign to demonize Russia, Moscow's alleged hacking was cast as a threat to the entire planet.

Western security agencies have acknowledged that the present global cyberattack-among the worst ever of its kind-is the work not of any state agency, but rather of a criminal organization. Moreover, the roots of the attack lie not in Moscow, but in Washington. The "WannaCrypt" malware employed in the attack is based on weaponized software developed by the NSA, code-named Eternal Blue, part of a bundle of documents and computer code stolen from the NSA's server and then leaked by a hacking group known as "Shadow Brokers."

Read also: The End of Freedom? Secret Services developing like a Cancer

Thus, amid the hysterical propaganda campaign over Russian hacking, Washington has been developing an array of cyber-weapons that have the capability of crippling entire countries. Through the carelessness of the NSA, some of these weapons have now been placed in the hands of criminals. US authorities did nothing to warn the public, much less prepare it to protect itself against the inevitable unleashing of the cyber weapons it itself had crafted.

In its report on the global cyberattacks on Saturday, the New York Times stated: "It could take months to find out who was behind the attacks-a mystery that may go unsolved."

The co-author of these lines was the New York Times chief Washington correspondent David E. Sanger, who, in addition to writing for the "newspaper of record," finds time to lecture at Harvard's Kennedy School of Government, a state-connected finishing school for top political and military officials. He also holds membership in both the Council on Foreign Relations and the Aspen Strategy Group, think tanks that bring together capitalist politicians, military and intelligence officials and corporate heads to discuss US imperialist strategy.

All of this makes Sanger one of the favorite media conduits for "leaks" and propaganda that the CIA and the Pentagon want put into the public domain.

It is worth contrasting his treatment of the "WannaCrypt" ransomware attack with the way he and the Times dealt with the allegations of Russian hacking in the run-up to and aftermath of the 2016 US presidential election.

There was no question then of an investigation taking months to uncover the culprit, much less any mystery going unsolved. Putin and Russia were declared guilty based upon unsubstantiated allegations and innuendo. Ever since, the Times, serving as the propaganda outlet of the US intelligence services, has given the lead to the rest of the media by endlessly repeating the allegation of Russian state direction of the hacking of the Democratic Party, without bothering to provide any evidence to back up the charge.

Read also: Political Coverup of Iraq Atrocities

With the entire world now under attack from a weapon forged by Washington's cyberwarfare experts, the hysterical allegations of Russian hacking are placed in perspective.

From the beginning, they have been utilized as war propaganda, a means of attempting to promote popular support for US imperialism's steady escalation of military threats and aggression against Russia, the world's second-largest nuclear power.

Since Trump's inauguration, the Democratic Party has only intensified the anti-Russian propaganda. It serves both as a means of pressuring the Trump administration to abandon any turn toward a less aggressive policy toward Moscow, and of smothering the popular opposition to the right-wing and anti-working class policies of the administration under a reactionary and neo-McCarthyite campaign painting Trump as an agent of the Kremlin.

SOURCE www.wsws.org

[May 19, 2017] There are other search engines, browsers, email services besides those operated by the giants. DuckDuckGo, protonmail, and the Opera browser (with free built-in VPN!) work well for me

As soon as DuckDuckGo shows ads and you have Javascript enabled your privacy evaporate the same way it evaporated in Google, unless you use VPN. But even in this case there are ways to "bound" your PC to you via non IP based methods.
May 19, 2017 | www.nakedcapitalism.com

lyman alpha blob , May 19, 2017 at 1:58 pm

There are other search engines, browsers, email services, etc. besides those operated by the giants. DuckDuckGo, protonmail, and the Opera browser (with free built-in VPN!) work well for me.

The problem is, if these other services ever do get popular enough, the tech giants will either block them by getting their stooges appointed to Federal agencies and regulating them out of existence, or buy them.

I've been running from ISP acquisitions for years, as the little guys get bought out I have to find an even littler one.

Luckily I've found a local ISP, GWI, that I've used for years now. They actually came out against the new regulations that would allow them to gather and sell their customers' data. Such anathema will probably wind up with their CEO publicly flayed for going against all that is good and holy according to the Five Horsemen.

[May 17, 2017] How to Enable Volume Shadow Copy in windows 7 - Microsoft Community

May 17, 2017 | answers.microsoft.com
The title and message were edited so now we know what is needed.

How to Create a System Restore Point in Windows 7
http://www.sevenforums.com/tutorials/697-system-restore-point-create.html

How to Do a System Restore in Windows 7
http://www.sevenforums.com/tutorials/700-system-restore.html


System Protection - Change Disk Space Usage
http://www.sevenforums.com/tutorials/335-system-protection-change-disk-space-usage.html


How to Turn System Protection On or Off in Windows 7
http://www.sevenforums.com/tutorials/330-system-protection-turn-off.html

Adjusting the amount of disk space System Restore uses to hold restore points
http://bertk.mvps.org/html/diskspacev.html


How To Change How Much Space System Restore Can Use
http://www.vistax64.com/tutorials/76227-system-restore-disk-space.html
http://www.petri.co.il/change_amount_of_disk_space_used_by_system_restore_in_vista.htm


Vssadmin ShadowStorage Commands
http://technet.microsoft.com/en-us/library/cc755866(WS.10).aspx


Volume Shadow Copy Service
http://technet.microsoft.com/en-us/library/ee923636(WS.10).aspx

Volume Shadow Copy Service
http://msdn.microsoft.com/en-us/library/bb968832(VS.85).aspx


VSSADMIN
http://technet2.microsoft.com/windowsserver/en/library/89d2e411-6977-4808-9ad5-476c9eaecaa51033.mspx?mfr=true


Windows Vista System Restore Guide
http://www.bleepingcomputer.com/tutorials/tutorial143.html


Controlling Shadow Copies in Vista (and Windows 7!)
http://www.pcmag.com/article2/0,2817,2342534,00.asp


A good utility :

Shadow Explorer - Free
http://www.shadowexplorer.com/


Hope this helps.
--------------------------------------------------------------------------------------------
Rob Brown - Microsoft MVP <- profile - Windows and Devices for IT: Bicycle - Mark Twain said it right.

[May 17, 2017] Microsoft blocks Kaby Lake and Ryzen PCs from Windows 7 updates

May 17, 2017 | www.techconnect.com
The time has finally come: Microsoft is dropping the banhammer on mixing modern processors with classic Windows operating systems.

Users are reporting their Windows 7 and 8.1 PCs with Kaby Lake and Ryzen processors are being blocked from receiving updates, according to Ars Technica and Tech Report .

That means all updates, including security updates, will be unavailable on PCs with brand new hardware running the two older operating systems. The first hints of this were revealed in March, when a Microsoft support page appeared detailing the policy of blocking updates for Kaby Lake and Ryzen-toting PCs using Windows 7 or 8.1.

Microsoft's stance on PCs running a classic Windows build with newer processors actually goes back to January 2016. At that time, Microsoft announced a plan to ease the transition to Windows 10 for enterprises by certifying some Skylake processors to run Windows 7 and Windows 8.1 for a limited time. The company also added that Intel's Kaby Lake, Qualcomm's 8996 Snapdragon processsors, and what we now call AMD Ryzen would all require Windows 10.

Since then, Microsoft has proved more flexible on the Skylake front . Select members of that processor generation will be able to run Windows 7 and Windows 8.1 until both systems reach the end of their extended support periods in 2020 and 2023 respectively. For Ryzen and Kaby Lake, however, Microsoft hasn't budged, with Intel and AMD willing to play along .

[May 17, 2017] How to avoid the WannaCrypt virus if you run Windows XP in VM

May 17, 2017 | www.techconnect.com
WannaCrypt may be exclusively a problem for Windows users, but the worm/virus combination could hit a Mac user with a Boot Camp partition or Windows virtual machines in VMware Fusion, Parallels, or other software. If you fit that bill and haven't booted your Windows system since mid-March or you didn't receive or install Microsoft's vital security update (MS17-010) released at that time, read on.

It's critical that you don't start up a Windows XP or later installation that's unpatched and let it connect to the Internet unless you're absolutely sure you have the SMB file-sharing service disabled or firewall or network-monitoring software installed that will block any attempt from an outside connection.

Also, if you use Windows XP or a few later releases of Windows that are past Microsoft's end of support since mid-March, you wouldn't have received the security updates that Microsoft was reserving only for corporate subscribers until last Friday . At that point, they made these updates generally available. If you booted any of those systems between mid-March and Friday, you're unprotected as well.

If your Mac is on a network that uses NAT and DHCP to provide private IP addresses, which is most home networks and most small-office ones, and your router isn't set up to connect the SMB file service from outside the local private network to your computer (whether Boot Camp or a VM), then the WannaCrypt worm can only attack your system from other computers on the same network. If they're already patched or there are no other Windows instances of any kind, you can boot up the system, disable SMBv1, and apply the patches.

If you don't want to take that chance or you have a system that can be reached from the greater Internet directly through whatever method (a routable IP or router port mapping to your Mac), you should disable networking on your computer before restarting into Boot Camp or launching a VM. This is easy with ethernet, but if you're using Wi-Fi for your Windows instance, you need to unplug your network from the Internet.

After booting, disable SMBv1. This prevents the worm from reaching your computer, no matter where it is. Microsoft offers instructions for Windows 7 and later at this support note . If you have a Windows XP system, the process requires directly editing the registry, and you will want to install firewall software to prevent incoming connections to SMB (port 445) before proceeding. The firewall approach is a good additional method for any Windows instance.

Once you've either disabled SMBv1 or have a firewall in place, you can enable network access and install all the patches required for your release, including MS17-010.

In some cases, you no longer need SMBv1, already known to be problematic, and can leave it disabled. If for legacy reasons you have to re-enable it, make sure you have both networking monitoring and firewall software (separately or a single app) that prevents unwanted and unexpected SMB access.

[May 16, 2017] Ransomware scum have already unleashed kill-switch-free WannaCry pt variant • The Register

Notable quotes:
"... Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn't include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, although this is subject to some dispute. ..."
"... Other researchers, including Kevin Beaumont, are also telling us they haven't yet seen a variant of WannaCrypt without a kill switch. ..."
"... Certainly the NSA should have reported it to Microsoft but they apparently didn't ... ..."
"... Implying that Windows 8, and Windows 10 are better than an unmaintained Windows XP SP3 Installation. Which can still do it's job. Probably better than those other Two numbskull OSs. Assuming Microsoft were kind enough to continue supporting it. But, alas that way only madness lay. As XP does not contain Tracker's, and (Cr)App Stores to take your Moneyz. ..."
"... It's clear the NSA intended to not inform Microsoft at all as this was part or their arsenal, a secret tool on their version of a Bat Belt. We must blame the NSA as they developed it, hoarded it and then lost control of it when it got out. This should be an example of how such organisations should not be using such methods. ..."
"... The NSA found it. Kept it secret, then lost the code due to real humans making mistakes or breaking in who discover a pot of "hacker gold" runnable and mature from the fist double click. ..."
"... In my experience with embedded systems there is nothing particularly fancy about the way the PC talks to the special hardware. There is nothing that says it can't be upgraded to say 32 bit Windows 7 or even rewritten for Linux. Much of the code is written in C or Delphi. It would take a bit of work but not impossible. ..."
"... The problem is that like Microsoft the manufacturers have moved on. They are playing with their next big thing and have forgotten about that old stuff. ..."
"... And in a few years it will all be forgotten. Nachi / Blaster anyone? ..."
"... Patching and AV inevitably often is bolting the stable door after horses gone for the first hit. Yet proper user training and proper IT configuration mitigates against almost all zero day exploits. I struggle to think of any since 1991. ..."
"... Firewalls, routers, internal email servers (block anything doubtful), all superfluous services and applications removed, no adhoc sharing. users not administrators, and PROPER training of users. ..."
"... Went to the doctor's surgery this morning. All the computers were down. I queried if they'd been hit with the malware, but apparently it was as a preventative measure as their main NHS trust has been badly hit, so couldn't bring up any records or even know what the wife's blood test was supposed to be for. Next I'm expecting the wife's hospital appt to be canceled due to the chaos it is causing. ..."
"... The answer is not to avoid Windows. It's for our so-called security agencies to get to understand that they are not supposed to be a dirty tricks department collecting weapons for use against others, but that they are supposed to work on our national security - which includes public and private services and businesses as well as the Civil Service. ..."
"... Windows 10 STILL has SMBv1 needlessly enabled by default. Should either be disabled by default or removed all together. Wonder when someone will find another exploitable weakness. Staying secure means turning off protocols you don't need. ..."
"... Instead of that, criminally stupid idots at NHS IT in the affected trusts as well as other enterprises which were hit: 1. Put these unpatchable and unmaintainable machines in the same flat broadcast domain with desktop equipment. There was no attempt at isolation and segmentation whatsoever. ..."
"... Each of these should be a sackable offense for the IT staff in question. ..."
"... Systems vendors to the NHS are borderline criminal. In pharmacy, there are only 1 of 4 mandated systems vendors you can choose. The 3 desktop based ones have so much legacy crap etc that they still only work on windows 7. They also insist on bundling in a machine to just a stupid high cost to a tech illiterate customer base - generally a cut down crappier version of something you could by uin argos for 300 quid they will charge over a grand for. Their upgrade cycles are a f**king joke and their business model makes their customers very reluctant to do so as they have fork out silly money ..."
"... Firstly, a state actor attack would be far better targeted. Stuxnet, for example, actually checked the serial numbers of the centrifuges it targeted to ensure that it only hit ones created in the right date span to impact only those bought by Iran. The vector on this attack, on the other hand, literally just spammed itself out to every available IP address that had port 445 open. ..."
"... most of the original bits of this were actually quite shittily written. Oh sure, there was a genuine bit of high-tech NSA code in there from the shadow broker leak... but there was also a fair load of primitive crap there too. It's a bit like an 16 year old came into possession of an F-16; it was destructive as hell but he didn't really know how to fly it. ..."
"... there's literally 5 different layers of my SMB's security that blocked this (patching, permissions, firewall, commercial AV, VLANs). And we're not exactly cutting-edge - just running best practice. ..."
"... In short, if this was state-backed, then the state in question would have to be somewhere like Honduras, not one of the big-league infosec powers. ..."
"... I read the Malwaretech log (excellent description of why you'd look for a nonexistent domain to determine if you're sandboxed) and thought: OK, so the virus writer should check a randomly generated domain, instead of a fixed one. That way, they can't all be registered, your virus can't be kill-switched the way this one was, and your virus can still tell if it's being run in a sandbox. ..."
"... the code is not proxy aware and the kill switch would not work in well structured environments where the only access to the net is via a configured non transparent proxy. ..."
"... In this case, knowing there are a number of nation state backed cyber defence teams looking into this... they either a) have balls big enough to need a wheelbarrow and believe that they wont get caught no matter what and cyber defence is really too hard to deliver effectively, regardless of backers. or b) that they are insanely stupid and greedy and are not following the news... ..."
"... Given that the only safe/undetected way of laundering the bitcoins will be to buy drugs or guns or other such illegal goods on the darkweb and then turn that into cash by selling it on then the perps are as you say both greedy and insanely (criminally) stupid. ..."
"... If Microsoft had an update channel for security patches only, not unwanted features and M$'s own brand of malware, people would but alot more inclined to stay up to date. ..."
"... Rumors running around that this is Deep State sponsored coming out of various cliques in intelligence agencies in retaliation for the Vault 7 leaks. ..."
May 16, 2017 | theregister.co.uk
15 May 2017 at 09:42, John Leyden Miscreants have launched a ransomware worm variant that abuses the same vulnerability as ‪the infamous WannaCry‬pt‪ malware .

Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn't include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, although this is subject to some dispute.

"As far as I know there's only been two variants (one this morn) and none without [a kill]switch," security researcher Dave Kennedy told El Reg . Other researchers, including Kevin Beaumont, are also telling us they haven't yet seen a variant of WannaCrypt without a kill switch.

What isn't in question is that follow-up attacks based on something similar to WannaCrypt are likely and that systems therefore really need protecting. Black hats might well create a worm that attacks the same Windows vulnerability more stealthily to install a backdoor on the many vulnerable systems still out there, for example.

The WannaCrypt ransomware spread to devastating effect last week using worm -like capabilities that relied on a recently patched vulnerability in Microsoft's SMB file-sharing services (MS17-010). WannaCrypt used a purloined EternalBlue exploit originally developed by the US National Security Agency before it was leaked by the Shadow Brokers last month.

WannaCrypt's victims included the National Health Service, Spain's Telefónica and numerous other organisations across the world. A techie at Telefónica confirmed that the initial infection vector was a phishing email . The scale of the attack prompted Microsoft to take the highly unusual step of releasing patches for unsupported operating systems , including Windows XP. ®

Re: Inevitable

Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows.

The real issue here is that Microsoft stopped has patching XP and Vista systems in an attempt to force users to upgrade -- that's where the real money is in these vulnerabilities. So who's going to make out like a bandit from WannaCry et al? Expect Microsoft Win 10 share to increase over the next few months - they are the real winners here.

Mage

Re: The real issue here is that Microsoft stopped has patching XP

Actually technically they haven't stopped. (Vista yes).

BUT THE PATCHING IS NEARLY IRRELEVANT!

Like most other spam borne "attacks" this would be totally mitigated by

1) User training and common sense.

2) Better configured systems.

XP use by NHS is a red herring.

Even if EVERYONE used Linux* and it was updated daily, it will NOT stop this until the USERs are better trained and use email properly.

[*Because all the spam based attacks would be aimed at Linux]

Ken Hagan

Re: Inevitable

"Because the likes of the FSB & PLA must be too stupid to have also discovered these types of vulnerabilities."

If they knew about them, they didn't do a very good job of protecting their own gear from them.

M.
Re: Inevitable

Your Comment: "Yes, the NSA is criminal for making these immoral and unlawful cyber weapons..."

Unlawful? By what law, specifically? (NOTE: Title 10 and Title 50 authorities directly - and legally - trump certain US laws.) As an analogy - It's not "illegal" for a policeman to speed to catch up to a criminal. It's not "illegal" for the NSA to create tools to compromise computers.

You can argue all day as to whether it is illegal to DEPLOY tools, once created, against CERTAIN computers, but I don't think you have a leg to stand on calling the fact that NSA *creates* such a tool - if they even did create one themselves - in any way an illegal act.

Michael Habel
Re: Inevitable

Implying that Windows 8, and Windows 10 are better than an unmaintained Windows XP SP3 Installation. Which can still do it's job. Probably better than those other Two numbskull OSs. Assuming Microsoft were kind enough to continue supporting it. But, alas that way only madness lay. As XP does not contain Tracker's, and (Cr)App Stores to take your Moneyz.

DuncanLarge
Re: Inevitable

"Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows."

It's clear the NSA intended to not inform Microsoft at all as this was part or their arsenal, a secret tool on their version of a Bat Belt. We must blame the NSA as they developed it, hoarded it and then lost control of it when it got out. This should be an example of how such organisations should not be using such methods.

The only way Microsoft knew about this and patched this was because the NSA lost control of the code to ShadowBrokers who then reported it to Microsoft giving them enough time to roll out a patch before a public release.

As you correctly say, anyone could have developed code that exploits the flaw. But who detected that flaw first? So who should have the social responsibility to improve the "cyber" defense of at least their own nation by disclosing such a flaw?

The NSA found it. Kept it secret, then lost the code due to real humans making mistakes or breaking in who discover a pot of "hacker gold" runnable and mature from the fist double click.

For this very reason Apple, correctly, refused to create a version of iOS that could be installed on an iphone to weaken the pin entry screen to allow the FBI entry. Apple knew they could not simply trust that this hacked version of iOS could be kept under control.

inmypjs
Re: Inevitable

"blaming a commercial company for not patching a 13 year"

I think blaming and criticising a company that sold you buggy vulnerable crap and refuses to fix bugs because someone else didn't find and advise them of them soon enough is entirely justified.

I have some compilers from a company with a policy that finding a bug in an obsolete unsupported version of the compiler entitles you to a free upgrade to a current supported version. That would be the policy of a decent company (which Microsoft clearly isn't). Of course Microsoft's current supported version being a piece of shit that no one wants would stymie such a policy.

Wayland
Re: So you're blaming a commercial company for not patching a 13 year old OS?

In my experience with embedded systems there is nothing particularly fancy about the way the PC talks to the special hardware. There is nothing that says it can't be upgraded to say 32 bit Windows 7 or even rewritten for Linux. Much of the code is written in C or Delphi. It would take a bit of work but not impossible.

The problem is that like Microsoft the manufacturers have moved on. They are playing with their next big thing and have forgotten about that old stuff.

What is needed is a commitment from the manufacturers to either support the gear for 30 years or share the code and the schematics. Obviously a consideration would be required from the buyer, I don't see why they should do that for free.

The easiest thing would be to keep XP going and Microsoft will do that if you pay them. The next thing would be to fit each XP system with a hardware firewall. Don't expect XP to protect itself, put a packet sniffing firewall in between.

Dr Who
You could look at an event such as that of the last few days as the Internet's version of a wildfire. In the short run some damage is done but in the long run the fire's job is to clear out dead wood and enable the regrowth of a stronger, healthier ecosystem. Short term pain for long term gain.
Lost all faith...
And in a few years it will all be forgotten. Nachi / Blaster anyone?
katrinab
Not really.

"We've installed the MS security patch, we've restored from back-up. Everything's OK now".

Papworth NHS Trust has had something like 16 of these ransomware attacks in the last 12 months, and hasn't done anything. It is going to take a lot more than this to change management attitudes.

Mage
Internet's version of a wildfire.

No, because very few organisations and users will learn the real lessons.

Patching and AV inevitably often is bolting the stable door after horses gone for the first hit. Yet proper user training and proper IT configuration mitigates against almost all zero day exploits. I struggle to think of any since 1991.

Firewalls, routers, internal email servers (block anything doubtful), all superfluous services and applications removed, no adhoc sharing. users not administrators, and PROPER training of users.

Anonymous Coward

I wish! The idiots who think it's fine to run XP are paid ten times more than me and they'll still be in the same role this time next year. They'll be no getting rid of dead wood, just more winging it and forcing underpaid Techies to work more weekends after more screw ups.

Stuart 22
Is it just me?

Its surely incredible that a lone pizza stuffed actor could get immediate access to the worm and spend a night before he spotted the 'call home' vector? Is that really that hard? And beat the best resourced detection agencies worldwide?

Surely every IT detective agency including GCHQ would have sandboxed it on first sight, thrown their best at it if only to beat their friends across the pond, to save Jeremy Hunt & Mother Theresa's bacon just ahead of a new funding opportunity (aka new government).

It all smells not only of pizza but planted news. And if it is genuine what on earth are we paying this organisation and every anti-virus firm for?

Andy Non
Re: Experts all giving advice how how to stay secure

Went to the doctor's surgery this morning. All the computers were down. I queried if they'd been hit with the malware, but apparently it was as a preventative measure as their main NHS trust has been badly hit, so couldn't bring up any records or even know what the wife's blood test was supposed to be for. Next I'm expecting the wife's hospital appt to be canceled due to the chaos it is causing.

I wonder if we can get a go-fund-me page set up to hire someone to track down this hacker scum and take out a hit on them? A bullet to the brain may give other scumbags something to think about.

Voyna i Mor
Re: Experts all giving advice how how to stay secure

The answer is not to avoid Windows. It's for our so-called security agencies to get to understand that they are not supposed to be a dirty tricks department collecting weapons for use against others, but that they are supposed to work on our national security - which includes public and private services and businesses as well as the Civil Service.

The fact that May and Rudd seem totally unable to get what could go wrong post-Snowden suggests that when one of them became PM, a school somewhere missed the bullet of a particularly anal retentive geography teacher.

Anonymous Coward

Re: Experts all giving advice how how to stay secure

Actually Windows 10 was affected, but because it patches more aggressively the March fix was already applied to must unless they had different WSUS settings in a business/edu environment.

Ferry Michael
Re: Experts all giving advice how how to stay secure

Windows 10 STILL has SMBv1 needlessly enabled by default. Should either be disabled by default or removed all together. Wonder when someone will find another exploitable weakness. Staying secure means turning off protocols you don't need.

I have a dual boot laptop that has not booted to Windows since before March - I need to review what services it has enabled to make it a bit more secure before I connect it to the Internet to download latest patches.

Patching and anti-virus software take time to apply after a vulnerability has been discovered. That can be too late.

roblightbody
Re: Experts all giving advice how how to stay secure

From https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

"Customers running Windows 10 were not targeted by the attack today."

Voland's right hand
Re: Experts all giving advice how how to stay secure

Some people do not have any choice. When the X-ray machines in the affected hospital trusts were bought using Windows XP (or even 2001) imaging software, that was state of the art. The issue is that the life of a piece of equipment like this vastly exceeds the lifespan of the OS that was used for the control system. On top of that, quite often these cannot be patched as the software is written so badly that it will work only with a specific patch-level of the core OS.

That CAN and SHOULD be mitigated by:

0. Considering each and every one of those a Typhoid Mary in potentia

2. Preventing any communication except essential management and authentication/authorization going out

3. Providing a single controlled channel to ship out results to a location which we CAN maintain and keep up to date.

Instead of that, criminally stupid idots at NHS IT in the affected trusts as well as other enterprises which were hit:

1. Put these unpatchable and unmaintainable machines in the same flat broadcast domain with desktop equipment. There was no attempt at isolation and segmentation whatsoever.

2. In some cases allowed use of unrelated desktop applications (at ridiculously ancient patch-levels) such as Outlook or even Outlook Express.

3. Opened file sharing on the machines in question.

Each of these should be a sackable offense for the IT staff in question.

mcpharm
Re: Experts all giving advice how how to stay secure

It's more than incompetent IT people and way worse and virtually impossible to fix.

There is a lot of niche or specialist custom software used in the nhs that can only work on XP and ie 6 period. Most of the people who wrote are dead or retired etc

Systems vendors to the NHS are borderline criminal. In pharmacy, there are only 1 of 4 mandated systems vendors you can choose. The 3 desktop based ones have so much legacy crap etc that they still only work on windows 7. They also insist on bundling in a machine to just a stupid high cost to a tech illiterate customer base - generally a cut down crappier version of something you could by uin argos for 300 quid they will charge over a grand for. Their upgrade cycles are a f**king joke and their business model makes their customers very reluctant to do so as they have fork out silly money

for a new shit machine just cos their vendors tells they have to .. our superdupa crap shit fuck software will only work on a machine we provide. Emis/proscript have alot to answer for ..

Lots of the staff and their employers are basically proud of being a digital numbskull. "I am healthcare professional, why should i have to know anything about this" and the drones are so poorly paid / bitched at incessantly about everything they just have an" i dunno i just work here, that's not my job attitude" I have to screenshare to train people how to use our websites .. this means i have to get them stick a url into their browser, that's it ... you have no idea how many can't do that .. then get all offended when i ask them what browser they are using .. "i don;t know, why should i know that, i just use google" is always the response .. when half the nhs work force doesn't know what a f**king browser is and peversely proud of the fact they can't type a url into a brower address bar, how on earth are we ever going to hav any sunnvbnf0ijgogjrnb;vzjnav;kjnnf;kqgfnjv;jnf;jjvn;w

Data Security has turned into one of these tick box things, everyone has dire warning, you will be fined loads of money for doing something wrong that you don't understand and actively don't want to understand so no one gives a f**k as long as they can say they ticked the right boxes.

Anonymous Coward

A dish best served cold

Now, I would *hate* to start an internet rumour... but didn't the USA promise a retaliation? :-)

  • https://www.theguardian.com/us-news/2016/dec/16/obama-retaliation-russia-hacking-us-election
  • http://www.bbc.com/news/world-39919249

Yupp, there was some collateral damage amongst their allies, but thats the new normal.

Anon because I might be right ;-)

Naselus
Re: A dish best served cold

"Anon because I might be right"

You aren't.

Firstly, a state actor attack would be far better targeted. Stuxnet, for example, actually checked the serial numbers of the centrifuges it targeted to ensure that it only hit ones created in the right date span to impact only those bought by Iran. The vector on this attack, on the other hand, literally just spammed itself out to every available IP address that had port 445 open.

Second, US retaliation would almost certainly involve using a few zero-days. If you want to prove that you have vastly more power than your opponent, then you want to do something that literally resembles friggin' magic from his point of view. You want to show him that he can do nothing whatsoever to defend his critical infrastructure from your attacks. This did not; nothing in this hadn't already been discovered and patched. If the best thing the US can throw at Russia could be taken out by just switching on your WSUS server in the past three months, then there's no point even doing it because it would make them look weak, not strong.

Thirdly, and most importantly, most of the original bits of this were actually quite shittily written. Oh sure, there was a genuine bit of high-tech NSA code in there from the shadow broker leak... but there was also a fair load of primitive crap there too. It's a bit like an 16 year old came into possession of an F-16; it was destructive as hell but he didn't really know how to fly it.

I've just finished in a webinar on the incident, and there's literally 5 different layers of my SMB's security that blocked this (patching, permissions, firewall, commercial AV, VLANs). And we're not exactly cutting-edge - just running best practice.

In short, if this was state-backed, then the state in question would have to be somewhere like Honduras, not one of the big-league infosec powers.

Anonymous Coward

On the topic of NSA exploits being used by WannaCry, was the DOUBLEPULSAR exploit patched with MS17-010?

Commswonk
I can't help thinking that announcing the discovery of the kill switch might not have been a good idea.

And you should see the number of downvotes I got in another thread for suggesting exactly that.

Another commentator stated (if I understood him correctly) that the "public announcement" was more or less irrelevant because security experts' chatter on blogs would have given the game away anyway.

In turn that made me think along the lines of " FFS what sort of security experts swap notes on blogs that may be / almost certainly are open to being read by the hackers "

I think I despair... if the above is true then there is simply no hope.

Norman Nescio
Possibly not an intentional kill switch

As the Malwaretech blog entry here:

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

points out, it was quite possibly not an intentional kill switch.

Some malware probes for the existence of a selection of randomly generated domains. Some sandbox VMs respond to all DNS lookups by providing back the IP address of the sandbox VM instance. If the malware sees a positive response to the DNS lookups (which should fail), then the logic is that it is probably running in a sandbox VM, which may well be being used to analyse/investigate the malware, so the malware stops running.

The single lookup of the unusual domain name was possibly a poor implementation of this technique.

Alternatively, it is an intentional kill switch, used during development, with a local DNS server on the malware developer's LAN, the function of which was to prevent infection of other devices on the same LAN. If anyone keeps records of DNS lookups, it might be interesting to see where the first lookups came from.

Bill Gray
Re: Possibly not an intentional kill switch

@Norman Nescio : "...The single lookup of the unusual domain name was possibly a poor implementation of this [sandbox detection] technique."

I read the Malwaretech log (excellent description of why you'd look for a nonexistent domain to determine if you're sandboxed) and thought: OK, so the virus writer should check a randomly generated domain, instead of a fixed one. That way, they can't all be registered, your virus can't be kill-switched the way this one was, and your virus can still tell if it's being run in a sandbox.

Except the folks creating sandboxes might take the precaution of checking the domain. Instead of returning a valid result for any garbage domain, check to see if it's been registered first. Suddenly, the virus can no longer tell that it's running in a sandbox.

Except then, the virus author checks four or five valid domains; if they all return identical results, you know you're running in a sandbox. (Reading further, I see that this method is actually used in some cases.)

Except that _then_, the sandbox authors do some revisions so that seemingly accurate results are returned that are actually remapped by the sandbox code.

This is all outside my area of expertise. Still, I could see a nearly endless cycle of fix/counter-fix going on here.

Blotto
Ransome code is not proxy aware, kill switch won't work in most enterprises.

the code is not proxy aware and the kill switch would not work in well structured environments where the only access to the net is via a configured non transparent proxy.

Enterprises will need to think a bit harder about how they ensure the kill switch is effective this time. The miscreants wont make this same mistake next time.

Talking about the kill switch is good, wouldn't have taken the miscreants long to work out something was not right anyway.

Anonymous Coward

What is the motivation here? Is all it seems to be...

<Black Helicopter Icon>

Ransomware usually works on a relatively widespread basis but usually SMB, and domestic users. Big organisations and governments, generally are defended (although clearly some well publicised exceptions)

The beneficiaries are usually relatively safe as law enforcement cannot usually be bothered to investigate and the cash rolls in for the most desperate victims.

In this case, knowing there are a number of nation state backed cyber defence teams looking into this... they either a) have balls big enough to need a wheelbarrow and believe that they wont get caught no matter what and cyber defence is really too hard to deliver effectively, regardless of backers. or b) that they are insanely stupid and greedy and are not following the news...

Or is this already a state backed exercise from somewhere and is simply a global experiment at our expense? The fact the original flaw was used by the NSA is not really relevant, it simply got it publicity but was clearly available for a long time.

Anonymous Coward

Re: What is the motivation here? Is all it seems to be...

Given that the only safe/undetected way of laundering the bitcoins will be to buy drugs or guns or other such illegal goods on the darkweb and then turn that into cash by selling it on then the perps are as you say both greedy and insanely (criminally) stupid. No doubt they'll have their comeuppance shortly - without being "caught" by any nation state backed cyber defense team - probably up some dark alley being stiffed by gangbangers.

Probably just some kid :-(

gerritv
The warning was there in Sep 2016!!

We were told to stop using SMB v1 in Sep 2016. The only reason to keep it enabled is to use it with XP!

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

IanMoore33
MS should hire the NSA hackers

maybe they can teach them something about software

Anonymous Coward

In light of this threat I just got around to patching a somewhat neglected Windows 7 PC. And now it's got a message from Microsoft (falsely) saying it's not genuine. It may not be registered but it's certainly a legitimately purchased copy. So far it's just a tiny message in the corner of the screen but who knows what else it'll do. I don't have time for this. Guess I'll roll back the update and take my chances.

This bullshit is what I blame more than anything, even the NSA, for outbreaks like this. If Microsoft had an update channel for security patches only, not unwanted features and M$'s own brand of malware, people would but alot more inclined to stay up to date.

Anonymous Coward

The goal here was 2 fold.

1. Hurt Russia.

2. Hurt NSA credibility.

Everything else is gravy for the attackers. Rumors running around that this is Deep State sponsored coming out of various cliques in intelligence agencies in retaliation for the Vault 7 leaks.

Lion
Peer creds

The scum are obviously in hiding - either on a luxury yacht on the Black Sea or in a basement somewhere. I'd hazard a guess it is the latter. There must be other scum in the same racket who know who the are. I wonder if they have earned any street creds for what they did?

  • - chaos (not really)
  • - financial bonanza (nope)
  • - media attention (big win)
  • - shit disturbing (yep - mostly stirred the NSA and Microsoft)
  • - rattle some chains (mostly IT departments)
  • - peer envy (I doubt it)

Their reward beyond the $30K they collected will be prison (blackmail and extortion are felonies).

John Smith 19
So the haul from this little operation is currently what $60K?

V. Poor criminal work. Extortion technique needs more work. Clean up costs have probably been in the $m.

Jim Birch
Re: So the haul from this little operation is currently what $60K?

This is a fairly typical ratio of realized proceeds of crime to cost of crime and prevention measures. The economic case for crime reduction is overwhelming. But it's easier said than done. People are creative, even (especially?) criminals.

truloxmyth
Its a sign of the times that no government is actually interested in Universal security, for the greater good of human kind. We're at a point where everything is now based online, and everyone in the world is connected.

The internet has removed the idea of 'borders' in the traditional sense!! I don't have to get on a plane to Italy, to see Italy. I can log onto remote cameras and a host of other online services, which mean I can be in the country without having to physically be in the country!

The NSA wasn't even bothered about protecting their own country... They didn't release this data, to allow the problem to be solved. If I were American I would be Pissed that my own government has been complicit in this entire debacle by keeping this quiet, and didn't release the information to the wider security community when they found the holes!!

If your doctor found you had terminal cancer, but they had a product that would guaranteed slowing of the cancer or entire removal of the disease then you would expect them to tell you wouldn't you?! But when the shady NSA finds a potentially life threatening exploit, they keep it to themselves?!... the middle letter of NSA stands for SECURITY for effs sake!!

There is no such thing as trust anymore between so called 'allies' as the NSA has just proved. It has also proved that life is worthless to them. This is clearly due to their inability to see the bigger picture of what they have A. Created, and B. Allowed to be released into the wild!!

Yes someone in their bedroom could have found the exploit, but that's a bedroom hacker/cracker. But you put pretty much unlimited resources and man power behind a department, then they are clearly going to come up with the exploit a billion times faster than a sole agent. Or even a collective of agents separated over the globe.

So all this stupidity that the NSA shouldn't be held accountable should be rethought. Because they CLEARLY are at fault here, for NOT DISCLOSING THE INFORMATION LAST YEAR!!!

[May 15, 2017] In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely

Notable quotes:
"... At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, " pay extra money to us or we will withhold critical security updates " can be seen as its own form of ransomware. ..."
"... This attack happened because the US Government didn't do it's job. It's primary task is national defense. It kept a vulnerability to itself to attack foreigners instead of protecting it's own infrastructure, businesses and individuals. The government had these tools taken and passed around for everyone to use. And crap like this is why governments can never be allowed to have backdoors. The secrets will always get out. Everyone is vulnerable. ..."
"... There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it. Arbitrary sunset dates disconnected from reality of who is still using software amount to nothing more than sales tools intended to extort upgrade revenue.... buy this or get owned. ..."
"... I personally don't believe vendors should be allowed to walk away from safety defects in products in order to make money on upgrades. Buffer overflows are entirely preventable classes of software failures. It is a tractable problem to solve. That it may not be in the case of XP isn't the end users problem. ..."
"... XP was far easier to lock down and fully secure than 8 or 10 with that bullshit telemetry, and it had far fewer hardware restrictions. It is smaller and faster and more capable at most of my tasks than most modern systems (example: I use ManyCam 3.0.80 - 2000/XP-Era multi-cam software. Runs like a champ on XP with 4 webcams, I go 7 [Ultimate] or higher, I can no longer use more than 2 webcams despite the software having the ability to access them and me having more than enough USB bandwidth for the uncompressed video streams.) ..."
"... Most real IT pros know that XP was far superior to the locked-down and (quite often) over-optimized (as in the optimizations go so far as to make the code more complex and actually runs slower due to shit like cache misses and what not) bullshit that is anything after Windows 7. ..."
"... Forever support isn't reasonable, but at the same time vendors using security update channels to push unwanted upgrades for the benefit of the vendor is equally bad. ..."
"... They already exist. They're called routers. Network routers can be configured to provide great deal of protection to machines that are older and cannot be patched. Many contain firewall software. Even simple ones can be configured to block traffic on vulnerable ports. ..."
"... Abandoning Operating Systems is a cruel trick played by vendors who want the new revenue from upgrades...no matter what the cost in lost-business, learning-curves, and incompatibilities with existing practices may be to the customers.. Spending money on maintaining the security (even excluding features) of superceded products distracts from development of improved products, and is not in the vendors' self-interest. ..."
"... do those devices NEED internet connection? serious question as i don't know. if not, no problem ..."
"... Bad car analogy. Firstly many old cars are banned from using critical infrastructure like highways (or in some cases any roads) for their obvious threat to third parties and their owners. ..."
www.theserverside.com

In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times:

At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware.

In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms.

However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.

Microsoft supported Windows XP for over a decade before finally putting it to sleep.

In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?

acoustix ( 123925 ) on Monday May 15, 2017 @01:01PM (#54419597)

Wrong Approach (Score:2)

This attack happened because the US Government didn't do it's job. It's primary task is national defense. It kept a vulnerability to itself to attack foreigners instead of protecting it's own infrastructure, businesses and individuals. The government had these tools taken and passed around for everyone to use. And crap like this is why governments can never be allowed to have backdoors. The secrets will always get out. Everyone is vulnerable.

WaffleMonster ( 969671 ) on Monday May 15, 2017 @12:09PM (#54419177)

Artificial scarcity (Score:2)

There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it. Arbitrary sunset dates disconnected from reality of who is still using software amount to nothing more than sales tools intended to extort upgrade revenue.... buy this or get owned.

I personally don't believe vendors should be allowed to walk away from safety defects in products in order to make money on upgrades. Buffer overflows are entirely preventable classes of software failures. It is a tractable problem to solve. That it may not be in the case of XP isn't the end users problem.

jrifkin ( 100192 ) on Monday May 15, 2017 @11:55AM (#54419015)

Yes. It's like vaccinations (Score:2)

If the number of older systems is large enough, then Yes, Microsoft should release patches for them.

They should do this for two reasons:

1) Reducing the number of infected systems helps protect others from infections

2) It protects the innocent, like those whose Medical Care was interrupted in the UK, from collateral damage.

Who pays for it? Microsoft. They have benefited from the sale of all those systems, and certainly have enough cash to divert some to supported old but prevalent systems. Also, the fact that people still use MS systems, even if they're old, benefits MS in some way by helping them maintain market share (and "mindshare"). Odds are that these systems will eventually be replaced by more MS systems, representing future revenue for MS.

Khyber ( 864651 ) <techkitsune@gmail.com> on Monday May 15, 2017 @11:50AM (#54418981) Homepage Journal

Re: Silly idea (Score:2)

"I think there is clearly one party at fault, and it is IT."

Why so? XP was far easier to lock down and fully secure than 8 or 10 with that bullshit telemetry, and it had far fewer hardware restrictions. It is smaller and faster and more capable at most of my tasks than most modern systems (example: I use ManyCam 3.0.80 - 2000/XP-Era multi-cam software. Runs like a champ on XP with 4 webcams, I go 7 [Ultimate] or higher, I can no longer use more than 2 webcams despite the software having the ability to access them and me having more than enough USB bandwidth for the uncompressed video streams.)

Most real IT pros know that XP was far superior to the locked-down and (quite often) over-optimized (as in the optimizations go so far as to make the code more complex and actually runs slower due to shit like cache misses and what not) bullshit that is anything after Windows 7.

swb ( 14022 ) on Monday May 15, 2017 @12:20PM (#54419293)

It's an existential problem (Score:2)

Forever support isn't reasonable, but at the same time vendors using security update channels to push unwanted upgrades for the benefit of the vendor is equally bad.

My guess is that we're going to be getting to the end of the road of the "nasty, brutish and short" state of nature in the software industry and start seeing more regulations.

Vendors will be able to EOL their products, but will also have to supply security updates for N years after the product is officially ended. Vendors will be required to maintain a security update channel which may not be used for pushing upgrades or unrequested new products.

An interesting solution would be to let vendors "expire" a version by inserting a patch that boots the OS at a warning page requiring a firm verbal commitment ("I agree this is obsolete") before booting any further. Vendors would be REQUIRED to do this for operating systems they had obsoleted but only after their N years of post-EOL support had ended.

This way, nobody escapes the product being EOL. Customers can still use it, but must affirmatively acknowledge it is obsolete. Vendors are required to keep supporting it for a really long time after official EOL, but they can kill it more completely but only after the EOL support period.

Anonymous Coward on Monday May 15, 2017 @10:44AM (#54418429)

No (Score:5, Insightful)

No. You can't support legacy software forever. If your customers choose to stay with it past it's notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.

jellomizer ( 103300 ) on Monday May 15, 2017 @10:48AM (#54418451)

Re:No (Score:4, Insightful)

I will need to agree with conditions. If the Tech company is selling service contracts for that product, they will need to update it. However like XP and older, where the company isn't selling support, and had let everyone know that it off service, they shouldn't need to keep it updated. Otherwise I am still waiting for my MS DOS 6 patch as it is still vulnerable to the stoner virus.

AmiMoJo ( 196126 ) <mojo AT world3 DOT net> on Monday May 15, 2017 @12:11PM (#54419217) Homepage Journal

Re:No (Score:4, Insightful)

The people providing support should be the ones making MRI scanners, ATMs and other expensive equipment that only works with XP. Even when XP was brand new, did they really expect those machines to only have a lifetime of around 10 years? Microsoft was clear about how long support was going to be provided for.

It seems that people are only just waking up to the fact that these machines have software and it needs on-going maintenance. The next decade or two will be littered with software bricked but mechanically sound hardware, everything from IoT lightbulbs to multi-million Euro medical equipment.

In fact it's already happening. You can buy DNA sequencers on eBay, less than a decade old and original price $500,000, now barely worth the shipping because the manufacturer abandoned support.

number6x ( 626555 ) on Monday May 15, 2017 @12:18PM (#54419269)

They already exist (Score:4, Insightful)

They already exist. They're called routers. Network routers can be configured to provide great deal of protection to machines that are older and cannot be patched. Many contain firewall software. Even simple ones can be configured to block traffic on vulnerable ports.

In this case, a router could be configured to keep the SMB port (445) blocked. A router, with updated software, and a firewall gateway can help protect even older devices with embedded code that may no longer be supported.

Of course, it goes to say, that you must keep the router's software updated and not use default credentials on the router.

The NHS decided to not upgrade many old systems because the threat was deemed minimal. Offices were urged to upgrade but funds were not made available and infrastructure budgets were cut again and again. Multiple bad decisions led to this result.

Many things could have prevented it. Better funding, better threat assessment, the NSA informing Microsoft of the vulnerability so it could have been patched years ago, and on and on...

In the end we are here, and hopefully threats will be re-prioritized and better protections will be put in place in the future (I could not keep a straight face while typing that and finally burst out laughing).

bugs2squash ( 1132591 ) on Monday May 15, 2017 @10:45AM (#54418433)

Don't be silly (Score:2)

this did not need to be fixed with an OS patch, it could have been prevented with better network security policies. I would be surprised if someone hadn't said something about addressing the vulnerability earlier but probably got ignored because of some budgetary issue.

It would be more reasonable to call for continued money to be made available to address these vulnerabilities after a system has gone into production and a move to use more open source solutions where users can share patches.

CAOgdin ( 984672 ) on Monday May 15, 2017 @11:07AM (#54418613)

I recommend a Subscription model... (Score:3)

Abandoning Operating Systems is a cruel trick played by vendors who want the new revenue from upgrades...no matter what the cost in lost-business, learning-curves, and incompatibilities with existing practices may be to the customers.. Spending money on maintaining the security (even excluding features) of superceded products distracts from development of improved products, and is not in the vendors' self-interest.

Given that a new Operating system (retail) is in the $100-$150 range, I'd propose "Life Extension" service subscription, solely for security updates in the $30-35/year range...with a required minimum of 10,000 customers to keep maintaining the service. That provides enough revenue ($1,000,000+ per annum) to support a small, dedicated staff.

Frankly, there's no reason that a M$ couldn't engage in a Joint Venture with a small qualified, independent security firm to provide the service, with special access to proprietary information within the O.S. vendor.

It would be an investment in the rehabilitation of the O.S. vendors' reputation, because M$ has gotten quite high-handed in recent years, dictating (or even forcing) software on unwilling customers.who have existing businesses to run.

ToTheStars ( 4807725 ) on Monday May 15, 2017 @11:29AM (#54418801)

What if we tied support to copyright? (Score:5, Interesting)

Slashdot generally doesn't like ludicrously-long copyright terms, right? What if we made maintenance a requirement for retaining copyright over software? If Microsoft (or whoever) wants to retain a copyright on their software for 70 years, then they'd better be prepared to commit to 70 years of support. If they want to EOL it after 5 years or 20 years or whatever, and wash their hands of responsibility, that's fine, but then it's public domain. Why should we let companies benefit from software they don't support anymore?

This could also work for art works, as well -- because copyright exists "To promote the Progress of Science and useful Arts," we could make it a requirement that an author (or company, or whatever) needs to be distributing (or licensing for distribution) a work to have copyright on it. When it's out of print, it enters the public domain.

Hartree ( 191324 ) on Monday May 15, 2017 @11:07AM (#54418625)

Yes, because WinXP was never killed off. (Score:2)

It also lives on in many scientific instruments. An old mass spec that runs XP (or even older. I regularly maintain X Ray diffraction machines that still run DOS) usually can still do the day to day job just fine. The software usually hasn't been supported for many years and won't run on anything newer. But replacing the instrument could cost a large amount of money (250K or up in many cases).

Research budgets aren't growing and I work for a university in a state that can't pass a budget. We just don't have the money to throw out older systems that work well just because the software is outdated. We just take them off the network and use other means to get the data transferred off of them.

ganjadude ( 952775 ) on Monday May 15, 2017 @11:37AM (#54418873) Homepage

Yes, because WinXP was never killed off. (Score:2)

do those devices NEED internet connection? serious question as i don't know. if not, no problems

DontBeAMoran ( 4843879 ) on Monday May 15, 2017 @11:22AM (#54418727)

Re:Bitcoin is the problem (Score:2)

Because ransomware did not exist before Bitcoin. :rolleyes:

jellomizer ( 103300 ) on Monday May 15, 2017 @11:12AM (#54418661)

Re:Silly idea (Score:2)

What happens if a still used software isn't owned by anyone any more. The Company is out of business, There is no source code available. There is a point where the end user has some responsibility to update their system. Like the Model-T they may still keep it, and use it for a hobby, but knowing full well if you take it on the Highway and get in an accident you are probably going to get killed.

thegarbz ( 1787294 ) on Monday May 15, 2017 @12:08PM (#54419169)

Re:Silly idea (Score:3)

Bad car analogy. Firstly many old cars are banned from using critical infrastructure like highways (or in some cases any roads) for their obvious threat to third parties and their owners.

Also this isn't hobbies we're talking about. No one gives a crap if someone's Model T toy breaks down, just like no one will cry about the Windows XP virtual machine I play with at home.

The only complaints are against critical services, internet connected machines that operate and provide livelihoods for the owners. If the software isn't owned by anyone, ... well I'm sure the owner provided an unbiased risk assessment as to whether they should migrate to something that is supported by someone right? Didn't think so.

The end user has 100% of the responsibility, and dollars don't change that.

[May 15, 2017] Further Analysis of WannaCry Ransomware McAfee Blogs

May 15, 2017 | securingtomorrow.mcafee.com

WannaCry offers free decryption for some random number of files in the folder C:\Intel\<random folder name>\f.wnry. We have seen 10 files decrypted for free.

In the first step, the malware checks the header of each encrypted file. Once successful, it calls the decryption routine, and decrypts all the files listed in C:\Intel\<random folder name>\ f.wnry.

A code snippet of the header check:

The format of the encrypted file:

To decrypt all the files on an infected machine we need the file 00000000.dky, which contains the decryption keys. The decryption routine for the key and original file follows:

Bitcoin activity

WannaCry uses three Bitcoin wallets to receive payments from its victims. Looking at the payment activity for these wallets gives us an idea of how much money the attackers have made.

The current statistics as of May 13 show that not many people have paid to recover their files:

  • Wallet 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • Wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • Wallet 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The attackers appear to have earned a little over BTC 15.44 (US$27,724.22). That is not much considering the number of infected machines, but these numbers are increasing and might become much higher in the next few days. It's possible that the sink holing of two sites may have helped slow things down:

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Multiple organizations across more than 90 countries have been impacted, according to reports.

We will update this blog as we learn more.

[May 14, 2017] Cyber-attack could escalate as working week begins, experts warn by Robert Booth

May 14, 2017 | www.theguardian.com

"Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice," said Oliver Gower from the National Crime Agency.

A computer security expert credited with stopping the spread of the ransomware on Saturday by activating a digital "kill switch" warned on Sunday that a fresh attack was likely.

The expert, known only as MalwareTech on Twitter, said hackers could upgrade the virus. "Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw," he said on Twitter . "You're only safe if you patch ASAP."

On Sunday, Microsoft issued a security bulletin marked "critical" including security updates that it said "resolves vulnerabilities in Microsoft Windows".

It emerged over the weekend that NHS Digital last month emailed 10,000 individuals in NHS organisations warning them to protect themselves against the specific threat of ransomware and included a software patch to block such hacks on the majority of systems. However, it would not work with outdated Windows XP systems that still run on about 5% of NHS devices.

NHS Digital said it did not yet know how many organisations installed the update and this would be revealed in a later analysis of the incident.

... ... ...

Amber Rudd, the home secretary, who is leading the response to the attack, said the same day: "I don't think it's to do with ... preparedness. There's always more we can all do to make sure we're secure against viruses, but I think there have already been good preparations in place by the NHS to make sure they were ready for this sort of attack."

[May 14, 2017] More disruptions feared from cyberattack; Microsoft slams US secrecy

May 14, 2017 | www.atimes.com

In a blog post late Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the US National Security Agency, that leaked online in April.

He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Smith wrote. He added that governments around the world should "treat this attack as a wake-up call" and "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

The NSA and White House did not immediately respond to requests for comment about the Microsoft statement.

A general view of the Dharmais hospital in Jakarta, Indonesia May 14, 2017. REUTERS/Darren Whiteside
The Dharmais hospital in Jakarta was targeted by the Wannacry "ransomware" worm. Photo: Reuters/Darren Whiteside

US President Donald Trump on Friday night ordered his homeland security adviser, Tom Bossert, to convene an "emergency meeting" to assess the threat posed by the global attack, a senior administration official told Reuters.

Senior US security officials held another meeting in the White House Situation Room on Saturday, and the FBI and the National Security Agency were working to help mitigate damage and identify the perpetrators of the massive cyber attack, said the official, who spoke on condition of anonymity to discuss internal deliberations.

The investigations into the attack were in the early stages, however, and attribution for cyberattacks is notoriously difficult.

The original attack lost momentum late on Friday after a security researcher took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.

Code for exploiting that bug, which is known as "Eternal Blue," was released on the internet last month by a hacking group known as the Shadow Brokers.

The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number would grow when people return to work on Monday.

[May 14, 2017] International manhunt to find criminals behind global cyber attack

Notable quotes:
"... French police said there were "more than 75,000 victims" around the globe, but cautioned that the number could increase "significantly". ..."
May 14, 2017 | timesofindia.indiatimes.com

International investigators hunted for those behind an unprecedented cyber-attack that affected systems in dozens of countries, including at banks, hospitals and government agencies, as security experts sought to contain the fallout.

The assault, which began on Friday and was being described as the biggest-ever cyber ransom attack, struck state agencies and major companies around the world - from Russian banks and British hospitals to FedEx and European car factories.

"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," said Europol, Europe's police agency. Europol said a special task force at its European Cybercrime Centre was "specially designed to assist in such investigations and will play an important role in supporting the investigation".

The attacks used ransomware that apparently exploited a security flaw in Microsoft operating systems, locking users' files unless they pay the attackers a designated sum in the virtual currency Bitcoin. Images appeared on victims' screens demanding payment of $300 in Bitcoin, saying: "Ooops, your files have been encrypted!" Payment is demanded within three days or the price is doubled, and if none is received within seven days the files will be deleted, according to the screen message.

But experts and government alike warn against ceding to the hackers' demands. "Paying the ransom does not guarantee the encrypted files will be released," the US Department of Homeland Security's computer emergency response team said.

Mikko Hypponen, chief research officer at the Helsinki- based cyber security company F-Secure, told AFP it was the biggest ransomware outbreak in history, saying that 130,000 systems in more than 100 countries had been affected.

... .... ....
French police said there were "more than 75,000 victims" around the globe, but cautioned that the number could increase "significantly".

[May 14, 2017] A global outbreak of computer extortion virus: Tianjin enterprise release letter WannaCry worm infection emergency treatment

May 14, 2017 | www.aiainews.com
on May 12, called "encryption" (Wannacry) "worm" blackmail software in large-scale spread around the world.The software using the Windows SMB services vulnerabilities, documents, pictures, etc. Of computer implementation of high-strength encryption, and ransom.Currently, including universities, energy and other important information system, more class user attack, have serious security threat to China's Internet network.

a, infected host emergency isolation methods given WannaCry worm has a great risk, all the known infected host must isolate their work from the current network.

in view of the file has been damaged by worms, as of 2017/5/14 haven't found any effective means to restore.To prevent further spread worms, it is forbidden to infected host any file copy to other host or device, it is strictly forbidden to known infected host to access any network.

2, important documents emergency handling methods in order to ensure the important document is not destroyed by WannaCry worms, minimize loss, all uninfected hosts or ban on uncertain whether infected host.

the type host need to adopt the method of physical copy for processing, i.e., the host opens by the professionals, remove all the hard disk where important files, and use the external devices mounted to determine uninfected hosts will be copied.

to prevent secondary infection, copy the file must be in the isolation zone for processing.

it is strictly forbidden to hard disk may be infected by the IDE and SATA motherboard interface mounted directly to the copy machine, in order to prevent the copying machine use the hard disk boot, leading to possible infection.

existing in the network, have access to all Windows host should adopt the method of important file backup.

after the physical copy process, in accordance with the: three, host, emergency detection strategy is used to detect the emergency treatment.

the temporary absence of these conditions or because of some must be switched on, it is important to ensure keep access to the Internet boot in out of the office network environment (such as 4 g networks, ordinary broadband, etc.), at the same time must be the entire keep clear of the Internet.(access to the Internet standard for success: can open the following web site in the browser, and see the content as shown: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

)

for classified machine cannot access to the Internet, make sure the web server, network configuration and the domain name resolution to access the Intranet server.

the Intranet server home page must return the following contents:

sinkhole. Tech - where the bots party hard and the researchers harder. & lt;!- h4 - & gt;At the end of the temporary boot process, shutdown and physical copy process.

3, host, emergency detection strategies in view of the physical copy after the host, to make the following treatment:

test be mounted hard drive Windows directory, see if there are files: mssecsvc. Exe, if there are infected.

in view of the host other boot, check whether there is a file system disk Windows directory: mssecsvc. Exe.Check whether there is a service in the system mssecsvc2.0 (see specific operation at the end of this section).Any one is exists to prove that is infected.

for there is a firewall with other logging equipment in the network, check whether there is in the log of domain name: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, if any, prove the existence of network within the infected host.In view of the infected host detect, be sure to at the end of the physical copy process format for all the hard disk.

similar to the host if there is a backup before 2017/4/13, full recovery operations can be performed (including system disk as well as other all), a backup after this time may have been infected, not for recovery.

in view of the network known to exist the infected host, prohibit open closed host, at the same time to physical copies of the host process.For the host has been switched on, immediately shut down, and the physical copy process.Attachment: the method of inspection service:

Windows + R key to open the "run" window:

input services. MSC enter, open the service administration page:

check all items in the" name "column, there mssecsvc2.0 suggests that infected.

4, uninfected hosts emergency defense strategy

to an infected host, there are four emergency defense strategy.

one strategy as the most effective means of defense, but takes longer.Other strategies for temporary solution for unable to implement strategies for temporary use.

application strategy two or three in the host will not be able to access the network sharing, please carefully use.

in no immediate application strategy and suggestion first application strategy four temporary defence.No matter use what kind of temporary strategy, all must be application strategy as soon as possible in order to achieve complete defense.

under 10 version for Windows host, suggest to upgrade to Windows 10 and update to the latest version of the system.Because of the situation cannot upgrade, be sure to use an emergency defense strategy for defense.

strategy one: install MS17-010 system patches

according to the system version, install patches MS17-010.With Windows 7 and above can be gained through the automatic updates to install all patches, Windows xp, Windows 2003 and Windows vista can be gained by installing temporary tools provided with the document.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

strategy 2: closing loopholes related services

by professionals using the following command to close loopholes related services:

sc stop LmHosts

sc stop lanmanworkstation

sc stop LanmanServer

sc config LmHosts start = DISABLED

sc config lanmanworkstation start = DISABLED

sc config LanmanServer start = DISABLE

strategy 3: configure the firewall ban vulnerabilities related port

for Windows 2003 or Windows xp system, click on the start menu, and open the "control panel".

double click the" Windows firewall "option in control panel, click on the" exception "TAB, and uncheck the" file and printer sharing ", and click ok.

for Windows 7 and above system, click on the start menu, open the control panel, click on the" system and security "" Windows firewall".

in Windows firewall configuration page, click the" allow the procedure or function through Windows firewall "option, click at the top of the" change Settings ":

in the list to find" file and printer sharing "checkbox, uncheck the, click ok in the end.

strategy 4: use the vulnerability defense tool

360 company provides tools for temporary immune defense worm, this tool can be downloaded in the 360 site.

directly to perform this tool can be simple to defence, every time to restart the host must perform this tool again.

5, emergency public server and network security defense strategy

on public server (such as web sites, public system, etc.) most can connect to the Internet, for Windows server 2008 r2 and higher versions, suggested that open system "automatically update" function, and install all patches.

for Windows server 2003, you can choose four, uninfected hosts emergency strategy of defense strategy for defense, at the same time Suggestions as soon as possible to upgrade to higher version of the server (such as Windows 2008 r2).

according to the internal network, need to ensure the safety of the host of the case to prevent possible infection.

without using the sharing function, but on firewalls, routers and other equipment 445 port access is prohibited.

since this worm using domain name: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com as "switch", instantly attacks when unable to access the domain name.Therefore, the ban on the network security devices such as firewall and IPS intercept this domain name, otherwise it will trigger the infected host encryption process, cause irreparable damage.

use Intranet private DNS, be sure to configure the domain analysis, and point to survive in the Intranet web server.The Intranet server home page should be returned the following contents:

sinkhole. Tech - where the bots party hard and the researchers harder.

& lt;!- h4 - & gt;

net letter tianjin municipal party committee office, network security and information technology evaluation center

    A+
Date:2017-05-14 Tag: do   emergency   Tianjin   global   worm   infection   WannaCry   method   virus   computer  

[May 14, 2017] Along with hospitals some automanifactures were hit

May 14, 2017 | www.atimes.com
Targets both large and small have been hit.

Renault said on Saturday it had halted manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems.

Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England, hundreds of hospitals and clinics in the British National Health Service, German rail operator Deutsche Bahn and International shipper FedEx Corp

A Jakarta hospital said on Sunday that the cyber attack had infected 400 computers, disrupting the registration of patients and finding records. The hospital said it expected big queues on Monday when about 500 people were due to register.

'Ransom' paymentsmay rise

Account addresses hard-coded into the malicious WannaCry software code appear to show the attackers had received just under US$32,500 in anonymous bitcoin currency as of 1100 GMT on Sunday, but that amount could rise as more victims rush to pay ransoms of US$300 or more to regain access to their computers, just one day before the threatened deadline expires.

[May 14, 2017] Wanna Cry variant without kill switch exists in the wild since May 13

May 14, 2017 | motherboard.vice.com

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday.

[May 14, 2017] Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide - Slashdot

May 14, 2017 | it.slashdot.org

TiggertheMad ( 556308 ) writes: on Friday May 12, 2017 @07:19PM ( #54408293 ) Homepage Journal

National Insecurity Agency ( Score: 4 , Informative) ]

The NSA (and other ABC agencies that are undoubtedly running the same game plan) are doing what they are tasked with, finding ways to protect America and America's interests. Using hacking as a tool to this end is (relatively) new in the old game of spycraft, so there are going to be a few epic disasters like this before the black ops people start to figure out all the types of blow back they can experience.

The US was really big on foreign covert action in the 50's, and it took the bay of pigs to make people realize that there were ways that things could go horribly wrong. That didn't stop covert action from being used, but I think it was employed more carefully afterwards. Having all their shiny hacking toys stolen and having this happen is the hacking version of the 'Bay of Pigs'.

Also, while the NSA seems to have compiled a formidable array of exploits and tools to compromise enemy systems, that doesn't mean that everyone else isn't playing the exact same game. The only difference between the NSA and EVERY other state intelligence agency on the planet is that they seem to be able to properly secure their black ops toys. Being one of the largest agencies of this sort, there are going to be a lot of people in the know. And the more people involved, the harder it is to keep a secret.

Mind you, that doesn't make this any less tragic or regrettable. I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them. Alas, that sort of thing only happens in implausible Hollywood scripts.

ancientt ( 569920 ) writes: < ancientt@yahoo.com > on Friday May 12, 2017 @08:07PM ( #54408453 ) Homepage Journal
Re:National Insecurity Agency ( Score: 3 )

Remotely exploitable network vulnerabilities shouldn't happen, but there seems no practical hope that they'll stop anytime soon. It would be negligent of legitimate spy agencies to fail to search for them and arguably be able to take advantage of them. Imagine you're trying to find out when an ISIS group is planning a bombing and you discover they're running a messageboard on a Windows machine with an SMB exploit, do you tell Microsoft to patch the exploit?

You never know which of the vulnerabilities you'll be able to use, but if you dedicate sufficient resources to finding them and building exploits for them, then there is a good chance you'll be able to spy on whichever bad guy your agency needs to spy on when the need arises. Getting all the vendors to patch the exploits you find does limit your own agency's ability to spy but you have to assume it doesn't impair your enemies as significantly since the enemy doubtless will have exploits you don't have.

What's the best solution? I suspect the best thing to do is build force-patch worms for every exploit. If you write an exploit, you should also dedicate resources to the task of writing a version of the exploit which pressures the owner of the exploited system to fix the problem. So in this instance, as soon as the attacks started being seen in the wild, the NSA servers should have launched a MASSIVE attack against any and all systems with the vulnerability which would disable the vulnerable systems in the least painful ways along with alerting the owners of the need to update their systems. Instead of getting "your files are encrypted and give hackers bitcoin to recover" messages, the people with exploitable systems should be seeing warnings like "Your system has been temporarily patched by the NSA for your own protection, please secure or update your device to protect it from malicious actors."

The Hajime botnet [arstechnica.com] may actually already be just the thing I'm describing. I'd prefer to see the NSA take public responsibility, and I'm doubtful the NSA is actually responsible for that one, but it is an example of how it could be done.

If I have a vulnerable system, I'd much prefer to see it hacked by the NSA instead of some ransomware writer. Do I wish it wasn't hackable? Of course, but I accept that anything plugged into a network might be hackable. I do what I can to protect it from everyone, including the NSA. It's not that I'm worried about the NSA (because they have the resources to gain physical access if they really want it) but if I do my best to build secure systems, then it's less likely I'll wake up to a ransomware message some morning

mcswell ( 1102107 ) writes: on Friday May 12, 2017 @11:09PM ( #54409045 )
Re:Say "thanks" to your "security"-agency... ( Score: 2 )

And why do you think Microsoft was able to patch this *before* the exploit was leaked by Shadow Brokers?

Anonymous Coward writes: on Friday May 12, 2017 @08:56PM ( #54408607 )
Re:Say "thanks" to your "security"-agency... ( Score: 1 )

microsoft is partly guilty in this for sure because A LOT of people have the updates turned off since the windows 10 debacle, the lies, the telemetry, the diagtrack process, the broken windows update service that sits iddle consuming 25% of your cpu, etc

but even a monkey like me that hears about the smb vuln, even if i dont know what it means exactly because im just a user and not an engineer, i could tell it was BAD, so i patched the living shit out of my computer

sorry but if youve had experiences with blaster, conficker, etc, you should know about this kind of things already, again, not an engineer at all, but just hearing about it, looking the ports affected this thing looked really bad

Man On Pink Corner ( 1089867 ) writes: on Friday May 12, 2017 @08:29PM ( #54408529 )
Re:That only happened to idiots. ( Score: 3 )

Microsoft told lie after lie after lie about their intentions. There was absolutely no reason to believe that setting your update threshold to "Critical Only" would save you from an unsolicited Windows 10 installation.

The only rational course of action for those who didn't want Windows 10 was to turn off Windows Update entirely. Deny this all you want, but be prepared for justified accusations of victim-blaming.

Anonymous Coward , Friday May 12, 2017 @06:55PM ( #54408177 )
It hit the NHS hard ( Score: 5 , Interesting)

I'm a doctor in the NHS. It hit my hospital hard. The bosses triggered the MAJAX protocols meaning everyone off work was called to come in and help. Computers are used for everything, so blood tests, admissions, scan requests, referrals, all had to be done by hand. The public were asked to keep away from A+E because hundreds of people were waiting. It was terrifying how little failsafe infrastructure there was. The hospital just stopped working.

TroII ( 4484479 ) writes: on Friday May 12, 2017 @08:28PM ( #54408521 )
Re:It hit the NHS hard ( Score: 5 , Insightful)
And you use unpatched computers in a hospital WHY?

Because patches are often broken . Imagine these hospitals had applied the patch when Microsoft released it, but the patch was faulty in some way, and all of the hospital computers went down as a result. Instead of complaining the hospitals were running unpatched, you and/or many people like you would be bitching and moaning that they were negligent to install the patch too soon.

Updates from Microsoft frequently include at least one broken patch. There was one update last year that broke millions of peoples' webcams. There have been several updates that interfered with settings and reverted them back to default configurations, and several more updates that seemingly deleted group policy objects that had been configured by the domain administrator. There was a patch around the new year that inadvertently disabled the DHCP service, despite the update itself having nothing to do with DHCP. (Things that make you go hmmm.) This particular fuck-up rendered a lot of machines not only broken, but totally irreparable without manual human intervention, i.e. dispatching someone clueful to each of your premises to clean up the mess.

Patch deployment in any enterprise environment requires extensive testing. You have to coordinate with your software vendors to make sure their applications are compatible with the update. If you install Patch XYZ without first getting approval from Vendor123, you wind up invalidating your support contracts with them. All of this takes time. In 2016, there were several months in a row where Microsoft had to un-issue, repair, supersede, and re-release a broken patch they'd pushed out. Put yourself in the shoes of an admin team who got burned by Windows Update breaking your systems, especially repeatedly. Are you going to be in any hurry to patch? If you were bitten by the DHCP bug, do you trust that the "critical SMB patch" really only touches SMBv1, and isn't going to inexplicably corrupt Office or remove IPV4 connectivity on every computer it touches?

If the PC your kid plays Minecraft on gets hosed by a broken patch, it's not that big of a deal. The business world is a different story.

guruevi ( 827432 ) writes: < evi@evcir[ ]ts.com ['cui' in gap] > on Friday May 12, 2017 @07:03PM ( #54408215 ) Homepage
What boggles my mind ( Score: 4 , Informative)

Is that there are still 45k Windows machine that are directly connected to the Internet.

Any Windows machine I manage (mostly very specific medical software and medical machines) are either VM (and thus behind a firewall and any service proxied to a BSD or Linux host) or airgapped.

cpm99352 ( 939350 ) , Saturday May 13, 2017 @12:52AM ( #54409331 )
Plenty of blame to spread around ( Score: 2 )

1, Microsoft has always had a disclosure that their OS is not suitable for life-critical applications 2. NSA has a dual mission -- the second (neglected) mission is to ensure the security of domestic computer networks

[May 14, 2017] NHS workers and patients on how cyber-attack has affected them

May 14, 2017 | www.theguardian.com

Officials have claimed in the wake of the global ransomware attack that patient care has been unaffected despite 45 NHS sites being hit.

But hospitals across England and Scotland were forced to cancel routine procedures and divert emergency cases in the wake of the attack, which has shut down access to computers in almost 100 countries. Here, patients and NHS workers reveal how the crisis has affected them.

Bill, a doctor at a hospital in London
I have been unable to look after patients properly. However much they pretend patient safety is unaffected, it's not true. At my hospital we are literally unable to do any X-rays, which are an essential component of emergency medicine. I had a patient this evening who we could not do an X-ray for, who absolutely should have had one. He is OK but that is just one example.

My hospital is good in many ways but the IT system is appalling. I was shocked when I started in hospital at how bad the systems are. I know the staff will do their very best to keep looking after everyone, but there are no robust systems in place to deal with blackouts like this, information-sharing is hard enough in a clinical environment when everything works.

Without the IT systems I suspect test results will be missed, and definitely delayed. Handovers are much more difficult. It will absolutely certainly impact patient safety negatively, even if that impact can't be clearly measured. This is basically all the result of chronic underfunding and crap, short-sighted management.

Theresa, 44, a breast cancer patient from Lincolnshire
I was halfway through my chemotherapy infusion when the attack happened. The treatment finished without a hitch, but I then had to wait for a couple of hours for my medications to take home. That's because all drugs have to be checked against prescriptions, and they are all computerised. The hospital pharmacists worked quickly to produce paper copies, but it still took a while. The horrible side-effects (nausea, exhaustion, dizziness) kicked in while I was stuck in rush-hour traffic coming home. Fortunately, I wasn't driving.

There were other patients in the ward waiting to start their chemo whose drugs had been delivered but again couldn't be checked, so administration was delayed. In some cases treatment had to be postponed entirely for another day. The oncology nurses and the hospital staff were brilliant throughout, reassuring patients and doing their best in difficult circumstances. They were also deeply apologetic, frustrated that they couldn't do their job, and angry that such an act had put patients treatment – and lives – at risk.

Amber, 40, a community nurse from Essex
We have been unable to check patient information and scheduled visits for this afternoon. I am working this weekend and had to write down who we may see tomorrow from my own memory. Our own call centre for community services is in lockdown and unable to receive any information regarding authorisation for drug changes or referrals. We are also unable to look up patient addresses, complete any documentation or check test results.
Alun Phillips, 45, a community pharmacist from Merseyside
Doctors in Liverpool have been advised to isolate their computer systems from the wider NHS network. This has left many of our local surgeries unable to access patient records, which are cloud-based. Surgeries are unable to issue prescriptions from their systems, most of which are now issued electronically via the NHS spine. Even if they could, we (community pharmacy) are being advised to not connect to the spine. We have had quite a few requests from local surgeries to tell them what medication patient are on, as although they cannot access patient records we still have our copy of the patients' medication records. We have also made some emergency supplies of medication to patients unable to access GP services while they are down.
Kyle, 42, a patient from Maidestone
I am waiting for test results after a urine infection and pain in my kidneys. I called the doctors this afternoon. They said it looks like I need a further prescription but the doctor will need to call me back. Two hours later I get a call from the doctor advising me that they have had to shut down their systems due to this hack, and that they can't give me any results till Monday. I am now worried that my situation is going to get worse without any treatment.
Ben, 37, in the prescription team at a GP surgery in the north
We were unable to process any prescriptions for patients, including urgent requests. As a result patients could potentially be left without asthma, epilepsy or diabetes medication over the weekend. We also had a medical emergency on-site and waited over 40 minutes for an ambulance to attend.
Ali, a cardiologist from the north
I am a cardiology re