HackerTrans
TopNewTrendsCommentsPastAskShowJobs

evilDagmar

no profile record

comments

evilDagmar
·el mes pasado·discuss
Let's not. There's enough overcomplicated nonsense examples of cybersecurity in movies as it is. If you could compromise a device via bluetooth, then you could exfiltrate data via bluetooth just as easily.
evilDagmar
·hace 8 meses·discuss
It's not inconceivable to suggest that the people claiming that the CSAM hadn't been removed knew it was still there not only because they'd never actually sent the request for removal, but because they themselves put up the original site and requested the CSAM be indexed in the first place.
evilDagmar
·hace 8 meses·discuss
"The Feeling of Power" IIRC.
evilDagmar
·hace 9 meses·discuss
It's amusing how the article says it's "potentially" in violations of US hacking laws.

That practice is _definitely_ a violation of the Computer Fraud and Abuse Act. No employer's IT is going to have it not be a violation for a user to share their password with someone else, which even in the weakest boilerplate immediately revokes their rights to the account. At that point _any_ use of those credentials is very much a violation of the CFAA.
evilDagmar
·hace 10 meses·discuss
Oh, one of my absolute favorite things is setting ServerTokens ProductOnly, so that scrubs will freak right out when they see their canned vuln scanner get bug-eyed and basically scream that the server might be vulnerable to every possible exploit ever written.
evilDagmar
·hace 10 meses·discuss
Oh that app did a huge thing just by showing how far the administration is willing to go with its delusional fascist nonsense. The app was _barely_ functional and available on a minority of the smart phones, and yet there the White House was, making hyperbolic claims on a regular basis about the massive "dangers" it posed. They even went so far as to go after the guy's wife since they didn't have any legal means to oppose him.

Things which take minimal effort but produce a massive response are what Trump's fire hose of duplicitous social media posts are all about. It's perfectly fine work to leverage that same asymmetry in response.
evilDagmar
·hace 10 meses·discuss
The "disclosure" was a big waste of time. It was vague and ill-informed, nothing that came after seems to give the impression that they actually knew what they were talking about.

The only serious vulnerability that might have applied would have required the man to be using Apache as a reverse proxy to another server, which is just _extremely unlikely_ considering where it was hosted and what it was being used to do.
evilDagmar
·hace 10 meses·discuss
Truth. A stripped down configuration of that running nothing but personally-written code on the backend would pretty much render those issues moot (as in "completely mitigated").

Considering how lacking in detail the reports were, I'd probably have just dismissed this man's claims as "AI slop". That he was relying on nmap to tell him the version of something that is easily discovered using openssl s_client (because those HTTP response headers are perfectly human-readable) is kind of telling in and of itself.
evilDagmar
·hace 10 meses·discuss
This is completely missing the point.

Until there's a substantial number of driverless cars on the roads, LPR systems will always equate to tracking people. You might as well argue that exposing geospatial data about cell phone movements is fine because cell phones aren't people.

These systems, when abused, amount to warrantless monitoring of civilians over long periods of time. A judge can not and will not order someone's movements to be tracked over the last six months. They can facilitate someone's movements going forward to be monitored for a specific period of time.

...and these systems are always abused. To the degree that if you've put an RFP out there for a LPR system that disposes of the scan data after 30 days, suddenly no one wants to submit a proposal.

Abuse is pretty much the default state unless there are hard guardrails against it. That knucklehead in Millersville was pretty obviously using FINCEN data to go looking up the life details of people his political party didn't like, probably because the only safeguard was that someone had to enter a relevant case number to show that the search was legal. Lo and behold a regular audit being performed by the TBI resulted in a near immediate lockout of Millersville from their system and a warranted search of said knucklehead's residence because of "irregularities". It's not hard to figure out what was going on there.

It took months to get the LPR system in Mt. Juliet, TN to actually start disposing of the scanned data, and we've already seen reports of LPR systems being abused by ICE/CBP to search for people all over the nation. What's currently holding up Nashville getting such a system? I'm pretty sure it's the data destruction policy, because the state-level government is being run by people who think such Orwellian surveillance is just dandy.