Security, Confidentiality, Integrity, and Windows TCO
-
Confidentiality
-
Mat Duggan ☛ Post-Quantum Cryptography Basics
TL/DR: The tooling to create post-quantum safe secrets exists and mostly works, but for normal developers dealing with data that is of little interest 12 months after it is created, I think this is more a "nice to have". That said, these approaches are different enough from encryption now that developers operating with more important data would be well-served in investing the time in doing the research now on how to integrate some of these. Now that the standard is out I suspect there will be more professional interest in supporting these approaches and the tooling will get more open source developer contributions.
-
The Register UK ☛ Apple fixes password-blurting VoiceOver bug
In typical Apple fashion, the company hasn't released much in the way of details about the first security issue, tracked as CVE-2024-44204, which makes it tougher to understand the conditions under which this vulnerability could be triggered, or how to avoid it until the update is applied.
-
-
Integrity/Availability/Authenticity
-
The Conversation ☛ 2024-09-27 [Older] Fyre Festival II: why people give fraudsters a second chance
-
Anna’s Archive ☛ The critical window of shadow libraries - Anna’s Blog
Why do we care so much about papers and books? Let’s set aside our fundamental belief in preservation in general — we might write another post about that. So why papers and books specifically? The answer is simple: information density.
Per megabyte of storage, written text stores the most information out of all media. While we care about both knowledge and culture, we do care more about the former. Overall, we find a hierarchy of information density and importance of preservation that looks roughly like this: [...]
-
[Repeat] SANS ☛ Survey of CUPS exploit attempts
It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.
We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitation. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability.
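The honeypot described above only collects UDP datagrams to port 631 and never answers them, so the useful question is what the captured payloads look like and where the printer URIs inside them point. The triage script below is an added example (not SANS code, and not tied to any specific CUPS exploit): it assumes the legacy CUPS browsing packet layout of `type state uri "location" "info" "make-and-model"`, decodes each constructed sample payload, and labels it `malformed`, `probe` (URI points at an RFC 1918 address) or `external_uri` (URI points at a public address or a hostname that would need DNS). The source addresses, payloads and `LOCAL_NETS` are constructed for illustration.

```python
"""Triage of UDP/631 payloads collected by a non-responding honeypot.

Added example, not SANS or CUPS project code. Packet layout follows the
legacy CUPS browsing format (assumption): "<type> <state> <uri> [quoted fields]".
"""
import ipaddress
import shlex
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Networks we treat as "local" for the purpose of this triage (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture: (source IP, raw UDP payload sent to port 631).
SAMPLE_CAPTURE: List[Tuple[str, bytes]] = [
    ("198.51.100.7", b"0 3 ipp://10.20.0.10:631/printers/office"),
    ("198.51.100.7", b"0 3 ipp://10.20.0.11:631/printers/office"),
    ("203.0.113.9", b'0 3 http://203.0.113.9:8631/printers/foo "Room 1" "Queue" "Generic PCL"'),
    ("203.0.113.9", b"\x00\x01\x02\xff"),
    ("192.0.2.55", b"0 3 ipp://evil.example/printers/x"),
]


@dataclass
class BrowsePacket:
    printer_type: int
    printer_state: int
    uri: str
    extra: List[str] = field(default_factory=list)  # location / info / make-and-model, if present


def parse_browse_packet(payload: bytes) -> Optional[BrowsePacket]:
    """Return a BrowsePacket, or None when the datagram is not a browse announcement."""
    try:
        tokens = shlex.split(payload.decode("ascii"))  # shlex handles the quoted fields
    except (UnicodeDecodeError, ValueError):
        return None
    if len(tokens) < 3:
        return None
    try:
        ptype, pstate = int(tokens[0]), int(tokens[1])
    except ValueError:
        return None
    return BrowsePacket(ptype, pstate, tokens[2], tokens[3:])


def uri_points_outside(uri: str) -> bool:
    """True when the advertised printer URI does not resolve to a local address literal."""
    host = urlsplit(uri).hostname
    if not host:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname rather than an IP literal: would require DNS, treat as external
    return not any(addr in net for net in LOCAL_NETS)


def classify(payload: bytes) -> str:
    pkt = parse_browse_packet(payload)
    if pkt is None:
        return "malformed"
    return "external_uri" if uri_points_outside(pkt.uri) else "probe"


def summarize(capture: List[Tuple[str, bytes]]) -> Tuple[Counter, Counter]:
    """Count payloads per label and per source address, like a quick honeypot report."""
    per_label: Counter = Counter()
    per_source: Counter = Counter()
    for src, payload in capture:
        per_label[classify(payload)] += 1
        per_source[src] += 1
    return per_label, per_source


if __name__ == "__main__":
    labels, sources = summarize(SAMPLE_CAPTURE)
    print("by label:", dict(labels))
    print("by source:", dict(sources))
```

Because the honeypot never replies, an `external_uri` hit only shows that someone advertised a printer the honeypot would have had to fetch from elsewhere; whether a follow-up exploitation step would have come after that is exactly what such a passive collector cannot observe.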
-
-
Windows TCO
-
The Record ☛ White House official says insurance companies must stop funding ransomware payments
Insurance companies must stop issuing policies that incentivize making extortion payments in ransomware attacks, a senior White House official said on Friday.
The call for the practice to end, which was made without any indication the White House was formally proposing to ban the practice, follows the fourth annual International Counter Ransomware Initiative (CRI) summit in the United States this week, where the 68 members of the CRI discussed tackling the problem.
-
Ruben Schade ☛ Web tech needs diversity
Hey, remember Crowdstrike? That update to Windows security software that affected airports, hospitals, supermarkets, schools… and clients who called me desperate to know why their VMs had vanished? It was fun! By which I mean it was an unmitigated disaster, and the ultimate example of a technical externality borne by everyone.
I haven’t seen much of a postmortem discussion on this; certainly not to the same extent as the wall-to-wall coverage those BSODs garnered. I suspect the press got their story, social media got their memes, and we all went on with our lives. Well, until the next one hits.
-