The application yes, but the programmer? That requires network, api and a sent packet or more.

Just because you run a binary doesn’t mean a server across the Internet knows you.

Users though, disregard my advice. Assume what you run is running foreign remote code that could encrypt and ransom you.

Why would I game in my office when my couch down stairs in front of a 70 inch TV is so much more comfortable and has no work available to do on it?

This is what I’ve done for years. It just auto starts after OS launch in big picture and I grab my controller. Occasionally I have my wireless keyboard for something but it works fine.

I don’t own a steam deck they’re not available from valve here in Australia. So I’m sure I’m missing out on some polish. But I’ve never seen it so I don’t miss it.

People come over, sit on the couch, grab a controller, steam is loaded, they play game. The OS and then steam is out of the way in a flash. After all I’m after the game not the launcher.

You’re old fashioned. :)

I ended up reading it on bleeping computer since the linked site looks like an auto tldr bot saved 50% of the words. The important 50% was discarded.

https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/

At this point we want antivirus and anticheat out of windows kernel. Microsoft killing access to it will genuinely fix Linux compatibility issues.

It couldn’t be more win-win.

Microsoft is trying to test that approach. The company tested restricting kernel access to third party security vendors in the past, with Vista OS in 2006, but had to backtrack the move.

Symantec and McAfee then claimed Microsoft’s decision to shut off access to the kernel amounts to “anti-competitive behavior.”

Without kernel access, this software may struggle to perform in-depth behavioral analyses of processes and applications, to meet its objectives, said Varkey. “Blocking this access can limit the software’s ability to detect and prevent sophisticated attacks.”

They can’t be trusted, kick out everyone’s access to the kernel. Everyone must use API and that can be interpreted.

I checked too, it’s not a valid public DNS record, so then the question is, does Oktas internal DNS resolve this. Even if it does, how does okta even sit in this? Are they the identity provider for Twitter? Surely even if it’s identity, it’s got nothing to do with content moderation? So many questions.

Though I agree, you’re trading problems: https://www.forbes.com/2009/05/09/japan-downsize-mizhuho-merger-zombies-tokyo-dispatch.html

The youth can’t get jobs because the positions are filled by entrenched creating this “unless you’re the cream of the crop you won’t get a decent job” permiating from school cumulating into your ranking at education all the way through to graduating in university where only the top cream get reasonable jobs, and many don’t. Even that doesn’t even start to scratch the surface since there’s the aging population, negative population growth requiring less “low skill jobs” like trades in construction…

My point is, I wouldn’t want to replicate that either.

Same, I need too much mental space for it, it’s so engaging that I want to actually have the room to enjoy it. When I do I love it, but when I don’t I kind of don’t want to disrespect it and my enjoyment of it with a half attentive state.

Yep though I’m a sysadmin and can feel for that, these consolidated platforms are being used as a straight “you trust this, when I infect you, I’ll use payloads I’ll temporarily host in github because you adjust already block overseas by default expect a bunch of whitelist trusted domains.”.

https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack/

It’s technically easy to allow a subdomain, but it’s really hard to unblock just a path.

So yeah, what generally happens is the SOC team complains that the new threat is here, and either vendors (had this with fortinet) move the risk rating of github from a 3.5 to a 6 out of 10, I had put the threshold at a default 5, and now it’s being blocked. I wonder why it wasn’t blocked before, well it wasn’t as risky last week as it is now.

Anyway just thought I’d share the IT sysadmin POV.

More to point, using security as an example, we use SentinelOne and azure sentinel. I’ve had a ‘I want to compare crowdstrike and huntress labs’ because I’ve seen really good things with those xdr seim tools. But I got shot down. Why? We can’t deviate our standards. Well, how will we know if the competition is better? Is our choice good? Who knows.

I still don’t know. I sleep easy knowing it’s not my burden though. It’s their fault if they get compromised on an attack that the other vendor would stop.

Penny drop moment of “oh right we have to look at the competing engines to see our own weakness”? Frankly it should be obvious.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

For me it raises really a odd question about their culture too, since only after inshin’s remaster did they add a policy to review developer tools and technology, in a development company.

I’m trying to not read into it any more than that but I can’t help but imagine there were board meetings beforehand going ‘guys our team want to try using unreal’ and some exec going ‘no it’s banned we only use our own propriety code or else we’ll lose our brand and be washed out! All other engines are banned!’.

To me, not a player, it seems like there’s a long winded explanation/justification for why they uploaded a illegitimately approved run. In Super Mario maker, if you make a level you need to beat it to upload it. They beat it with a tool instead of skill, to ensure the sequence of frame perfect tricks could be completed, something nearly impossible to do by real players.

There were many top level players all at once playing that level non stop. So I feel for them. Training their muscle memory to execute robot timings for what came out to be not a legit level.

Most of what was said was irrelevant, they managed a life story in the middle of an apology.

The messaging around this so far doesn’t lead me to want to follow the fork on production. As a sysadmin I’m not rushing out to swap my reverse proxy.

The problem is I’m speculating but it seems like the developer was only continuing to develop under condition that they continued control over the nginx decision making.

So currently it looks like from a user of nginx, the cve registration is protecting me with open communication. From a security aspect, a security researcher probably needs that cve to count as a bug bounty.

From the developers perspective, f5 broke the pact of decision control being with the developer. But for me, I would rather it be registered and I’m informed even if I know my configuration doesn’t use it.

Again, assuming a lot here. But I agree with f5. That feature even beta could be in a dev or test environment. That’s enough reason to know.

Edit:Long term, I don’t know where I’ll land. Personally I’d rather be with the developer, except I need to trust that the solution is open not in source, but in communication. It’s a weird situation.

Although that might be true, the moment the ‘friend’ gave away his account recovery answers to the phisher I think he would have been compromised either way. It was likely that the phisher was in real time actioning a account recovery, and using the friend as the proxy to give answers to the prompts. Plus since it’s already second hand info we can’t tell, but if the phisher simply asked ‘can you read me the code on your authenticator’ or ‘press approve and you’ll complete the recovery process’ and would have been successful.

In investigating account breaches I’ve found most people shamefully don’t retell the whole story they’re embarrassed and upset and fearing loss of employment. They kind of shut down. In this case, social status or opinion could bet harmed so it would be hard to trust the story is complete. Generally my logs come from entra ID and you can see the authentication came from the mobile device even though it was a prompt generated by the phisher.

Anyway I’m a big advocate for layers of security and you’re completely right in your stance. Technology is fragile to exactly what you said. We live in a world of incomplete information using trust and judgement under time pressure and poor sleep. Phishing attacks are ruthlessly designed to target that weakness in people. I’m empathetic when it is successful.

On many systems, the weakest link is that it needs to accommodate a ‘lost my x’ eg mfa, password etc.

Systems often have a way to get in by resetting them by validating through more factors but often weaker ones, “not phishing resistant” factors like security questions. That way the account can get it removed or a new one put on.

Mfa isn’t a silver bullet, it is another layer of Swiss cheese, most people will think twice about giving it away on a chat app. But there’s a reason IT departments sign you up for those phishing simulation and training videos.

But you could still be right in this case, I just wanted to note broadly speaking you can’t assume prefect security is achieved with mfa. You still need to be constantly vigilant.

Dude, someone corrected your misinformation and you call them a bully?

https://www.bleepingcomputer.com/news/security/critical-bug-in-owncloud-file-sharing-app-exposes-admin-passwords/

Just remember to patch. Owncloud has some of the worst possible cves right now.

I’m just going to give you props. I have worked in Managed IT Services for a dozen years and some of the worst clients are construction, engineering and architects who use solidworks, autodesk and archicad products.

You’ve eaten humble pie and admitted that using computers as a tool, and systems design are different and though you might understand a lot, just like I can build a 3d model, the devil is in the detail.

Building robust solutions that meet your business continuity plans, disaster recovery plans, secure your data for cyber risk and to meet ISO and yet are still somehow usable in a workflow for end users is not something you just pick up as a hobby and implement.

The way I handle technology Lifecycle is in 5 steps: strategy, plan, implement, support, maintain. Each part has distinct requirements and considerations. It’s all well and good to implement something but you need to get support when it goes wrong or misbehaves. You need to monitor and report for backups, patching, system alerts. Lots of people might do the implement, but consider the Lifecycle of the solution.

People do these things at home but they’re home labbing, they’re labs. Production requires more.

Anyway a bunch of people closer to your part of the world will probably help you out here.

I just want to again recognise and compliment you on realising and openly saying you want help rather than just do the usual “oh I know best” that I hear over and over usually just before someone gets ransomed on their never patched log4j using openssl heartbleed publicly exposed server infrastructure.

Lol, a thousand hours would be 6 months of full time work (40 hour week). I’m not sure I’d employ someone who has 6 months of IT experience into a systems administrator job and task them to build a an erp/dms/unified coms solution for a client.

But this guy should be able to do it as a hobby?