I'm at my mom's house for Mother's Day weekend and cleaned her computer after she told me she was getting a lot of popups. One of the frequent popups was for a site called suchhappy.com which looks like a BuzzFeed/viral content site. You can check out suchhappy.com and see that Taboola partners with them and has big ads showing at the top on the homepage and all over the place when you click into an article.
To see posts about suchhappy.com being malware, look at the links below. After following the instructions I was finally able to get rid of it.
When will VC funded companies stop using malware to grow? How can we, as investors, entrepreneurs, and techies, place pressure on these advertising companies to stop supporting malware? Akamai and Amazon are complicit because they are the CDN on a bunch of the links on the page. Additionally, there are companies called "UDM Serve" and "RevContent" with ads on the page.
From what I understand this is the next phase from Microsoft in the gradual rollout of a functional "blacklist" of original Microsoft-signed keys that all UEFI motherboards shipped with until not that long ago, until the keys became compromised. These were built-in Microsoft-signed keys which were available for something like Linux to use when Microsoft SecureBoot was enabled on the motherboard, if the OS was willing to go the extra mile and obtain its own Microsoft-signed key according to the strict Microsoft process. Which Linux did eventually, but it took a year or two; until then you mainly needed to disable SecureBoot before you could boot Linux. After that Linux was "finally" able to boot on any UEFI PC having SecureBoot enabled, using a key which is pre-existing on every motherboard, without having to insert its own Linux key into the firmware beforehand. Adding Linux-specific SecureBoot keys can be good to avoid because it requires making changes to machine keys and does alter the firmware, but this is also a well-known valid UEFI alternate approach used by distros that did not want to have any Microsoft-signed anything.
Ideally a USB drive or SSD with Linux properly installed should smoothly boot on any UEFI motherboard, especially on motherboards other than the one the drive was attached to when Linux was installed. This means on a different PC you may need to use the firmware interface itself [0] to select the proper EFI folder to boot from, but with Linux having its own Microsoft-signed key it's supposed to just boot right up when SecureBoot is enabled, using the same key built into every motherboard originally. As allowed for by the hardware manufacturers and UEFI standardizers, this was supposed to put Linux on equal footing with Windows, since Windows has had its own non-Linux SecureBoot keys built into every motherboard from the time UEFI was first introduced to consumers along with "SecureBoot".
Anyway, this is the next step in replacing the compromised firmware keys from Microsoft. Until now with Windows you would have been expected to optionally initiate this blacklist procedure yourself; with this update it will be applied to the PC by default.
In 2023 Ubuntu launched its equivalent firmware key replacement:
So it might have already happened to your Linux PC by default.
However at this point, today's Windows patch is apparently only being applied to plain Windows PCs:
>This SBAT update will not apply to systems that dual-boot Windows and Linux
I believe a further milestone will be encountered where it will close this door eventually.
So I would think this is a good time to see where you stand with older ISOs and bootable drives which may need "re-shimming" of some sort before they will boot like they used to when SecureBoot was enabled :\
.
[0] Sometimes needed when there is no bootentry in the firmware that is normally placed by the OS install process.
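As an added example (my own code, not from the post above or from the shim project): the "re-shimming" question above boils down to whether the generation numbers in an EFI binary's .sbat section are still at or above what the firmware's SbatLevel policy demands. The script below parses the PE section table of an image, pulls out its .sbat CSV and evaluates it against a policy string in the SbatLevel format. The policy generations and the two shim .sbat sections are constructed for illustration and are not the contents of any real Microsoft or distro policy; build_test_pe() only exists to produce a fixture, the parsing and revocation logic is what you would point at a real shimx64.efi.

```python
import struct

# Constructed revocation policy in the SbatLevel format (header line "sbat,<gen>,<date>"
# followed by "component,<minimum generation>" lines). The generations below are an
# assumption for illustration, not the contents of any real Microsoft/shim policy.
SAMPLE_POLICY = "sbat,1,2024010900\nshim,4\ngrub,3\n"

# Constructed .sbat sections in the real CSV layout:
#   component,generation,vendor,package,version,url
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
NEW_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)


def parse_sbat(csv_text):
    """Map component -> generation; the vendor/package/url columns are ignored."""
    gens = {}
    for line in csv_text.strip().splitlines():
        fields = line.split(",")
        if len(fields) >= 2 and fields[0].strip():
            gens[fields[0].strip()] = int(fields[1])
    return gens


def revoked_components(image_sbat, policy):
    """Components of the image whose generation is below the policy minimum.
    The image is refused if this list is non-empty; components the policy does
    not mention are unaffected, which is what makes SBAT finer-grained than dbx."""
    have, need = parse_sbat(image_sbat), parse_sbat(policy)
    return sorted(c for c, g in have.items() if c in need and g < need[c])


def extract_sbat(pe):
    """Return the raw .sbat section of a PE/COFF image, or None if it has none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i                              # each section header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        if name == b".sbat":
            return pe[raw_ptr:raw_ptr + raw_size].rstrip(b"\0")
    return None


def check_image(pe, policy):
    """Revoked components of an EFI image; ValueError if it carries no .sbat at all."""
    sbat = extract_sbat(pe)
    if sbat is None:
        raise ValueError("image has no .sbat section; it predates SBAT")
    return revoked_components(sbat.decode(), policy)


def build_test_pe(sbat_bytes):
    """Construct a minimal, non-bootable PE with a single .sbat section (test fixture only)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # x86-64, one section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40
    section = (b".sbat".ljust(8, b"\0")
               + struct.pack("<IIII", len(sbat_bytes), 0x1000, len(sbat_bytes), raw_ptr)
               + b"\0" * 16)
    return bytes(dos) + b"PE\0\0" + coff + section + sbat_bytes


if __name__ == "__main__":
    for label, text in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        print(label, "->", check_image(build_test_pe(text.encode()), SAMPLE_POLICY) or "boots")
```

On a real machine the .sbat section of an image can also be dumped with `objcopy -O binary --only-section=.sbat shimx64.efi /dev/stdout`, and the active policy is the SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 EFI variable (under /sys/firmware/efi/efivars/ on Linux); feed those two strings to revoked_components() to see whether an old boot drive will still be accepted.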
Google Chrome 96 was released yesterday, and users are reporting problems with Twitter, Discord, and Instagram caused by the new version.
BleepingComputer reports: The issues have been reported to Google in a Chromium bug post where Google employees have started to investigate the problems. "We're continuing to see user reports about this behavior, including reports from our social team," notes Google product manager Craig Tumblison. "One user has shared that disabling the "chrome://flags/#cross-origin-embedder-policy-credentialless" flag resolves the behavior.
Another report shares a specific error message: "The connection was rejected at https://cards-frame.twitter.com". Test team, would you be able to try enabling that flag to see if the behavior appears?"
The 'chrome://flags/#cross-origin-embedder-policy-credentialless' flag is related to a new Cross-Origin-Embedder-Policy feature released with Chrome 96. Google states that you can fix these bugs in some cases by setting "chrome://flags/#cross-origin-embedder-policy-credentialless" to Disabled. If you are affected by these issues, you can copy and paste the above chrome:// address into the Google Chrome address bar and press Enter. When the experimental flag appears, set it to Disabled and relaunch the browser when prompted.
I've just read a recent article by BleepingComputer[1] and the article says that "Password Length Does Not Guarantee Password Safety". I think we all know the XKCD about the very same issue[2].
So now I'm wondering: what even is the strongest way?
Currently, I'm using KeePassXC to generate all my passwords - and I always try to have as many characters as possible with special and uppercase characters, but my laptop and password database decryption keys are generated using EFF's Dice[3].
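An added example (my own code, not from the post or from KeePassXC/EFF) to put numbers on the question above: what matters is the entropy of the generation process, not the character count. The block computes entropy for uniformly random character passwords and for diceware-style passphrases, generates both with the secrets module, and estimates attacker time at a given guess rate. The 16-entry word list is a constructed stand-in; the entropy figures use 7776 because that is the size of EFF's large list.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware list; EFF's large list has 7776 entries (6^5),
# which is what the entropy figures below assume when list_size=7776 is passed.
SAMPLE_WORDS = ["acid", "badge", "cable", "dance", "eagle", "fable", "gamma", "habit",
                "igloo", "jelly", "kayak", "lemon", "mango", "noble", "ocean", "panda"]
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n words drawn uniformly (with replacement) from a list of list_size words."""
    return n_words * math.log2(list_size)


def generate_password(length, alphabet=FULL_ASCII):
    """CSPRNG-backed random password: secrets, never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Software equivalent of rolling dice: an unbiased uniform index into the list."""
    return sep.join(wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words))


def years_to_exhaust(bits, guesses_per_second):
    """Expected attacker time (half the keyspace on average) at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare(rate=1e12):
    """Why length alone says nothing. A 16-char random password, a 6-word diceware phrase
    and a ~30-char phrase of 4 common words all look "long"; only two of them are strong
    against an attacker who guesses words rather than characters."""
    cases = {
        "16 random printable chars": charset_entropy_bits(16, len(FULL_ASCII)),
        "6 diceware words": passphrase_entropy_bits(6, 7776),
        "4 common words (~30 chars)": passphrase_entropy_bits(4, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, rate)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
    print(generate_password(16))
    print(generate_passphrase(6))
```

The rate of 1e12 guesses per second is an assumption standing in for a fast offline attack on an unsalted fast hash; against a properly slow KDF the real rate is orders of magnitude lower, which is why the same passphrase is far safer as a KeePassXC master key than as a web password stored with plain SHA-1.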
After seeing the (Dutch) documentary 'Rats & Slaves' [0] about Remote Access Trojans, and finding that they also exist for Linux [1] I am going to do some scanning today on my systems.
Question is: What tools are best to use here to ensure I can sleep safely knowing no viruses, trojans, rootkits and other filth have nestled in my systems?
Also curious what are best, reliable websites to keep up-to-date on security best-practices related to this.
PS. I intend to start my scan with ClamAV, followed by chkrootkit and rkhunter as outlined here [2].
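An added example (my own code, not from the post or from ClamAV/rkhunter) for the kind of check a RAT hunt on Linux should include regardless of what the signature scanners say: a RAT has to either listen for its operator or call out to a C2 server, and both show up in /proc/net/tcp. The script decodes that file's little-endian hex endpoints, then flags listeners reachable from the network that are not on an allowlist and established connections to non-private addresses. The excerpt embedded below is constructed (sshd, CUPS on loopback, an unexplained listener on 4444, and an outbound connection to 203.0.113.5); the allowlist of port 22 is an assumption you would replace with what your hosts actually run.

```python
import ipaddress
import socket
import struct

# Constructed /proc/net/tcp excerpt (the kernel prints addresses as little-endian hex on x86).
# Rows: sshd listening on all interfaces, CUPS on loopback only, an unexplained listener
# on 4444 owned by uid 1000, and an outbound connection from 10.0.2.15 to 203.0.113.5:7101.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14055 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:B0A2 057100CB:1BBD 01 00000000:00000000 02:00000A5B 00000000  1000        0 31340 2 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}
# Loopback, RFC 1918 and the unspecified address count as "local"; everything else is Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/32")]


def decode_endpoint(field):
    """'0100007F:0277' -> ('127.0.0.1', 631): undo the little-endian u32, then the hex port."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket; the header row and malformed rows are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = decode_endpoint(f[1])
        raddr, rport = decode_endpoint(f[2])
        rows.append({"laddr": laddr, "lport": lport, "raddr": raddr, "rport": rport,
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def suspicious(rows, expected_listen_ports=frozenset({22})):
    """Network-reachable listeners nobody asked for, plus live connections to the Internet."""
    findings = []
    for r in rows:
        if (r["state"] == "LISTEN" and r["laddr"] != "127.0.0.1"
                and r["lport"] not in expected_listen_ports):
            findings.append(("unexpected listener", r["laddr"], r["lport"], r["uid"], r["inode"]))
        elif r["state"] == "ESTABLISHED" and not is_local(r["raddr"]):
            findings.append(("external connection", r["raddr"], r["rport"], r["uid"], r["inode"]))
    return findings


if __name__ == "__main__":
    try:
        text = open("/proc/net/tcp").read()       # live data when run on a Linux box
    except OSError:
        text = SAMPLE_PROC_NET_TCP                 # otherwise the constructed sample
    for finding in suspicious(parse_proc_net_tcp(text)):
        print(*finding)
```

The inode in each finding is the handle for the next step: the process owning the socket is whichever /proc/<pid>/fd entry links to `socket:[<inode>]`, and a process that has a listener or C2 connection but no matching entry in `ss -tlnp` output is exactly the hiding behaviour a rootkit check is looking for.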
I was wondering, why isn't it best practice to bcrypt the password both on the client and the server? Since I wouldn't change anything that is already best practice on the server side (salt, strong hash, HTTPS), it can only be safer. The server would consider the already-hashed password as the password, and would hash it again before storing it.
- In case I log the entire request when an exception is thrown, if an exception happens in the login/signup request, I would never get access to the user's plaintext password
- I know that if somebody has access to these only-client-side-hashed passwords, either by MITM (which a lot of companies do in their private networks by replacing the SSL certificates), by logs, or via a malicious server administrator, they would be able to use it to authenticate to my site, but wouldn't have access to the plaintext password, so it would never compromise the user's account on other sites and services (even for those users that reuse their passwords)
Cross-posted from my stackoverflow's question: https://stackoverflow.com/questions/50701933/why-doesnt-owasp-recommend-to-bcrypt-the-password-both-on-the-client-and-the-se
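An added example (my own code, not from the post or from OWASP) of the scheme the question describes, so its two properties can be checked rather than argued about. PBKDF2 from the standard library stands in for bcrypt on both sides so that the block runs without third-party packages; the site name, user name and iteration counts are assumptions chosen for illustration. The client salt is derived from site and username because the client must be able to reproduce it without a round trip; the server then salts and hashes the received digest again with a random per-user salt.

```python
import hashlib
import hmac
import os

# Iteration counts kept low so the example runs quickly; PBKDF2-HMAC-SHA256 stands in for
# bcrypt/Argon2 because it is in the standard library. Production code would use a
# memory-hard KDF on the server and much higher work factors on both sides.
CLIENT_ROUNDS = 50_000
SERVER_ROUNDS = 50_000


def client_hash(site, username, password):
    """Runs in the browser/app. The salt must be reproducible without asking the server,
    so it is derived from site and username; it needs to be unique per (site, user),
    not secret."""
    salt = hashlib.sha256(f"{site}:{username}".encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ROUNDS).hex()


class Server:
    """Treats the client digest as the password and hashes it again with a random salt."""

    def __init__(self):
        self.db = {}
        self._dummy = (os.urandom(16), None)   # so unknown users cost the same as known ones

    def _server_hash(self, digest, salt):
        return hashlib.pbkdf2_hmac("sha256", digest.encode(), salt, SERVER_ROUNDS)

    def register(self, username, client_digest):
        salt = os.urandom(16)
        self.db[username] = (salt, self._server_hash(client_digest, salt))

    def login(self, username, client_digest):
        salt, stored = self.db.get(username, self._dummy)
        candidate = self._server_hash(client_digest, salt)   # always do the work (timing)
        if stored is None:
            return False
        return hmac.compare_digest(stored, candidate)


def demo():
    """Exercise the properties the post claims; returns a dict of booleans."""
    srv = Server()
    site, user, pw = "example.com", "alice", "correct horse battery staple"
    digest = client_hash(site, user, pw)
    srv.register(user, digest)
    return {
        "right password": srv.login(user, client_hash(site, user, pw)),
        "wrong password": srv.login(user, client_hash(site, user, "wrong")),
        # A captured client digest IS a valid credential for this site (password-equivalent),
        # exactly as the post concedes...
        "replayed digest": srv.login(user, digest),
        # ...but the same password at another site yields an unrelated digest, so the capture
        # does not travel, and the server's stored record never contains the digest itself.
        "same password elsewhere": client_hash("other.example", user, pw) == digest,
        "stored record leaks digest": digest in str(srv.db),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value}")
```

The "replayed digest" line is the trade-off in one bit: the client hash protects the user's other accounts, not this one, so the server-side salted hash is still the only thing standing between a database leak and mass account takeover here.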
In 15 years following online scams and schemes, the Twitter crypto giveaway is the most profitable and lucrative I have ever seen. There is nothing that compares to it in terms of consistent $ and profits and no risk of consequences. You'd have to sell millions of dollars of pills to equal the daily profit of a single Twitter scammer, so this much smaller footprint makes the scam especially hard to trace, effective, under the radar and quasi-legal. By tracking wallets, I estimate the total take to be $40-60 million on Twitter alone at today's prices of bitcoin and ethereum and doge. Total complicity by Twitter to allow it to continue for years on end. It makes you wonder if Twitter employees are not being bribed to allow the scam to run and then pull it down after Elon makes a new tweet. The scammers make way more $ than Twitter engineers, that's for sure. Americans are being scammed by this and Congress should demand an explanation as to how it can continue. Attorneys general need to be notified.
No results via Twitter/Google/HN so figured I'd check with y'all.
I went to download the December W10 update, specifically: https://www.bleepingcomputer.com/news/microsoft/windows-10-cumulative-updates-kb4592449-and-kb4592438-released/
The direct download link for x64 20H2 is here: https://download.windowsupdate.com/d/msdownload/update/software/secu/2020/12/windows10.0-kb4592438-x64_b6914251264f8f973c3f82f99b894935f33c38e6.msu
A Chrome privacy warning popped up, to my surprise. I double-checked the links etc. Tried again and got the same. The certificate showed as issued to .vo.msecnd.net. I tried again, and this time the cert showed a248.e.akamai.net. Then from another browser, .clo.footprintdns.com.
What the heck is this. I had a colleague confirm from another city. Same results. Any ideas?
In August some (e.g. [1],[2]) were writing about sites detecting private browsing, specifically the NYT, in order to block people who were using Incognito mode in Chrome to get around free article limits. Looks like Bloomberg now has this feature active as well.
[1] https://9to5google.com/2019/08/09/new-york-times-detect-incognito-chrome-76/
[2] https://www.bleepingcomputer.com/news/google/google-chrome-incognito-mode-can-still-be-detected-by-these-methods/