Extremeskins

Random Tech/IT Thread


Gamebreaker


‘Trojan Source’ Bug Threatens the Security of All Code

 

Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.

 

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

 

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).

 

But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

 

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

 

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

 

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

 

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”

 

Click on the link for the full article

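The article describes the weakness in general terms: Bidi override and isolate control characters are legal inside comments and string literals, the compiler ignores them there, and a viewer silently reorders what the reviewer sees. The practical defence most toolchains and forges adopted after the disclosure is simply to flag any such character in source. The scanner below is an added example written for this thread, not code from the article or from the Cambridge researchers; the `SAMPLE` source text is constructed for the demonstration. It lists the nine Bidi control code points, reports every occurrence with line and column, marks openers that are still open at the end of their line, and offers a helper that rewrites the controls as visible `\uXXXX` escapes so they survive a code review.

```python
from dataclasses import dataclass

# Unicode Bidi control characters (the ones Trojan Source abuses).
# Embedding/override controls are closed by PDF; isolate controls by PDI.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}
EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}
ISOLATES = {"\u2066", "\u2067", "\u2068"}


@dataclass
class Finding:
    line: int           # 1-based line number
    column: int         # 1-based code point offset within the line
    codepoint: str      # e.g. "U+202E"
    name: str           # short Unicode name, e.g. "RLO"
    unterminated: bool  # opener not closed before the end of its line


def scan_source(text: str) -> list[Finding]:
    """Report every Bidi control character in `text`, line by line.

    Any occurrence is a finding: the compilers that addressed Trojan Source
    reject or warn on these characters in comments and strings outright.
    An opener still open at end of line is additionally marked unterminated,
    since that is the pattern that reorders the rest of the line in a viewer.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stack: list[tuple[str, Finding]] = []  # currently open embeddings/isolates
        for col, ch in enumerate(line, 1):
            if ch not in BIDI_CONTROLS:
                continue
            f = Finding(lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch], False)
            findings.append(f)
            if ch in EMBEDDINGS or ch in ISOLATES:
                stack.append((ch, f))
            elif ch == "\u202c":
                # PDF closes the innermost embedding, but not across an isolate
                if stack and stack[-1][0] in EMBEDDINGS:
                    stack.pop()
            elif ch == "\u2069":
                # PDI closes the innermost isolate and everything opened inside it
                while stack:
                    opener, _ = stack.pop()
                    if opener in ISOLATES:
                        break
        for _, f in stack:
            f.unterminated = True
    return findings


def make_visible(text: str) -> str:
    """Replace Bidi controls with their escape sequence so a review shows them."""
    return "".join(f"\\u{ord(c):04x}" if c in BIDI_CONTROLS else c for c in text)


# Constructed sample (not from the article): line 2 carries a balanced
# RLO...PDF pair inside a comment, line 3 an LRI that is never closed.
SAMPLE = (
    "int main(void) {\n"
    "    /* \u202ereversed text\u202c */\n"
    "    /* note \u2066 isolated */\n"
    "    return 0;\n"
    "}\n"
)


if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        flag = " (unterminated)" if f.unterminated else ""
        print(f"line {f.line} col {f.column}: {f.codepoint} {f.name}{flag}")
    print(make_visible(SAMPLE))
```

Run it against a checkout with `scan_source(open(path, encoding="utf-8").read())` per file; a pre-commit hook that fails on a non-empty result is the same policy GitHub and several compilers adopted, which is to treat the mere presence of these characters in source as a review blocker rather than trying to decide whether a given one is malicious.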

  • 5 weeks later...

Looking to buy a new laptop for personal use. No interest in gaming performance. Will do some photo editing. Can use an external drive if the photos/videos take up too much over time. Not a big fan of touch screens.


When docked I’ll have a couple of screens attached so think 15” is a decent size when mobile.

 

Is the Dell XPS 15 a decent choice for a Windows user?

 

Edited by Corcaigh

1 hour ago, Corcaigh said:

Looking to buy a new laptop for personal use. No interest in gaming performance. Will do some photo editing. Can use an external drive if the photos/videos take up too much over time. Not a big fan of touch screens.


When docked I’ll have a couple of screens attached so think 15” is a decent size when mobile.

 

Is the Dell XPS 15 a decent choice for a Windows user?

 

Similar requirements to yours. I've had a Dell Inspiron 5566 since 2017 for home use. Screen went bad about 1 year ago but I replaced it myself (part was ~$100). I've had multiple Inspiron laptops over the years with different companies & have always had good luck with them. 


1 hour ago, Corcaigh said:

Looking to buy a new laptop for personal use. No interest in gaming performance. Will do some photo editing. Can use an external drive if the photos/videos take up too much over time. Not a big fan of touch screens.


When docked I’ll have a couple of screens attached so think 15” is a decent size when mobile.

 

Is the Dell XPS 15 a decent choice for a Windows user?

 

 

Take a look at this: You want an Intel i5 or i7 with SSD. If you go with a 1 TB SSD then it is $80 more to double the storage. It is always a good idea to back up your stuff to an external in case the computer SSD goes south. 

 

New Inspiron 15 Laptop

Estimated Value $1,018.99
Dell Price $849.99
You Save $169.00 (17%)
Free Shipping
11th Generation Intel® Core™ i7-11390H Processor
Windows 11 Home
Intel® Iris® Xe Graphics with shared graphics memory
16GB, 2x8GB, DDR4, 3200MHz
512GB M.2 PCIe NVMe Solid State Drive
15.6-in. display

You think XPS is overkill? Willing to pay more for lighter or better build quality as it will get a lot of use?

 

And maybe stick with the 512MB drive and put the difference into a 4 or 5TB external drive.

 

Edited by Corcaigh

9 hours ago, Corcaigh said:

You think XPS is overkill? Willing to pay more for lighter or better build quality as it will get a lot of use?

 

And maybe stick with the 512MB drive and put the difference into a 4 or 5TB external drive.

 

 

For what you were going to do I thought the XPS was overkill. Looks like you liked how it is built. They are nice machines indeed. As an IT guy I always get Latitude and do stuff like Photoshop and video rendering as well.  :)

Edited by zskins

  • 2 weeks later...
4 minutes ago, skinsmarydu said:

Nuttiest question ever, I'm sure...

Does anyone still use Firefox and is anyone else having trouble with it crashing all day today?

 

Yes. And nope. Do you have the latest version? If not then just go to firefox.com and download or reinstall. 


If you’re trying to keep up with log4j here’s an ongoing list of affected apps/vendors

 

https://github.com/authomize/log4j-log4shell-affected
 

If you’re managing a VMware setup then RIP your Christmas break. 

I get to sit on the sidelines for this one (so far at least.) 

Also if you’re running VMware I’ve got random reports of their workarounds bricking the host. So. Proceed with caution. 


Is the Lenovo IdeaPad a decent laptop?  I don't know enough to know if this is a good buy, but it seems to have everything on my checklist.

https://www.costco.com/lenovo-ideapad-5i-15.6"-touchscreen-laptop---11th-gen-intel-core-i7-1165g7---geforce-mx450---1080p---windows-11.product.100794677.html

 

I am looking for a laptop that will primarily be the one my wife uses.  She tends to open up a dozen windows with various office programs running in the background, complaining all the while about any lag in performance.  I would like to have the option to play some games on it (if I ever have time and energy at night), and I will end up watching all the Redskins games after they are played as my weekly workout routine allows.  My son will likely do some video editing on it along with mixing some music.  All in all, I thought this one looked like it could handle those needs. 

 

Does anyone have advice on this or other models? 


I decided a long time ago Lenovo is junk and will never buy another. Thought they’d be good after buying the Idea/Think line from IBM but they weren’t. 

My advice is to stick to HP/Dell business line products. 

Better warranty. Better hardware combination that’s certified (consumer lines use whatever is available at a price point to target a segment of the market.) Driver/firmware updates past a year (consumer doesn’t have that.) And a better support experience if you need it (they’re broken apart and business support is way better to work with.) A business line laptop with at least 16 GB memory running on an i5 should last you 5 years easy. 
 

 

Edited by tshile

Yeah man. And now you have to worry about configuration for every product because the patch doesn’t 100% cover it. 

It’s better to be the person responsible for the meetings and the deployment and being the person with the answers, instead of being the dev reworking/QA/pushing fixes to your products in production. 

Even if you’ve got a test environment you’re not doing normal testing. 

I’m just losing time tracking it all. Feels like every other hour I’m down a wormhole of “ugh, this used it too?” Then make a ticket including devs. 

It’s been two ****ty weeks. 

Also super glad my VMware footprint is super small 😂 


Bruh, the backup software on our production servers is vulnerable to it, beyond ironic from a security standpoint.

 


 

Same time, it’s like herding cats dealing with different application teams and getting them to talk to each other.  Some are wanting 2.15, some are saying 2.16, some are making manual changes.

 

Confirming the scope of impact is hard enough, yes, but what to do about it and the timeline for it is even harder.  This sucks worse than SolarWinds, imo, because in that case it was far easier to identify the servers that had the limited list of impacted software. 

 

It seems like the list of impacted software is growing as more and more folks confirm it; it’s f'n whackamole now.

Edited by Renegade7

Yeah, that link I posted about an aggregated list - like three hours later two things I knew had it weren’t on the list so I quit looking at it. 

Was just discussing it with the wife and she asked how I’m figuring it out. 🤷‍♂️ If what you’re looking at does logging, and it’s not built on .NET, then it probably used it…

 

Thankfully my dev exposure is just warning and in some cases deploying the fix. But otherwise I’m just a third party in the meeting silently going “so glad this has nothing to do with me…” in the form of a jingle. 

 

My issue is getting key people to correctly understand the risk. People’s risk assessments are just dumb. It seems like they’re either Chicken Little, or don’t care at all to the point of it being difficult to get any buy-in. 

No, just because the system uses it doesn’t mean this is a critical emergency that requires everyone to drop what they’re doing to placate your current line of questions (which are just different versions of previously asked questions).

 

or

 

Yes, because your system is public-facing this is a ****ing emergency and you need to make some decisions. 

People are a trip. 

Honestly though @Renegade7 embrace it dude. This is the best part of the job. 

The problem isn’t yours; it’s someone else’s. 

But you get a front row seat to the **** show. 

 

This is my favorite part of the job. Enjoy it. :cheers:

Edited by tshile

20 minutes ago, tshile said:

Out of curiosity 

 

veeam?

 

Lol, pm sent. :cheers:

 

Ya know, my wife says I take my job too seriously.  I don't know, maybe she's right, but context is everything.  

 

Our group is inside a software development shop. SolarWinds made it clear that software development shops can and will be targeted in the future.  I work for the federal government, so the obvious concern is that state actors will start coming after us with this zero day (if they haven't already; not in the SOC anymore).

 

Have to be careful what I say here, but yes, our group is asking how responsible for this we are, in the context that we don't have the power or permissions to implement the fixes ourselves. 

 

It's obvious that someone needs to coordinate zero day efforts concerning scope and confirming timelines are made for addressing it, and I'm fine with the security team doing that; if anyone should know those two things, it's us.

 

There are already hints of a lessons learned meeting coming after this is over. First thing is to get those same people you had in the "where the hell are we now" meeting together on day one of a zero day of this level of impact, and recurring if necessary for progress made if something like SharePoint/Teams isn't enough.

 

I only say this not as a complaint but as wisdom to other shops going through something similar.

Edited by Renegade7

15 minutes ago, Renegade7 said:

Ya know, my wife says I take my job too seriously.  I don't know, maybe she's right, but context is everything.  

You need to learn to enjoy the parts where you’re just managing the situation. You’ll be in enough where the spotlight’s on you; don’t make it worse for yourself when it isn’t.  Just make sure you’re not the one ****ing up, stay on top of your responsibilities, and let others worry about theirs. 

But, regarding the rest, we may just be in different spots. You’re in a security team. So, this is probably the only thing you’re doing right now. 

I’m a consultant/SME/whatever you need me to be. 
 

My role is different. Other than tracking and installing patches when available, not much for me to do. We did risk assessment day 1. Nothing was so critical it had to be shut down. Everything could have public access shut down until remedy is known. Just lucky like that in this case. 
 

 

