Jump to content
Search In
  • More options...
Find results that contain...
Find results in...


  • Content Count

  • Joined

  • Last visited


About kuhnertdm

  • Title

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. kuhnertdm

    Is Apple Even TRYING?? – Airpods 2 Review

    TLDW: Apple "New Airpods" (Referred to here as "Airpods 2" - Apple is taking a cue from Nintendo here I guess) Buds themselves look/feel identical to the old ones Released in conjunction with new wireless charging-capable charging case (which still has a lightning port for if you don't have a wireless charging pad) that also looks a bit nicer than the old one Very slight improvements Battery time during calls increased from 2h to 3h Uses Bluetooth 5 instead of 4.2 Able to activate Siri by voice now instead of just double-tapping 1-2s faster device switching 30% improvement in audio latency (though this was not noticeable to the reviewer) Apple did nothing to address concerns of different ear shapes leading to buds falling out or bad audio quality for many people (no replaceable/adjustable tips - one shape, and that's it) No new types of gestures - It only allows for double tap, though the double tap gesture can be customized per ear to a variety of different functions. Telling Siri is still the only way to change the volume; you can't do it with gestures. Very big problems on Android, including volume randomly switching to max upon switching to a new song No manual way to update the firmware (Official instructions are "Plug them into an Apple device and wait", which did not work for them after hours of letting them sit) Recommended if you know that they will fit your ears and are using an Apple phone. Not recommended for Android. Comments that Apple is seriously going to need to put more effort into these if they don't want third parties to take over.
  2. Sounds like it's your email account that's insecure then. Change your password there, and maybe consider setting up 2FA on one or the other
  3. Update was pushed yesterday, so if you've updated since yesterday you should have the fix.
  4. kuhnertdm

    database practice

    To clarify on the previous response, this is the typical process: To register a new user Generate a random salt (This doesn't need to be crypto-secure randomness, just whatever's easiest to generate a random number.) Concatenate the salt to the end of the user's password and hash that concatenated value (Do NOT implement this yourself, use the crypto library you mentioned, and if you're able to specify an algo, something like bcrypt is best. Do NOT use MD5 or another algo used for checksums and not for encryption.) Store the following values in a file for lookup later: User ID/Username/some identifier Plaintext salt (This is why we didn't need it to be crypto-secure random) Hashed value you just made To auth a returning user Look up the values you saved upon registration Concatenate the saved salt to the end of the supplied password, and hash that Compare the hash value to the saved hash value. If they match, user is auth'd
  5. Source: https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/ Story: EA has released an update for their "Origin" game launcher on Windows, fixing a vulnerability that could allow for arbitrary code execution at the privilege level of the currently logged-in user. The exploit must be triggered by following a maliciously constructed origin:// link from within a web browser. That type of link is typically used to launch Origin on the user's computer and perform an action automatically (for example, to navigate to a game on the store, or to launch a game from the app). However, researchers found that these links could also trigger Origin to run arbitrary code not related to the Origin service at all. The proof of concept launched the calculator app, which is a standard for proving that ACE can be done with an exploit. However, the potential negative effects of this kind of vulnerability basically extend to taking full control over the user's computer, as it could run arbitrary commands through Powershell, and if the user is logged in as a local admin (which the vast majority of gamers are on their own machines), those commands can be run as admin. To emphasize, the exploit can only be triggered by following a maliciously-crafted link, but that doesn't necessarily mean it's always user-triggered. If a site is already compromised with malware that can automatically redirect a web page, then this can all be done without the user knowing. Opinion: If you have Origin installed (even if you don't use it), you should update, as this exploit can happen even while Origin is not running, and without the user performing any action to trigger it.
  6. Every article about this event doesn't mention whether it was sandboxed, because the correct assumption is that it is. Saying that the articles indicate a problem is basically just assuming that they fucked up, because they didn't explicitly state that they didn't. If you read a local news article about someone getting arrested, you're not going to just assume that the officer randomly shot a cat because the article didn't say "no cats were randomly shot, per protocol".
  7. Very bad and misleading headline. It was done specifically for analysis purposes, and though it doesn't explicitly state as such, we can assume that it was done on a sandboxed machine. That's a basic procedure, and without plugging it into any machine ever, you can't get the full picture for forensics. It's really sad how every tech news site right now is chomping at the bit to say "LOOK THEY DID THIS THING THAT'S BAD AT THE VERY MOST SURFACE LEVEL!!!" when in context it's business as usual.
  8. kuhnertdm

    A NEW Level of Gimmick? Gigabyte Aero 15 x9 Review

    TLDW: Gigabyte Aero 15 x9 "AI Laptop" (Gaming Laptop) Specs: Intel Core i9-8950HK CPU (Overclockable) Nvidia RTX 2070 Max-Q GPU 16GB DDR4 RAM 1TB NVMe SSD 94Wh battery I/O: 3x USB 3.1 type-A 1x HDMI 2.0 1x RJ45 (Ethernet) 1x DP 1.4 USB 3.1 Type-C 1x Thunderbolt 3 USB 3.1 Type-C UHS-II Card Reader Combo Audio Jack Main selling point: "AI" optimization for games 144Hz 15" 1080p display OR 60Hz 15" 4K display (Option) $2400 for their recommended options Upsides: Good visual/structural design Lots of I/O Tons of horsepower in a really slim chassis GPU performs great for gaming, CPU is decent (see thermal throttling note below) Reasonable noise level Great display, even good enough for pro photo/video work Great trackpad (2nd favorite for the reviewer among all gaming laptops) Great battery, still beats the competition but not by as much anymore now that the competition is getting better Easily upgradable RAM/storage/battery Considerably cheaper than comparable competition with double the storage Downsides: Very bad thermal throttling, crippling the power of the CPU (i.e. literally no reason to not buy the i7 model because it will give you the same performance and be much cheaper) AI feature does not improve performance at all (against the implication of the marketing). It basically amounts to changing the optimization settings automatically for you (essentially turning your "gaming mode" on when you're gaming, and stuff like that) No G-Sync Bad webcam, bad mic, and AWFUL webcam positioning (also doesn't support Windows Hello) Various nitpicks on the keyboard, though it works well enough (gives it a "B+" because the competition is still better) Conclusion: Very strongly recommended for those looking for a good gaming laptop. Recommended except in the case where money is no object, in which case the reviewer recommends the Alienware M15 or Razer Blade 15 instead. Recommendation is made on the merits performance and convenience-wise and basically ignores the AI as a feature, as it doesn't improve performance like they say it does, and pretty much everything it provides can be done manually on comparable laptops anyway.
  9. Source: https://techcrunch.com/2019/04/11/much-to-oracles-chagrin-pentagon-names-microsoft-and-amazon-as-10b-jedi-cloud-contract-finalists/ Story: The US DoD yesterday announced their two finalists to their $10 billion RFP process that has been going on for years, which invited major cloud services providers to submit proposals for consideration for the contract. This eliminates two major players: IBM and Oracle. Google had been in the running until they voluntarily dropped out last year, citing ethical concerns with using AI for warfare purposes. There has been a lot of tension between the major players due to claims that the process unfairly favored Amazon's existing AWS platform, and that they really shouldn't have set it up as a single winner anyway, and should have rather made it a collaborative thing. Setting it up as a "winner-takes-all" scenario could virtually guarantee that the winner will receive future, potentially bigger contracts, as they would already own the cloud platforms being currently used by the government. IBM and Oracle have both made major public complaints about these two claims. Oracle has even attempted to sue the DoD over the "winner-takes-all" process, and has also secured private dinners with President Trump to attempt to convince him to interfere to change the process. These protests have obviously not worked now that both IBM and Oracle have been forced out of the running. Amazon and Microsoft's cloud platforms (AWS and Azure respectively) have far outpaced their competitors in terms of market share. AWS has the lead with about 31-34%, while Azure is sitting at 13-18%, but growing about twice as quickly as AWS. For reference, Google Cloud is sitting at 6-8% but growing slightly faster than Azure. Opinion: There's merit in the claims that this shouldn't be a winner-takes-all situation. Even beyond the unfairness of future contracts being awarded exclusively to the winner of this one, this could also remove any incentive for the winner to improve on their platform in terms of security, performance, etc. Enforcing competition with a collaborative contract would be ideal, but I'm also not too terribly sad with Oracle getting completely shut out of the running. Besides their shady practices regarding the RFP process, they've also proven to be rather anti-consumer in the past with non-government-related projects, such as suing Google for the use of Java in Android, and turning the first party Java JDK/JRE into a commercially licensed product, forcing countless companies who have ingrained their entire software base in Java to now have to pay out the ass to use it.
  10. Source: https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/ Story: Mozilla has added options to block fingerprinting and cryptomining scripts in their Nightly and Beta channels. The options will be disabled by default (but easily enabled) on these channels while Mozilla studies their effectiveness at blocking the following two types of web-based malware: Fingerprinting - Recording information about the user's browser, computer, and potentially even browsing behavior/habits in an attempt to construct a "fingerprint" of the user, either to link the user to a real identity profile even if they are not logged into any site, or to give them ads that will have a greater effect on them. Cryptomining - Running mining software through the web browser on the user's computer to generate cryptocurrency for the website, which can be sold for effectively free money. They plan to turn these protections on by default for all users in the release channel in the future. Opinion: This is pretty much a solid move throughout, and the kind of thing that Mozilla would do to protect users' privacy, but that Google would not, themselves benefiting directly from practices like this. I have a couple concerns about it. First off, with any anti-fingerprinting measure comes the question "Will enabling this feature actually make me more fingerprintable?, as the makers of these scripts will be able to see that the scripts are getting blocked (i.e. aren't reporting back), and will then know that the user is a privacy-conscious individual. Knowing this can be a form of fingerprinting in itself. The other concern is the methods by which they're doing this. They're just matching up remote scripts against a blacklist of "domains that serve fingerprinting/cryptomining scripts", which can be very easily circumvented. The way they chose is very easy to implement, but it would have been a lot more effective if they had done any sort of analysis on the API calls made by the script in question. For example, if a script makes many calls requesting window size, OS, user agent, or other stats commonly used for fingerprinting, then the browser may know that something fishy is up.
  11. Source: https://www.reuters.com/article/us-usa-huawei-tech-zte/elite-u-s-school-mit-cuts-ties-with-chinese-tech-firms-huawei-zte-idUSKCN1RG0FS MIT statement: http://orgchart.mit.edu/node/27/letters_to_community/new-review-process-elevated-risk-international-proposals Story: MIT announced yesterday that they will not be renewing deals or accepting new ones with Chinese-based tech companies Huawei Technologies and ZTE Corp for the near future, as the US government investigates both companies' alleged sanctions violations. Huawei is currently under investigation after their CFO was arrested in Canada last year at the US's request for committing bank and wire fraud in order to circumvent US sanctions against Iran. Huawei has consistently denied the allegations since the incident. ZTE on the other hand was caught shipping goods from the US to Iran and North Korea, breaking similar laws. They were forced by the US to pay $1.4 billion to continue doing business in the US. MIT's announcement states that they won't be doing any more business with Huawei and ZTE until circumstances change. This could potentially be until the investigation concludes. They also announced stricter rules on in what circumstances they will collaborate with other companies in China/Russia/Saudi Arabia, countries whose interests commonly conflict with those of the US, where MIT is based. Opinion: I want to stress the difference here between the two major allegations against Huawei. The one that's relevant here is that they allegedly tried to circumvent US sanctions against Iran, for which there is some significant evidence showing that this is possible, and for which the investigation is happening. The other is much less formal, but basically a lot of people have suspicions that Huawei or other Chinese companies are or could be spying on the US for the Chinese government. For this one, I totally understand the potential motivation for this, but if I understand correctly, we still haven't really seen any evidence of this happening at all, so it's really more of a "pay close attention and watch out" thing rather than anything we have to react to.
  12. kuhnertdm

    Can This LAPTOP Replace a DESKTOP??

    TL;DW: Alienware Area 51m Laptop Specs: 8.5 lb I/O: 3x USB3.1, Thunderbolt 3, HDMI 2.0, Mini display port 1.4, headphone/mic, "Alienware graphics amplifier port", Ethernet IPv6 2x power bricks/ports (thing's a big power hog) Intel Core i9-9900K Nvidia RTX 2080 32GB DDR4 RAM 2x 512GB PCIe SSDs 1x 1TB HDD 17.3" 144Hz 1080p Anti-Glare IPS display Features: Virtually no flex on the chassis, solid feel throughout Really good upgradability, it's definitely designed around upgrading. This includes CPU/GPU ("Probably" on the GPU side, see vid for details) Best laptop they've ever tested for gaming/non-gaming benchmarks Eye-tracking tech (not well-supported in games) Webcam is "half-decent" Great keyboard (except the lighting) Downsides: $4500(!!!) No 1440p version Huge temperature problems Very heavy, 2x power brick Very bad battery life due to desktop components creating a huge power draw Very loud fans when on the "performance" mode Bad speakers when above 50% No fingerprint scanner/Windows Hello support Bad Synaptics touchpad, small, palm rejection issues, bad scrolling Conclusion: Not recommended except in extremely specific situations. For the same price, just get a good desktop AND a Surface laptop.
  13. At least from news stories I've seen online, this is a common practice. There's not really any consequences for police officers and such when they lie to someone about their rights. However, they do have to respect those rights if the person knows the rights. So, telling the person "you don't have a right to an attorney" is a tactic that they will use in the hopes that the person will believe them, and say "Ok, I'll willingly answer your questions without an attorney present". However, in this case that seems kind of fuzzy, especially considering that the officers clearly intended to compel him to answer their questions non-willingly. Plus, there's the aspect with how he was certainly detained without being charged with a crime, and was not allowed to leave until they let him.
  14. kuhnertdm

    Razer's laptop UEFIs susceptible to malware infections

    As of about half an hour ago, Razer is putting out a fix only after this was made public on Twitter. EDIT: I'm sorry, this was certainly NOT as of half an hour ago. I assumed this was breaking today, but it was actually from like 2 weeks ago.
  15. Source: https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/ Story: Eva Galperin, head of the Electronic Frontier Foundation's Threat Lab, will be giving a talk at the Kaspersky Security Analyst Summit next week in Singapore, describing her experience in helping victims of domestic abuse when abusers have compromised the victim's cell phone, and calling on antivirus companies, phone manufacturers, and public officials to start taking the threats seriously. "Stalkerware" is a type of spyware, typically marketed as a tool for parents to keep track of what their kids are doing on their phones, or potentially even where the phones are traveling with GPS data, or some other legitimate purpose. However, it's become a common tool of domestic abusers. Abusers are able to see everything that goes on on the victim's phone, including stealing things like photos and browsing history. Spyware like this has been historically deemed less of an important threat, as it requires a malicious actor to have local access to the phone to install it. In traditional threat models, the attacker typically does not have local access to the device, but in cases like this, it's very easy for an abuser to be alone with the device for enough time to install an app, sometimes directly from the app store. Galperin is calling on companies like Kaspersky to start taking the threat more seriously. Galperin has already made great progress with Kaspersky themselves, who have now implemented much stronger warnings when apps that may violate the user's privacy are found. Previously, their Android antivirus app just displayed a generic categorization of "not-a-virus" and gave the user an option to delete the malware or ignore it. Now, the app gives a much more descriptive warning of the dangers of the malware: Note: Image provided by Kaspersky, sourced through the linked Wired article In addition to phone antivirus providers, Galperin is also challenging other groups to respond to the problem of stalkerware. Apple does not allow antivirus apps on the iOS app store. So, she is calling the phone manufacturer out to challenge them to more strictly monitor the app store for stalkerware apps that may be posing as the "kid tracker" apps mentioned above. In addition, she will be calling on them to put more resources into displaying warnings to the user when their phone has been jailbroken, so that they will be aware if it was done without their knowledge. That said, it's traditionally difficult for Apple to detect this software-side, or otherwise it would be much more difficult to jailbreak an iPhone in the first place. Finally, she plans to issue challenges to public officials. Existing US cybersecurity laws are notoriously strict, and it should be incredibly easy to throw charges at providers of this type of software, that can be used to track someone without their consent. Galperin's work in this field began when she realized that a fellow security researcher had been using his skillset to abuse multiple women, installing spyware on their phones for the purposes of spying, blackmail, etc. She made a public call on Twitter for women who have been victims of this practice to get in contact so that she could help them. Recently, she has decided that she needs to go for the source, and stop this software from being so readily available to abusers. Opinion: This is incredibly important, and as a security engineer myself, it surprised me after reading this article how none of this had occurred to me in the past. From a traditional standpoint, you wouldn't think of apps like kid trackers as a big problem, as they have a legitimate use, and can't be easily installed on the device remotely. In addition, it's not exactly intuitive for antiviruses to say "You have an app on your phone that is meant to track your phone's location and report it to someone", as you'd think that the user of the device would know if they installed something like that. But honestly, the question of "was this installed by a user local to the device" shouldn't ever really be a factor in whether it's deemed a problem to be reported, as it can still be installed local to the device, without the primary user's knowledge.