I just got a note from @Microfix that pointed me to an interesting discussion from Ionut Ilascu at BleepingComputer:
After Microsoft ends support for Windows 7 and Windows Server 2008 on January 14, 2020, 0Patch platform will continue to ship vulnerability fixes to its agents.
“Each Patch Tuesday we’ll review Microsoft’s security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching”
Micropatches will normally be available to paying customers (Pro – $25/agent/year – and Enterprise license holders). However, Kolsek says that there will be exceptions for high-risk issues that could help slow down a global-level spread, which will be available to non-paying customers, too.
Many of you know that 0Patch has been issuing quick fixes for bad bugs in recent patches. In all cases, I’ve refrained from recommending them, simply because I’m concerned about applying third party patches directly to Windows binaries. That said, to date, they’ve had a very good track record. Whether they can continue that record with patches-on-patches-on-patches remains to be seen, of course.
I fully expect Microsoft to release patches for newly discovered major security flaws, even after January 14. Whether those will step on the 0Patch patches is anybody’s guess.
Definitely something worth considering….
0patch promises to keep delivering security updates to Windows 10 even after Microsoft stops next year. Should you use it? We help you decide. //
It’s a way to (likely) get some extra security on a Windows PC by blocking potential flaws from being exploited. But you’re also trusting an additional vendor’s security software. //
If you’re going to connect a Windows 10 (or Windows 7) PC to a network after it’s no longer receiving patches, you should take some security precautions. Ensure you’re using a browser that’s still getting updates on your operating system and an antivirus that’s still supported. And yes, 0patch could also be an additional layer of security against nasty flaws.
“In the short term, it is a good option to buy time, but eventually, the operating system should be upgraded to a regularly supported version,” said Kron.
The folder, typically c:\inetpub, reappeared on Windows systems in April as part of Microsoft's mitigation for CVE-2025-21204, an exploitable elevation-of-privilege flaw within Windows Process Activation. Rather than patching code directly, Redmond simply pre-created the folder to block a symlink attack path. //
For at least one security researcher, in this case Kevin Beaumont, the fix also presented an opportunity to hunt for more vulnerabilities. After poking around, he discovered that the workaround introduced a new flaw of its own, triggered using the mklink command with the /j parameter.
It's a simple enough command. According to Microsoft's documentation, mklink "creates a directory or file symbolic or hard link." With the /j flag it creates a directory junction, a type of filesystem redirect.
Beaumont demonstrated this by running: "mklink /j c:\inetpub c:\windows\system32\notepad.exe." This turned the c:\inetpub folder, pre-created in Microsoft's April 2025 update to block symlink abuse, into a redirect to a system executable. When Windows Update tried to interact with the folder, it hit the wrong target, errored out, and rolled everything back.
"So you just go without security updates," he noted.
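Whether a pre-created folder such as c:\inetpub has quietly become a junction is easy to check before trusting it. On Windows itself the quickest look is `fsutil reparsepoint query C:\inetpub` or `dir /AL C:\`; the script below is an added, cross-platform version of the same check and is not code from the article or from Beaumont. It reports where a symlink or junction points and classifies the folder; on Windows `os.readlink` reads junctions as well as symlinks. The `_demo()` fixture (a real directory beside a symlink to a stand-in for notepad.exe) is constructed purely for illustration.

```python
import os
import stat
import tempfile

# Documented Win32 value; stat exposes it on every platform, the getattr is belt-and-braces.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def redirect_target(path):
    """Return the target if `path` is a symlink or (on Windows) a junction or
    other reparse point; None if it is a real file or directory."""
    st = os.lstat(path)  # lstat: inspect the link itself, never follow it
    win_attrs = getattr(st, "st_file_attributes", 0)  # absent on POSIX
    if stat.S_ISLNK(st.st_mode) or (win_attrs & REPARSE_POINT):
        try:
            return os.readlink(path)  # on Windows (Python 3.8+) this reads junctions too
        except OSError:
            return "<reparse point of a kind readlink cannot resolve>"
    return None


def check_precreated_dir(path):
    """Classify a directory that a mitigation expects to be a plain folder."""
    if not os.path.lexists(path):
        return "missing"
    target = redirect_target(path)
    if target is not None:
        return "redirect -> " + target
    if os.path.isdir(path):
        return "plain directory"
    return "exists but is not a directory"


def _demo():
    """Constructed fixture: a real directory and a link that redirects to a file."""
    with tempfile.TemporaryDirectory() as tmp:
        real_dir = os.path.join(tmp, "inetpub")
        os.mkdir(real_dir)
        victim = os.path.join(tmp, "notepad.exe")  # stands in for a system binary
        open(victim, "w").close()
        link = os.path.join(tmp, "inetpub_link")
        os.symlink(victim, link)  # a symlink here; `mklink /j` makes a junction on Windows
        return {
            "real": check_precreated_dir(real_dir),
            "link": check_precreated_dir(link),
            "missing": check_precreated_dir(os.path.join(tmp, "nope")),
        }


if __name__ == "__main__":
    print(check_precreated_dir(r"C:\inetpub") if os.name == "nt" else _demo())
```

A result beginning with "redirect ->" on a folder that a patch expects to own is the condition to alert on; removing the junction with `rmdir` (which deletes only the link, not its target) and letting the update recreate the directory is the usual cleanup.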
At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought:
In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale. The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit. Compromising our telecommunications infrastructure is now little different from performing any other kind of computer intrusion or data breach, a well-known and endemic cybersecurity problem. To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made.
This is the access that the Chinese threat actor Salt Typhoon used to spy on Americans:
The Wall Street Journal first reported Friday that a Chinese government hacking group dubbed Salt Typhoon broke into three of the largest U.S. internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, to access systems they use for facilitating customer data to law enforcement and governments. The hacks reportedly may have resulted in the “vast collection of internet traffic” from the telecom and internet giants. CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.
This is the kind of information that all the sites you visit, as well as their advertisers and any embedded widget, can see and collect about you.
We Need to Talk About Jeffrey Goldberg Accidentally Being Added to a National Security Chat – RedState
anon-l6yk
3 hours ago
My take is that this signal app was used extensively during the “Biden” administration and they created the original list of regular participants. How much do you want to bet that Goldberg was a regular participant in those classified briefings during the Biden years and this was a result of an incomplete purge of the unauthorized participants?
Rapid Response 47 (@RapidResponse47), 11:03 AM · Mar 25, 2025:
.@CIADirector: "One of the first things that happened when I was confirmed as CIA director was Signal was loaded onto my computer ... One of the things that I was briefed on very early was ... the use of Signal as a permissible work use — it is." //
RATCLIFFE: It is permissible to use to communicate and coordinate for work purposes, provided — provided, Senator — that any decisions that are made are also recorded through formal channels. So, those were procedures that were implemented — my staff implemented those processes, followed those processes, complied with those processes, and finally — just please — so, my communications, to be clear, in a Signal message group, were entirely permissible and lawful — and did not include classified information. //
As Bonchie rightly noted earlier, Goldberg's inclusion on the chat was an unforced error, and frankly, none of the administration should be in contact with him — ever — given his previous bad-faith reporting.
But as Ratcliffe's testimony clearly demonstrates, the use of the app itself by officials for non-classified communication and coordinating for work purposes is both allowed and legal — just as it was under the Biden administration. Hopefully, this will serve as a valuable lesson and help underscore the importance of mindfulness as to proper channels and participants when officials communicate with one another.
It’s hard to have a conversation with anyone in Washington these days without using Signal. I hate the app. It’s just one more messaging app that must be checked. Everyone in Washington, it seems, has Signal. Government officials use it. Reporters use it. Politicians on Capitol Hill use it. Hillary Clinton used an insecure email server. Everyone else just uses Signal, which, at least, is end-to-end encrypted.
With China thoroughly infiltrating our telecom system, no officials in DC are using built-in phone messaging apps or voice to communicate important information now. Apple’s iMessage is robust and secure if the bubbles are blue. But someone may have their iCloud backup turned on, which would capture the chat. WhatsApp is fine and secure. But, again, someone might have a backup. Signal is secure and once a message is deleted, it is deleted. It is the preferred app.
For members of the Trump Administration, which last term saw rogue embedded progressives leaking classified information and even now has seen ICE raid information leak, bypassing government approved means of communications for Signal makes sense — the rogue bureaucrats provided the incentive.
But that is no excuse to add a reporter to a secure group chat trading information related to bombing the Houthis as the Trump national security team did. //
- This whole mess really does suggest that the Trump Administration, like the Biden Administration, has no clue how to get the Chinese out of our telecom networks.
Clive Robinson • March 20, 2025 12:38 PM
@ For those “new to the game”
CI/CD Secrets is liberally spread across the articles, but none explain what they are in layman’s terms.
The first step is to understand what a “Continuous Integration”(CI) “Continuous Development/Deployment”(CD) Pipeline is. Gitlab has a reasonable description at,
https://about.gitlab.com/topics/ci-cd/cicd-pipeline/
However it says nothing about “secrets”
Put overly simply in our modern environments much is “done in the cloud” or in older parlance “across multiple servers” for which “Authorization”(AuthZ) and “Authentication”(AuthN) is required.
At the simplest that is a user has to have “an account” that once would have been a “user name” and was considered “public knowledge”, and “a password” or “passphrase” or other “secret” known only to the user and verifiable by the server.
However when you “automate” things it gets more complicated and it gets to the point where even the user does not know what is used for AuthZ and AuthN as they are “embedded in some way” into the automated pipeline.
It is these that form the basis for “CI/CD Secrets” and whilst they could be “dynamic” and “random” by “challenge and response” or “Zero Knowledge Proof” they generally are “static” and put as “plaintext in files”.
Thus if static “once leaked” anyone who has access to the leak can impersonate the valid user(s).
It’s actually a really bad security design for an automated system and should be replaced with something that is not vulnerable to being recorded and replayed, but still does not need user(s) to be actively involved.
Unfortunately by the way this attack works it can get around the “security advice” given online with articles like,
https://blog.gitguardian.com/handle-secrets-in-ci-cd-pipelines/
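The comment above describes the weak form of a CI/CD secret: a static credential sitting as plaintext in a pipeline file, which anyone holding a copy can replay. As an added example (not the commenter's code and not any vendor's tool), here is a small scanner that flags exactly that kind of value in a pipeline definition while leaving references to the CI system's secret store or to an injected environment variable alone. The workflow it scans is constructed for illustration: the AKIA/wJal values are AWS's published documentation example keys and the ghp_ token is a made-up placeholder.

```python
import math
import re

# Constructed sample: a GitHub Actions workflow with credentials pasted in as
# plain text.  AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/... are the well-known AWS
# documentation example keys; the ghp_ token is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      GH_TOKEN: ghp_abcdefghijklmnopqrstuvwxyz0123456789
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
      DB_PASSWORD: changeme
      API_TOKEN: $VAULT_TOKEN
    steps:
      - uses: actions/checkout@v4
      - run: curl -H "Authorization: Bearer $GH_TOKEN" https://api.example.com/deploy
"""

# Most specific rules first; a line is reported once, under the first rule that fires.
# Third field: minimum Shannon entropy (bits/char) the captured value must reach.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0.0),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"), 0.0),
    # key=value / key: value where the key name suggests a credential; the value
    # must be 8+ characters and random-looking, so placeholders like
    # `password: changeme` are not reported.
    ("generic_credential_assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
     3.0),
]


def shannon_entropy(s):
    """Bits per character: roughly 4.5+ for random tokens, 2-3 for English words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text):
    """Return (line_no, rule_name, redacted_value) for each static secret found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # `${{ secrets.X }}` / `$VAR` are references resolved at run time, not secrets in the file.
            if value.startswith("$"):
                continue
            if shannon_entropy(value) < min_entropy:
                continue
            findings.append((line_no, name, value[:4] + "…" + "*" * (len(value) - 4)))
            break
    return findings


if __name__ == "__main__":
    for line_no, name, redacted in scan(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {name}: {redacted}")
```

Each reported line is a credential that works for whoever copies the file, which is the replay problem the comment describes; the unreported `${{ secrets.* }}` and `$VAULT_TOKEN` lines show the shape to migrate to, where the pipeline receives a value at run time rather than carrying it in source.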
Who? • March 20, 2025 12:25 PM
@ Clive Robinson
Years ago I sent an email to DISA about some obvious “errors” in some networking-related STIGs that made those technical implementation guides dangerous if followed as published. They replied, in a somewhat impolite way, noting the obvious (that I am not affiliated with the U.S. army); these technical implementation guides about some well-known routing devices remain unfixed.
The same happened again some time later, this time about some CTRs and CSIs published by the NSA. No answer at all, something I appreciate when compared to the DISA reply, but they continue recommending a setup that opens the door to widely known attacks against shared caches in certain processor architectures. Not to mention that these documents have been updated at least once but continue suggesting the insecure settings.
To be honest, I do not trust what CISA/DISA/NSA may publish.
The current U.S. administration may continue degrading the country’s cybersecurity and international alliances. If U.S. citizens accept it this way, who am I to disagree?
Clive Robinson • March 20, 2025 12:58 PM
@ Who?, ALL,
With regards,
“To be honest, I do not trust on what CISA/DISA/NSA may publish.”
And so you should not. Likewise you should not trust the word of anyone including me 😉
It’s why I do not like the idea of “Best Practice” that every man and his dog took as an idea from the legal profession. Because there is no such thing as “best practice” and anything written in that regard almost certainly becomes “out of date” very shortly thereafter.
What people should do, and few have time to do so, is learn what a system does and how, and what its interactions, strengths, weaknesses and Non Obvious Flaws are.
From time to time, security issues are found within software. The FreeBSD package management system relies upon pkg-audit and the Vulnerability database to alert system administrators that attention is required.
The U.K. government appears to have quietly scrubbed encryption advice from government web pages, just weeks after demanding backdoor access to encrypted data stored on Apple’s cloud storage service, iCloud.
Once the backdoor exists, others will attempt to surreptitiously use it. A technical means of access can’t be limited to only people with proper legal authority. Its very existence invites others to try. In 2004, hackers—we don’t know who—breached a backdoor access capability in a major Greek cellphone network to spy on users, including the prime minister of Greece and other elected officials. Just last year, China hacked U.S. telecoms and gained access to their systems that provide eavesdropping on cellphone users, possibly including the presidential campaigns of both Donald Trump and Kamala Harris. That operation resulted in the FBI and the Cybersecurity and Infrastructure Security Agency recommending that everyone use end-to-end encrypted messaging for their own security. //
It’s a question of security vs. security. Yes, we are all more secure if the police are able to investigate and solve crimes. But we are also more secure if our data and communications are safe from eavesdropping. A backdoor in Apple’s security is not just harmful on a personal level, it’s harmful to national security. We live in a world where everyone communicates electronically and stores their important data on a computer. These computers and phones are used by every national leader, member of a legislature, police officer, judge, CEO, journalist, dissident, political operative, and citizen. They need to be as secure as possible: from account takeovers, from ransomware, from foreign spying and manipulation. Remember that the FBI recommended that we all use backdoor-free end-to-end encryption for messaging just a few months ago.
Securing digital systems is hard. Defenders must defeat every attack, while eavesdroppers need one attack that works. Given how essential these devices are, we need to adopt a defense-dominant strategy. To do anything else makes us all less safe. //
Stéphan • February 26, 2025 7:37 AM
It will be interesting to see if the UK Govt is satisfied with the disabling of ADP, because that would confirm the backdoor is already in place for non-ADP iCloud accounts. Which would mean it is likely also in place for non-E2E-encrypted cloud services like Google and MS365 accounts. With this move Apple came up with a clever canary about the true underlying situation.
What that means is that multiple systems inside Bybit had been hacked in a way that allowed the attackers to manipulate the Safe wallet UI on the devices of each person required to approve the transfer. That revelation, in turn, has touched off something of a eureka moment for many in the industry.
“The Bybit hack has shattered long-held assumptions about crypto security,” Dikla Barda, Roman Ziakin, and Oded Vanunu, researchers at security firm Check Point, wrote Sunday. “No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets.”
Bad actors can now digitally impersonate someone you love, and trick you into doing things like paying a ransom.
To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons.
This is how it works:
- Two people, Person A and Person B, sit in front of the same computer and open this page;
- They input their respective names (e.g. Alice and Bob) onto the same page, and click "Generate";
- The page will generate two TOTP QR codes, one for Alice and one for Bob, both carrying the same shared secret;
- Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
- In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.
Note that this depends on both Alice's and Bob's phones being secure. If somebody steals Bob's phone and manages to bypass the fingerprint or PIN or facial recognition of Bob's phone, then all bets are off. A matching code proves only that the person on the line holds a phone enrolled with the shared secret, not that the voice or face is genuine, and the check is symmetric, so Bob can and should challenge Alice the same way.
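The pairing procedure above, as an added example in working code rather than the page's own generator (whose QR contents and labels are not shown here): one random secret is generated, two otpauth provisioning URIs are produced for it (what the two QR codes would encode, in the key-URI format authenticator apps accept), and the code read out over the call is verified with a small tolerance for clock skew. The issuer name `PairVerify` and the label format are assumptions; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 with SHA-1, 6 digits and a 30-second step, which is what Authy and Google Authenticator default to.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # seconds per time step (RFC 6238 default, what authenticator apps assume)
DIGITS = 6
ISSUER = "PairVerify"   # assumed label for the authenticator-app entry


def new_shared_secret(nbytes=20):
    """One random 160-bit secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uris(secret_b32, name_a, name_b):
    """Two provisioning URIs (what the two QR codes would encode) for the SAME
    secret, each labelled from its owner's point of view."""
    def uri(owner, peer):
        label = quote(f"{ISSUER}:{owner} <-> {peer}")
        return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={ISSUER}"
                f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return {name_a: uri(name_a, name_b), name_b: uri(name_b, name_a)}


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _key(secret_b32):
    """Base32 secrets are often shown in groups with spaces and without padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at=None):
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time() if at is None else at)
    return hotp(_key(secret_b32), t // STEP)


def verify_spoken_code(secret_b32, spoken, at=None, window=1):
    """Check a code read out over the call.  `window` steps of tolerance cover
    clock skew and the seconds it takes to read six digits aloud."""
    spoken = spoken.strip().replace(" ", "")
    if not (spoken.isascii() and spoken.isdigit()):
        return False
    t = int(time.time() if at is None else at)
    key = _key(secret_b32)
    return any(hmac.compare_digest(hotp(key, t // STEP + d), spoken)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret = new_shared_secret()
    for who, u in otpauth_uris(secret, "Alice", "Bob").items():
        print(f"{who}'s QR code encodes: {u}")
    print("current code on both phones:", totp(secret))
```

Because both phones hold the same secret, a code is only as private as the two devices, which is the caveat the post already makes; the one-step window also means a code overheard in the last half-minute is still valid, so a challenge should be issued fresh on each call rather than reused.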
Researchers have uncovered a sustained and ongoing campaign by Russian spies that uses a clever phishing technique to hijack Microsoft 365 accounts belonging to a wide range of targets. //
Advisories from both security firm Volexity and Microsoft are warning that threat actors working on behalf of the Russian government have been abusing this flow since at least last August to take over Microsoft 365 accounts. The threat actors masquerade as trusted, high-ranking officials and initiate conversations with a targeted user on a messenger app such as Signal, WhatsApp, and Microsoft Teams.
"An official website of the United States government," reads small text atop the Department of Government Efficiency (DOGE) website that Elon Musk's team started populating this week with information on agency cuts.
But you apparently don't have to work in government to push updates to the site. A couple of prankster web developers told 404 Media that they separately discovered how "insecure" the DOGE site was, seemingly pulling from a "database that can be edited by anyone."
One coder couldn't resist and pushed two updates that, as of this writing, remained on the DOGE site. "This is a joke of a .gov site," one read. "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN," read another.
houdini1984
8 hours ago
In a perfect world, Snowden would have been able to report the IC's violation of Americans' rights to Congress. He should have attempted to do so. But is he a traitor? Hardly.
Here's the thing. We're talking about a Congress that failed to punish the intelligence community for... wait for it... spying on Congress. Yes, that's right. The IC was literally spying on our representatives, and forced to admit to those activities. And what did Congress do? They continued to renew all the powers that the IC regularly abuses.
Anyone who's paying attention understands that our elected representatives are, almost to a man and woman, scared to death of this country's intelligence community. They are terrified that their own secrets may be used against them by a vengeful IC. They are willing to sacrifice your liberties to maintain some semblance of peaceful coexistence between themselves and the forces of the deep state.
So, yeah. Snowden's actions are easy to criticize. And they were illegal, in the purest sense of that word. But was he wrong to distrust Congress? Was he right to believe that the American people deserve to know that their government is violating their rights on a daily basis? Did he have an obligation to choose between going to prison or remaining silent?
Personally, I am glad that the truth came out. And I don't blame Tulsi one bit for refusing to be nagged into calling the man a traitor. That nagging is just designed to distract from the real issue, which is that our government has long been weaponized against us.
anon-w8wg houdini1984
5 hours ago edited
Snowden was kind of simultaneously hero and traitor. His actions absolutely threw a wrench in America's military and intelligence gears (I was in the military at the time). However, he brought to light things that the people needed to know, things that never should have been approved. Personally, I don't have a problem calling him traitor. I have no problem with Tulsi Gabbard not calling him a traitor, though, as long as she notes what was bad about his actions. She did this, which makes her more qualified than most intelligence directors, IMHO.
In fact, now that I think of it, Snowden might have helped put us on the MAGA track. So, maybe there's more good to him than I've given him credit for.
Random US Citizen
11 hours ago
What Snowden did was illegal and punishable by law. On the other hand, Gabbard is right—he also exposed a lot of domestic spying by the U.S. government against its own citizens. It’s interesting—in a sort of horrifying way—that so-called conservative Republicans are more upset that Gabbard opposes Patriot Act overreach than any other issue that came up at her confirmation hearing.
anon-bjec NightStalker
9 hours ago
I doubt we would have had one Trump presidency, much less two, without Snowden. Who would have believed the massive duplicity with which the deep state acts? A lot of us might have actually bought into the RUSSIA RUSSIA RUSSIA RUSSIA nonsense, not believed it was even possible for Obama to weaponize the IC against a political opponent. A lot fewer people would have been aware of just how bad the IC and deep state are when operating domestically.
People like Schifty Schiff see Russians under every rock without stepping back to see the big picture. Snowden exposed sources and methods alright. Sources: massive domestic spying apparatus weaponized against Americans. Methods: outrageous violations of every basic tenet of the Constitution and founding principles.
We needed to know.
Feb. 1 is Change Your Password Day, and you may think that good cyber hygiene means creating new, robust passwords every few months. Not so fast.
There was a time that whenever I wrote something related to security passwords, I'd use these words: "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.
I haven't done that in years, though, because one of our resident security experts, Neil. J. Rubenking, pointed out that the "should do frequently" part is now outdated advice.
When the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, they used a lot of science-talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords if they have forced "composition rules," such as including a symbol, an uppercase letter, a numeral, etc.
"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.
The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
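What the NIST guidance above looks like when it is turned into a verifier's password check, as an added example that is not from the article or from NIST: length is enforced by code point after Unicode NFKC normalization (which SP 800-63B also recommends, so the same secret typed two ways compares equal), long passphrases are accepted, a blocklist of breached or common values is consulted, context words such as the username are rejected, and there are deliberately no composition rules and no calendar-based expiry. The blocklist here is a tiny constructed stand-in; a real one should come from a breach corpus.

```python
import unicodedata

MIN_LEN = 8      # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 128    # SP 800-63B says to allow at least 64; a higher cap is fine

# Constructed stand-in for a real breached/common-password list.
BLOCKLIST = {"password", "p@ssw0rd", "12345678", "qwertyuiop", "letmein123", "changeme"}


def normalize(pw):
    """One canonical form so 'é' entered as one or two code points is the same secret."""
    return unicodedata.normalize("NFKC", pw)


def check_password(candidate, username="", service="example"):
    """Return (ok, reason).  Only length, a blocklist and context-specific words
    are checked; no symbol/uppercase/digit rules, and nothing here expires a
    password on a schedule: rotation happens on evidence of compromise or on
    the user's request, not because N days have passed."""
    pw = normalize(candidate)
    if len(pw) < MIN_LEN:               # len() counts code points, not bytes
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    low = pw.lower()
    if low in BLOCKLIST:
        return False, "appears on the breached/common password list"
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            return False, f"contains '{ctx}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd", "tr0ub4d"):
        print(repr(pw), "->", check_password(pw))
```

The contrast the test cases make is the article's point: "P@ssw0rd" satisfies every classic composition rule and is rejected because it is on the list, while a four-word passphrase with no symbols passes.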
Here are a few ways to securely erase your hard drive:
DBAN (Darik's Boot and Nuke) – a free boot disk that overwrites every sector of a spinning hard drive, typically several times. It is meant for HDDs: on an SSD, wear-levelling and over-provisioned blocks mean an overwrite cannot reach every cell, so use the drive's own secure-erase command instead.
Secure Erase (for SSDs) – use the manufacturer's tool (e.g., Samsung Magician, Crucial Storage Executive) to issue the drive's built-in secure-erase command, which wipes all cells, including the ones the operating system cannot address.
Command Prompt (for HDDs) – run cipher /w:C:\ to overwrite the free space on the C: volume. This scrubs only the space left behind by already-deleted files; files still on the volume are untouched, so it is not a substitute for a whole-drive wipe before disposal.