Posts
4
Comments
951
Joined
2 yr. ago

  • It's a matter of circumstance. Authoritarianism is only useful in situations where time pressures make the slow, deliberate decisions of democracy unworkable. Combat is a good example of this. When the shells are raining down around you, there isn't really time to hold a vote on how to proceed. So, in such situations there is usually a chain of command which is given authoritarian control. Other emergent situations will also often require similar levels of top-down control. The person in charge may not make the best or fairest decisions in the heat of the moment. But, inaction will almost certainly be a worse choice.

    The other side of this is, when the situation isn't emergent, a democratic (well, really semi-democratic, but I'm going to use "democratic") system is likely the best choice. And those democratic systems would be wise to prepare for the emergent situations by identifying and designating the people who will be handed dictatorial control when the fecal matter hits the air circulator. And the system for identifying when the emergency has ended, how dictatorial power is unwound and how the performance of the person handed that power is to be judged.

    The reason I hedged with "semi-democratic" is that a truly democratic system can have issues too. The classic "tyranny of the majority" problem. As any majority could override the rights of a minority in a truly horrible fashion. The solution being things like constitutional democracies, where the power of the majority is limited in specific ways (e.g. unrevokable rights).

  • Fair enough, but absent any evidence that password reuse is leading to a problem, the article is trying to claim that him being the victim of previous breaches is somehow a failure of security on his part. That's just dumb. Maybe he did reuse passwords and that's going to cause problems. But, absent any evidence of it, the whole article just comes off as yellow journalism, at best.

  • I understand your desire to be charitable or tempered, but this isn’t some random schmuck who made an oopsie and reused a password from a previous database hack.

    And nothing we know shows that he did that. Sure, he could have, and maybe he is that bad at security. The whole article is based on the supposition that he is reusing passwords. With no proof provided. If there's some evidence, then sure burn the witch. Otherwise, it's just baseless supposition.

    This idiot has his dumb fingers in vital government systems, and the fact that he didn’t clean up his security profile before wreaking havoc says a lot about his ability to do his job safely.

    There isn't anything he could have done about past breaches. As I said, my email is still in the HaveIBeenPwned database, not because I didn't clean up anything, but because I can't clean up anything. Once those creds have been published, they stay published forever. The only thing you can do is rotate any affected passwords and move on with life.

    And yes, the obvious failures on the DOGE website do speak to poor coding practices. I wouldn't hire the guy to code anything, but I still think the article is just over the top muck raking trying to turn breached credentials into a story which really isn't there.

  • I'm no fan of the folks at DOGE; but, I feel this bit is important to highlight:

    the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points.

    I know that my own credentials show up in the HaveIBeenPwned database quite a few times. I've had the same email address going on three decades now and have been signed up to a lot of services which got breached. The result is that you can find my personal email address and the associated password for whatever service got popped. Does that mean my own security is bad and/or my credentials for anything else are compromised? No, because I use complex, unique passwords everywhere. Yes, if you dig through the data, you can find my username and password for Dungeons and Dragons Online. And that will net you fuck all, because that was the only place I used that password.

    Honestly, this article is more an embarrassment to the person who wrote it than the person it's about. Anyone who has had the same email address for any significant length of time and has used it to sign up to internet based services has probably had their credentials for some of those sites compromised. Sure, the OpSec and practices of folks in DOGE have been terrible, but all we know is that this user has had their credentials from other sites and services dumped, just like every other victim of such breaches. That's not news, nor does it reflect on the victims of those breaches. This is just a sad attempt at a hit piece, which only shows the author's lack of ability to find anything interesting to write about.

  • ServiceNow is very much aimed at the managers. It's good at reporting metrics like SLAs, ticket counts and anything else management dreams up to track metrics on. The interface for analysts putting data into it is slimy shit on toast. I swear, one of the questions I plan to ask, the next time I'm interviewing for a job is, "what do you use for security case management". If the answer is "ServiceNow" or "ServiceNow Security Incident Response (SIR)", that's going to be a mark against that company. The only thing worse than ServiceNow ITSM is ServiceNow SIR. It's all the terrible design of ITSM, but with basic security case management features implemented by clueless idiots.

  • The entertaining question would be: what do the salaries of the new employees look like, compared to the old ones? I'd suspect that the administration is thinking they can fire a well experienced, but expensive employee and hire on a cheap replacement. However, I also suspect many of those positions are fairly specialized and they are going to end up paying to get rid of all that experience and then end up paying a premium to hire someone with the needed experience for the position.

  • “the arrestment failed,” said the official

    I wonder at the nature of that failure. I'd immediately think this means "the cable broke" or "the hook broke". But, it could also mean "the pilot missed the cable and failed to respond correctly".

  • I think it's best to start with the classic mantra:
    If you aren't paying for the service, you are not the customer, you're the product.

    It's easy to think that Discord isn't reading your messages or listening to your calls, because they utilize End to End Encryption. And this is a good thing for them to be doing. It means that no one can intercept the conversation, as it passes over the web. However, there is one glaring loophole, the data is decrypted by the Discord app on your device. Does the Discord app then send any/all of that data up to their servers? Probably not, but they probably also have the app scan it for keywords and categorize it so that they can upload that metadata about you to their servers. Also, for public Discord channels, you can bet that they are reading, scanning, and categorizing everything on those channels. The Discord app is also collecting as much information as possible about the device you are using it on.
    From their Privacy Policy:

    Information about your device. We collect information about the device you are using to access the services. For example, this includes information like your IP address, operating system information, browser information, and information about your device settings, such as your microphone and/or camera.

    The ultimate goal of this is to use this data to build a customer profile of you and sell that profile to advertising firms. As for how bad this is, that's up to your personal level of paranoia. For most people, this is probably a reasonable trade off, most of the time. If you are not the type of person who needs to protect their privacy carefully (e.g. a journalist in a hostile government) and the conversation you are having isn't all that important (e.g. talking about a video game), then it's probably fine. But, if you are having a conversation which might actually matter or you are worried about a repressive government, then maybe pick something with a better privacy track record (e.g. Signal).

  • And from both of their perspectives, it doesn't matter. Continuity of consciousness really only matters in the future, not the past. If I die every night when I go to sleep and a brand new me, with all of my memories wakes up the next day, to that future me life is fine (at least until he dozes off). For past me, well they ceased to exist and there's no point agonizing over their deaths. To current me, falling asleep then becomes a terrifying experience, as that means oblivion for me, and fuck that future doppelganger me. In the Prince's scenario, unless he plans to piss off another witch, what happened to the previous him isn't really important. For the princess, it's even less important, as there is really no difference, from her perspective, of the two paths to arrive at now.

  • That depends on the use case. For drive encryption, a centrally assigned and managed password is fine. It provides for protection of data at rest while also ensuring that a single point of failure (the user) won't remove access to the data contained on the encrypted volume. Since it's not intended to prove identity, that risk needs to be mitigated by a different control.

  • At most organizations I have worked at (both IT and cybersecurity), decryption keys will be centrally managed. With some technologies (e.g. Bitlocker), it's possible to have multiple passwords which can be used to decrypt the drive, and it could be possible for the user to have one only they know. However, there isn't a logging mechanism to verify which password was used to unlock the drive, leaving the issue of non-repudiation. This could probably be fixed by having some sort of system which logs which user unlocked the drive, but that would be a very hard thing to do securely. Any such log would need to be in a space the bootloader can reach and write to, and now that location needs to be secured in a way which prevents a malicious actor from modifying the log. At that point, we're quickly arriving at having TPM and we might as well go whole hog and just do TPM and secure boot. Which is a great bit of technology; but, now only proves that the system hasn't been tampered with.

    As a tangent, the reason most organizations centrally manage drive encryption keys is the need to unlock the drive, in the event the user is no longer able to. If you win the lottery, turn your laptop in and run off to parts unknown, the organization may want to unlock the laptop to recover anything you were working on. So, they need access to the decryption key.

    Ultimately the problem is that the encryption password and your user account password are solving different security problems and there isn't a lot of good overlap between the two.
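    As an added illustration of the setup described in the comment above (this is example code, not something the commenter posted): a BitLocker volume can carry several key protectors at once, for instance the user's TPM or password protector plus an organization-held recovery password, and the volume only reports which protector types exist, not which one performed the last unlock. The script assumes it runs elevated on a Windows host with the BitLocker PowerShell module, that the OS volume is C:, and that the host is domain-joined for the Active Directory escrow step.

```powershell
# Added example: enumerate BitLocker key protectors and add a centrally
# escrowed recovery password alongside the user's existing protector.
# Assumptions: elevated session, BitLocker module present, OS volume at C:,
# domain-joined host for the AD DS backup step.

$MountPoint = "C:"

# List the protectors currently on the volume. Only the protector types and
# IDs are exposed; nothing here records which protector unlocked the drive.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Select-Object KeyProtectorId, KeyProtectorType

# Add a numerical recovery password protector that the organization holds,
# so the user's own password or TPM is not the single path to the data.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1).KeyProtectorId

# Escrow that recovery password in Active Directory so the volume can be
# recovered if the user is no longer available.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId

# Confirm the volume now carries both the user-facing protector and the
# organization's recovery password.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorId, KeyProtectorType
```

    The point of running the first and last enumerations is to make the non-repudiation gap visible: the protector list changes when you add the recovery password, but no property on the volume tells you which of the protectors was presented at boot, which is exactly why the comment concludes that the encryption password and the user's account password solve different problems.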

  • It's Yahweh's laws but the mythology has it provided by Moses in his sermons to the Israelites. As for Christians ignoring bits of it, part of that is based on sayings attributed to Jesus in the gospels (e.g. the bit from Mark I quoted above) and also the simple fact that most religions update themselves as society changes. If anything, I think the Catholic church was smart to have a leader who could receive "new revelations from God". It lets them update canon, while maintaining the illusion that they aren't just making shit up to stay relevant.

  • I would be surprised if they were borrowing ideas from other cultures in the area (and vice versa). The various peoples in Mesopotamia were interacting regularly; so, some back and forth of ideas is to be expected. Though as a law code, Deuteronomy seems like it would be more home grown.