🌪️ Our CEO @nrathaus had an engaging chat with our keynote speaker @yarden_shafir. They covered starting out in cybersecurity, tips for beginners, and future trends in the industry.

Watch now at: https://youtu.be/b51Ptn5K79U

Happy to announce @hyperdbg v0.10! 🎉🎊✨

This version comes with numerous bug fixes and stability improvements, plus new features like running assembly code directly in the events (VMX root-mode) and two new commands.

Check out the latest version: https://github.com/HyperDbg/HyperDbg/releases

For more information,

Assembly codes in conditions:
- https://docs.hyperdbg.org/using-hyperdbg/prerequisites/how-to-create-a-condition

Assembly codes in code sections:
- https://docs.hyperdbg.org/using-hyperdbg/prerequisites/how-to-create-an-action

Assemble virtual address:
- https://docs.hyperdbg.org/commands/debugging-commands/a

Assemble physical address:
- https://docs.hyperdbg.org/commands/extension-commands/a

On the ​ there is a narrative whereby a Cobalt Strike¹ update "forced" #CrowdStrike to push out an update which caused the Falcon crash² .

Inevitably the usual crowd came out and we have statements such as:

> So, it’s Cobalt Strike’s success and popularity with threat actors that prompted CrowdStrike to rush out a signature for their agents, resulting in crashes on thousands of systems.
>
> Can someone add this to the balance sheet of damage caused by popular C2 frameworks?³

We therefore justify the complete lack of QA by blaming a C2 framework from a commercial company which, as many others, is used by baddies too.

The best bit is that Florian had to tell people it was said in jest (follow-up xeet) but… too late. He was quoting a xeet by Constantin Raiu but it was taken seriously.

We have just given #CrowdStrike something to blame in their narrative: "we were doing it to save the world from Cobalt Strike, they should not be allowed to exist!"

​

__
¹ https://www.cobaltstrike.com
² https://x.com/craiu/status/1814566308056318381
³ https://x.com/cyb3rops/status/1814944503498678678

A #CrowdSstrike offensive summary (update):

* we know Flacon updates are not verified prior to being enabled
* we know that they don't do staged updates
* we know a lot of large customer names
* we know the DR plans (or lack thereof) of said large customers
* we know the systemic reactivity

Learned opinion: it does not look good.

For those involved with the darker side of cybersecurity this is a monstrously useful set of data points.

It's quite funny that in the midst of the crowdstrike thing yesterday, someone tweeted - afaict as a shitpost - that Southwest Airlines were unaffected due to running windows 3.1. Then digitaltrends published that claim using the tweet as a source, and are now being quoted themselves as a source.

AFAICT, it's entirely bollocks. Same with the claim they still run Windows 95, that's from the same lazy digitaltrends article, misquoting another misquote from 2 years ago.

Another nice thing on X is you can see Marc Andreessen complaining that the current US gov is adversial to blockchain and "AI", and "currently proposing a tax on unrealized capital gains, which would absolutely kill both startups and the venture capital industry that funds them".

I mean, shut up and take my vote?

https://x.com/pmarca/status/1809340920287916286

I actually find community notes a nice feature of X.

Customizing your BSOD by @yarden_shafir :)

https://threadreaderapp.com/thread/1814733681849667734.html

@taviso dissecting one of the #CrowdStrike analyses(? English is hard):

https://threadreaderapp.com/thread/1814762302337654829.html

After 4 days of works, I have a working #Xen 4.2.5 running #NetBSD 6.1.5 as dom0 on i386.

I am able to confirm that #NetBSD 10 and #Linux 4.13 are able to run as domU PV.

The journey was very long:
#pkgsrc 2018Q3 provided a lot of help and sometime tiny annoyances.
I had to build 3 compilers: gcc 4.4, gcc 4.8 and gcc 6.4.
I had to downgrade #ocaml to version 4.00.1, rewriting xentools42 Makefile to use my downgrade and kill xen' ocaml binding (because file not found in pkg install).
I had to force some version of GCC to build some packages - pkgsrc helped there.

Recent version of Linux doesn't seem to boot, the ramdisk/initrd for old Linux is broken, the xm stack seem more broken than the xl stack.

But I was able to run 2 domU PV on i386!

#crowdstrike T&Cs¹, paragraph 8.6 (HT: @JdeBP ), as usual the bit in caps is the best one:

TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE OFFERINGS AND CROWDSTRIKE TOOLS. THERE IS NO WARRANTY THAT THE OFFERINGS OR CROWDSTRIKE TOOLS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS. THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE.

So very sorry for airports, airlines, hospitals and many other victims covered by the above… it says you shouldn't have used it even if we sold it to you.

​

__
¹ https://www.crowdstrike.com/terms-conditions/

Some absolute legend figured iut how to automate the Crowdstrike fix with a combo of WinPE and PXE

https://www.reddit.com/r/sysadmin/s/6TgvK8idNN

This seems like a legit analysis of the #CrowdStrike crash woth samples and without politics or conspiracy theories (that appear to be rampant on X...):

https://threadreaderapp.com/thread/1814343502886477857.html

Need some more info to manage your calendar?

r2con2024 will happen in Barcelona on November 8, 9.

There will be two days of competitions, workshops and presentations. Get ready to share knowledge and have fun with friends!

We can’t spoil the location yet, so stay tuned for further updates!

Concerning CrowdStrike:

We are now at t+26h. Please compare how much we knew about the xz-attack after less than a day with what we know about the chain of events of giant outage yesterday.

If something similar had been caused by an OSS component, we would see congress discussing a ban on open software in critical infrastructure already.

As a manager, one of the most valuable things you can do is to model asking "dumb" questions—that is, questions that show ignorance about things you "should" know.

"Better to remain silent and be thought a fool than to speak and remove all doubt" may be all well and good in a social context, but in a professional context you have to be willing to ask questions that unlock information you need—even if you feel self-conscious about your current ignorance.

good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products.

it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS?

The #CrowdStrike thing looks like a major testing fuckup, that shouldn't have happened.

On the other hand we know that relevant .sys artifacts are DRM'd and user-specific.

I wouldn't be surprised if the issue was related to DRM, at least in the sense that full, DRM-enabled end-to-end testing was not implemented and/or some DRM-introduced bug.

The ambulance chasing by some companies (of which I used to work at) over the crowdstrike issue is disgusting.

In an unexpected turn of events, a sensible take on #Crowdstrike from the Orange Site.

Source: https://news.ycombinator.com/item?id=41004184