Posts


malwaretech, to random
@malwaretech@infosec.exchange

This is absolutely crazy stuff. Chinese hackers were able to get into a bunch of government email accounts by forging Microsoft access tokens, but how it happened is wild.

Apparently an internal Microsoft system responsible for signing consumer access tokens crashed, then a bug in the crash dump generator caused the secret key to be written to the crash dump. Microsoft's secondary system for detecting sensitive data in crash dumps also failed, allowing the crash dump to be moved from an isolated network to the corporate one. The Chinese hackers compromised a Microsoft engineer's account and were able to get a hold of the crash dump. They were not only able to find the key and figure out that it's responsible for signing consumer access tokens, but were also able to exploit a software bug to use it to sign enterprise access tokens too, basically giving them the keys to the kingdom.

So many security systems had to fail for this to happen. Either the hackers were very lucky or extremely patient.

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

edwiebe,
@edwiebe@mstdn.ca

@malwaretech If it’s Microsoft I think assuming they made a mistake is a safe bet.

vathpela,
@vathpela@better.boston

@malwaretech sigh. I've wanted to do this in Linux for years, but I've got a different job, and nobody really likes being given ideas. Basically it's just an mprotect() flag to mark stuff as not dumpable, not mappable from /proc (or map-on-read zero pages), and show the flag in /proc/pid/maps.
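
Linux already exposes a per-mapping mechanism close to the one described in this reply: madvise(MADV_DONTDUMP) excludes a region from core dumps, and the kernel reports it as the "dd" flag on that mapping's VmFlags line in /proc/pid/smaps. The following is an added example (not code from anyone in this thread) that reserves a page for key material, marks it non-dumpable, and reads the flag back from smaps; the function names are my own.

```c
#define _GNU_SOURCE            /* for MADV_DONTDUMP and explicit_bzero */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Map an anonymous region for key material, keep it out of swap (best effort)
 * and ask the kernel to omit it from core dumps. Returns NULL on failure. */
void *secret_page_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    mlock(p, len);                  /* may fail under RLIMIT_MEMLOCK; not fatal */
    if (madvise(p, len, MADV_DONTDUMP) != 0) { munmap(p, len); return NULL; }
    return p;
}

/* Wipe before unmapping; explicit_bzero is not optimised away like memset. */
void secret_page_free(void *p, size_t len) {
    if (!p) return;
    explicit_bzero(p, len);
    munmap(p, len);
}

/* Read back what the kernel recorded: locate the mapping containing addr in
 * /proc/self/smaps and look for the "dd" (don't dump) flag on its VmFlags line.
 * Returns 1 if excluded from dumps, 0 if it would be dumped, -1 on error. */
int mapping_is_dontdump(const void *addr) {
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f) return -1;
    char line[512];
    unsigned long lo, hi;
    uintptr_t a = (uintptr_t)addr;
    int in_range = 0, result = -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx ", &lo, &hi) == 2)    /* "start-end perms ..." */
            in_range = (a >= lo && a < hi);
        else if (in_range && strncmp(line, "VmFlags:", 8) == 0) {
            result = strstr(line, " dd") != NULL;
            break;
        }
    }
    fclose(f);
    return result;
}
```

From a main of your own, mapping_is_dontdump() returns 1 for the page from secret_page_alloc() and 0 for an ordinary mmap'd page; this only keeps the bytes out of the dump, it does not stop the process from copying them elsewhere.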

malwaretech, to random
@malwaretech@infosec.exchange

For anyone unaware, Google Chrome is currently rolling out an update that tracks your interests based on browsing history, then shares them with 3rd party websites. The notification page makes it sound like they added a new privacy feature, but in actuality they automatically enrolled you into their tracking system and you have to go and manually opt out.

486,
@486@kbin.social

@malwaretech I'm the last person to recommend using Google Chrome, but that new topics feature isn't actually as bad as you might think. As far as I can tell, Google actually really tried to make it as privacy preserving as possible. Steve Gibson did a very thorough explanation of what it does and how it works on a recent episode of the Security Now podcast. It is worth a listen.

malwaretech, to random
@malwaretech@infosec.exchange

Something I'd never seen before but isn't super uncommon in SoCal is this plankton that glows neon blue when disturbed. It causes the ocean to glow in the dark and is completely safe to swim in.
https://www.instagram.com/p/Cwp7CpjJhey/

malwaretech, to random
@malwaretech@infosec.exchange

Also, FWIW, things make a lot more sense when you stop looking at police as the solution to crime and start looking at them as the solution to rehabilitating individual criminals. If you want to address the problem you have to address the underlying societal causes. Not a single police officer I've spoken to even thinks that playing whack-a-mole with criminals is going to solve crime. ISPs censoring Nazi websites do far more to protect society than infinite policing (especially when being a nazi isn't even illegal). If you're going to knock the censorship, then pitch a better solution than "more cops lol".

jlo,
@jlo@natter.social

@malwaretech ISPs should be a dumb pipe. Go after the HOSTING companies that host the content.

Why people are willing to go down the slippery slope of an ISP deciding which website you can visit is wild to me.

malwaretech,
@malwaretech@infosec.exchange

@jlo As opposed to the extra-safe grippy hiking boots non slip slope of openly promoting Nazi ideology 😆​

malwaretech, to random
@malwaretech@infosec.exchange

This article from the EFF seems naive at best. They argue that Tier 1 ISPs should not police speech, which is fair, but their proposed solution is to just let hate sites sit around and radicalize people, then have the law deal with the few who cross the line between protected speech and criminal harassment.

Below is an extensive list of all the times 'just throw more cops at the problem' has solved anything:

  1. literally not once ever.
  2. See 1.

https://www.eff.org/deeplinks/2023/08/isps-should-not-police-online-speech-no-matter-how-awful-it


malwaretech,
@malwaretech@infosec.exchange

@z3r0fox there are none, hence the post.

HarkMahlberg,
@HarkMahlberg@kbin.social

@malwaretech For the sake of playing devil's advocate, I'm curious to know what the "decent privacy angle" would be.

malwaretech, to random
@malwaretech@infosec.exchange

Would love to know the rationale behind posting travel content = becoming a Republican. 😆

gsuberland,
@gsuberland@chaos.social

@malwaretech I could understand someone criticising taking an excessive number of flights, but this is definitely weird.

NorCal_Lynne,
@NorCal_Lynne@mstdn.social

@malwaretech I am not someone who could fly in the same seats as you on a plane; however, your original post was simply stating a fact about two different airlines. Sorry you're getting people making value judgments about the person you are, it’s ridiculous.

malwaretech, to random
@malwaretech@infosec.exchange

I’m not sure if I’m out of touch or not, but I do find the idea of someone standing up for people who can also afford to fly on the same plane but in less nice chairs to be extremely funny. More than 3/4 of people have never been on a plane at all, but it’s important we stay focused on the real issue: the wealth disparity between the different airplane seat classes.

teknogrot,
@teknogrot@infosec.exchange

@malwaretech maybe a little bit. These things are all relative to your own experience, and I know that after the first time I saw these chairs available on a transatlantic flight I checked the prices out of curiosity. The moment of "huh, I could maybe afford that" was me realising I'd crossed an economic boundary of some form.

malwaretech, to random
@malwaretech@infosec.exchange

I see a lot of confusion around this due to the fact that "cyber attack" gets used as an all-encompassing term for any kind of hacking at all (when ideally it should be reserved for intentionally destructive acts).

Basically, from most nations' perspective, any kind of hacking for reconnaissance/intelligence gathering/data theft/whatever you want to call it, falls into the category of cyber-espionage, or cyber-enabled espionage. It's essentially treated similar to regular espionage (really annoying and definitely illegal, but not an act of war).

When countries talk about the possibility of invoking Article 5 in response to a cyber-attack, they don't mean cyber-espionage like stealing voter data, they mean an intentionally disruptive or destructive attack. Even something like accidentally taking offline a power grid while conducting espionage probably wouldn't meet the bar.

I think a lot of the confusion comes from people having a belief that cyber and kinetic attacks are fundamentally different, and thus responses must be in-kind. So if someone took offline your power grid with hacking instead of bombs, you can only respond with hacking instead of bombs. Not a lawyer, but as far as I'm aware this has never been a policy. Most of what I've seen is just official clarification of what's long been the case (we don't care if your attack uses hackers or bombs, you're getting clapped either way).

Nobody is actually insane enough to invoke Article 5 or any kind of kinetic response over basic cyber-espionage, because literally everyone is doing it and that would just be a direct escalation and also set the irreversible precedent of "you can bomb people for spying on you now". Which nobody wants.

malwaretech, to random
@malwaretech@infosec.exchange

Honestly the whole startup equity / tax stuff in the US makes my head spin. There's a really dumb situation where equity grants are considered income. So if a startup gave you $1m in stock, from the IRS' perspective, you just made $1m in income for the current tax year. You now have a tax bill of like $500k, but the startup is private so you can't sell the stock to obtain the money. Basically you have to somehow find $500k cash to pay your taxes or you're screwed. So in order to avoid this, there's these contracts where you don't technically own the stock until the company goes public, but that opens you up to the risk that if the contract isn't ironclad they can take back the stock, or do something shady like a debt or IP transfer to basically make your shares worthless.

jerry,
@jerry@infosec.exchange

@malwaretech this is where a CPA comes in handy. I don’t think this is correct, but there are many “but ifs” to consider

malwaretech, to random
@malwaretech@infosec.exchange

Can someone explain employee stock options to me? I recently encountered them for the first time, and my understanding is they're not equity. It's basically just a contract that says "you can buy some of our stock if you want". So the part I'm confused about is, why do I need stock options to buy the stock? Since startups are private and their only way to raise money is via outside investment, wouldn't they want people to buy their stock? Why do you need the options and can't just say, phone up and just ask to buy shares?

nils_ballmann,
@nils_ballmann@infosec.exchange
jerry,
@jerry@infosec.exchange

@nils_ballmann @malwaretech I can’t really complain at how things turned out, though.
