News recap

Jul. 13th, 2017 01:05 pm
[personal profile] jack
Unfortunately, I often lose track of events when they're no longer headline news, even important ones.

I'd not realised how long the situation in eastern Ukraine had been going on :( But apparently, it's mostly in the same situation, with several large areas controlled by separatists backed by Russia, with continued fighting but not a lot of movement in lines of control.

Everyone condemned Russia and instituted sanctions, but it doesn't seem to have made much difference :( I guess eventually, the current situation will be formalised. Unless someone offers military aid to Ukraine which might even be worse, more proxy (or not proxy) wars :(

I think I sort of knew that, but I wasn't really sure.

I looked this up while checking what happened under NotPetya, the malware that used the same exploit as WannaCry, but also sought administrator privileges on networks to spread throughout organisations. It seems it didn't go globally apocalyptic as it temporarily seemed it might. But was pretty bad in Ukraine. It was initially spread when a commercial accounting package widely used in Ukraine was hacked to include it in a software update.

That's scary in two ways. One, it was targeted at Ukraine in several ways. It superficially presented itself as ransomware, but actually just did damage, the "accept money and decrypt" stuff was half-arsed.

Secondly, most people don't have a good defence against a legitimate software update. Imagine if Chrome were hacked, or Windows! That's hopefully not likely, but if it were possible, and someone used a new exploit to subvert their software updates directly instead of spreading indiscriminately first, it could infect *incredibly* widely.

Date: 2017-07-13 01:24 pm (UTC)
From: [personal profile] mtbc
At work I've been trying to get us to GPG-sign our list of hashes of downloadable artifacts but I'm not holding my breath for either our getting around to it or any users ever checking.

Date: 2017-07-15 06:22 pm (UTC)
From: [personal profile] andrewducker
There really ought to be a standard for associating downloads with hashes.

(Of course if someone can intercept downloads from your site they can probably intercept the hashes too. Hmm. This actually sounds like something where a blockchain might actually be useful!)
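The two comments above (signing a list of artifact hashes, and the worry that whoever can tamper with the download can tamper with the hashes too) fit together in one small verifier. The following Go program is an added example, not code from the post or from either commenter, and it uses Ed25519 rather than GPG because Go's standard library has it built in; the artifact bytes, the file name and the keypair are all constructed in the program. The point it shows is that a plain hash list only detects corruption, while a hash list plus a signature checked against a key the user obtained out of band (pinned in the client, printed in the docs) also detects an attacker who rewrites the hash list to match a trojaned file, which is the update-compromise scenario the main post worries about.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Artifact is a downloadable file: its name and its bytes. Here the bytes are
// constructed in memory rather than read from disk.
type Artifact struct {
	Name string
	Data []byte
}

// BuildManifest produces a sha256sum-style list, one "<hex digest>  <name>" line per artifact.
func BuildManifest(arts []Artifact) []byte {
	var b strings.Builder
	for _, a := range arts {
		sum := sha256.Sum256(a.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), a.Name)
	}
	return []byte(b.String())
}

// SignManifest is the publisher side: a detached Ed25519 signature over the manifest bytes.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyDownload is the user side. pinnedPub must come from somewhere other
// than the download site itself; if key, manifest and signature are all
// fetched from the same place, an attacker controlling that place can replace
// all three together and the check proves nothing.
func VerifyDownload(pinnedPub ed25519.PublicKey, manifest, sig []byte, art Artifact) error {
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return errors.New("manifest signature invalid: manifest or signature was altered")
	}
	want, ok := lookupHash(manifest, art.Name)
	if !ok {
		return fmt.Errorf("%s is not listed in the signed manifest", art.Name)
	}
	got := sha256.Sum256(art.Data)
	if !bytes.Equal(want, got[:]) {
		return fmt.Errorf("%s: hash mismatch, artifact was altered", art.Name)
	}
	return nil
}

// lookupHash finds the expected digest for name in a manifest built by BuildManifest.
func lookupHash(manifest []byte, name string) ([]byte, bool) {
	for _, line := range strings.Split(string(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			h, err := hex.DecodeString(fields[0])
			return h, err == nil
		}
	}
	return nil, false
}

// Scenario runs three cases and reports whether the verifier gets each right:
// a genuine download, a trojaned artifact with the original manifest, and a
// trojaned artifact whose attacker also rewrote the manifest to match it.
func Scenario() (genuineOK, tamperedArtifactRejected, rewrittenManifestRejected bool) {
	// Constructed demo keypair; a real publisher's key is long-lived and
	// distributed to users out of band.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	arts := []Artifact{{Name: "tool-1.0.tar.gz", Data: []byte("constructed release bytes")}}
	manifest := BuildManifest(arts)
	sig := SignManifest(priv, manifest)

	genuineOK = VerifyDownload(pub, manifest, sig, arts[0]) == nil

	evil := Artifact{Name: arts[0].Name, Data: []byte("constructed trojaned bytes")}
	tamperedArtifactRejected = VerifyDownload(pub, manifest, sig, evil) != nil

	// The attacker re-hashes the trojaned file and swaps in a matching hash
	// list, but cannot sign it without the publisher's private key.
	evilManifest := BuildManifest([]Artifact{evil})
	rewrittenManifestRejected = VerifyDownload(pub, evilManifest, sig, evil) != nil
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("genuine accepted:", a, "| tampered artifact rejected:", b, "| rewritten manifest rejected:", c)
}
```

Running it prints `true` for all three cases. The design choice worth noting is the one behind the "they can intercept the hashes too" objection: the manifest and signature may travel with the download, but the public key must not, and the key is what a client has to pin.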

Date: 2017-07-15 09:28 pm (UTC)
From: [personal profile] andrewducker
What key would you put in an earlier version? A public one to match against the key used to sign the later version?