[ Politics ] Open Question : Are you getting sick of the media overhyping the coronavirus?

My brother is a physician and has told me the coronavirus isn’t all that serious. If you do get it, the chances of you dying are slim to none. It’s only the elderly and those with health issues that have a higher chance of dying. I think the media is using this opportunity to make Trump look bad. If Biden does get elected, I wouldn’t be surprised if the coronavirus all of a sudden isn’t an issue anymore.

Why do trolls’ posts keep getting promoted and upvoted while truth-saying posts are deleted?

Yesterday, I asked this question: How can Tutanota, ProtonMail and Hushmail all claim to provide privacy when they only allow privacy-incompatible payment options?

It’s now been "closed" as "off-topic", even though it couldn’t possibly be more on-topic. Anyway, that is something I’ve come to expect from Stack Exchange and is not the real point of this question.

What I don’t understand is why an (apparent) troll’s post, which lies about ProtonMail accepting Bitcoin, gets to stay, and is even upvoted, when the reply I posted, with a screenshot showing that ProtonMail does NOT support Bitcoin, was deleted. That post and screenshot are just entirely gone. Vanished. As if they were never posted at all.

ProtonMail does not support Bitcoin. Bitcoin is not an option to pick from when registering an account — only "pay card" and "PayPal". The fact that they allow Bitcoin payments after you have already compromised yourself by using their privacy-incompatible payment options is like saying:

Sure, you can have a cookie… but only after we’ve shot you in the head!

You get my point? It’s absurd of them to claim to support Bitcoin payments when they literally don’t. What point would there be to start using Bitcoin (and their .onion site, which just redirects to protonmail.com for the registration form) after you’ve already entered all your personal information and tied the account to your real-life identity? The same of course goes for PayPal (the less commented on them, the better).

This is not the first time I have seen this kind of behaviour on this site. It seems to be patrolled by people who violently defend companies’ lies and privacy violations, and censor anyone questioning them. I hope such is not the case, but considering how difficult it is to get an answer to anything these days, or even to have your question stay up and not get "closed" or deleted outright, it’s difficult to draw any other reasonable conclusion.

How does releasing exfiltrated data increase the chances of an attacker getting caught?

I’m reading an article from the Institute for Applied Network Security (IANS) titled "Ransomware 2.0: What It Is and What To Do About It", and there’s a piece I don’t understand. The article requires a subscription, but here’s the excerpt (emphasis mine):

[Attackers] typically threaten to release confidential data to the internet or dark web if the victim refuses to pay. This extortion tactic is fairly new and it is unclear whether it will become more prevalent. If it does, it is uncertain whether attackers will release the data they’ve exfiltrated (and even how much data they’ve exfiltrated in the first place). Obviously, the more data an attacker exfiltrates, the higher they raise their profile and the more likely they are to be caught before the encryption phase. Therefore, unlike attackers motivated by IP theft, Ransomware 2.0 attackers have an incentive to minimize their data exfiltration.

Why would attackers not follow through with the threat of releasing this data? Does exfiltrating more data give forensic scientists, network admins, and the like better insight into the anomalous and malicious behavior, and shouldn’t attackers sufficiently cover their tracks? If not, how is the attacker’s profile raised by the volume of exfiltrated data published?

Getting strange output on commands that used to work

I have used the following code before and it worked then but now it seems to default to the word Function, and some of the other commands are giving results like All when they used to work.

Would you help clarify what’s going on?

usaStateCases[s_] :=
  Select[data, MatchQ[Interpreter["USState"][s], First[#]] &][
    All, #ConfirmedCases["LastValue"] &] // Normal // First

usaStateDeaths[s_] :=
  Select[data, MatchQ[Interpreter["USState"][s], First[#]] &][
    All, #Deaths["LastValue"] &] // Normal // First

usaStateCases["California"]

This used to work, but now the output of the last line is Function.

TIA

What prevents a Fallen from getting way too many thralls?

Well, I have been reading the Demon: The Fallen corebook, and gaining a thrall seems like a relatively easy thing and quite useful for the demon, allowing them to boost their followers and, if they have thralls throughout the world, constantly gain faith. So what I wish to ask is: is there any limiting factor to how many thralls a demon can have?

Getting numerous HEAD requests by Java user agents to resources that require authentication to view within a web application. Should I block them?

I have recently started using Cloudflare’s firewall in front of a web application. This app has a limited user base of selected applicants and they must log in to view anything. There is no public registration form and nothing within the portal can be accessed without an account.

Since moving the DNS to Cloudflare I can see we are receiving numerous daily HEAD requests to paths that are only accessible within the portal.

These requests come from one of two groups of IP addresses from the United States (we are not a US-based company; our own hosting is based in AWS Ireland region and we’re pretty sure at least 99% of our users have never been US-based):

Java User Agents

  • User agent is Java/1.8.0_171 or some other minor update version.
  • The ASN is listed as Digital Ocean.
  • The IP addresses all seem to have had similar behaviour reported previously, almost all against WordPress sites. Note that we’re not using WordPress here.

Empty User Agent

  • No user agent string.
  • The ASN is listed as Amazon Web Services.
  • The IP addresses have very little reported activity and do not seem at all connected to the Java requests.

Other Notes

  • The resources being requested are dynamic URLs containing what are essentially order numbers. We generate new orders every day, and they are visible to everyone using the portal.
  • I was unable to find any of the URLs indexed by Google. They don’t seem to be publicly available anywhere. There is only one publicly accessible page of the site, which is indexed.
  • We have potentially identified one user who seems to have viewed all the pages that are showing up in the firewall logs (we know this because he shows up in our custom analytics for the web app itself). We have a working relationship with our users and we’re almost certain he’s not based in the US.

I am aware that a HEAD request in itself is nothing malicious and that browsers sometimes make HEAD requests. Does the Java user agent, or lack of a user agent in some cases, make this activity suspicious? I already block empty user agents and Java user agents through the firewall, although I think Cloudflare by default blocks Java as part of its browser integrity checks.

Questions

  1. Is there any reason why these might be legitimate requests that I shouldn’t block? The fact it’s a HEAD request from a Java user agent suggests no, right?

  2. One idea we had is that one of the users is sharing links to these internal URLs via some outside channel, to outsource work or something. Is it possible some kind of scraper or something has picked up these links and is spamming them now? As I say, I was unable to find them publicly indexed.

  3. Is it possible the user we think is connected has some sort of malware on their machine which is picking up their browser activity and then making those requests?

  4. Could the user have some sort of software that is completely innocent which would make Java based HEAD requests like this, based on their web browsing activity?

Any advice as to how I should continue this investigation? Or other thoughts about what these requests are?
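One way to move the investigation forward is to line the firewall records up against the portal’s own analytics. The Python below is an added example, not the asker’s code or Cloudflare’s; it assumes the fields the post mentions (ASN, user agent, method, path) exported as dicts, and a per-path "first viewed" timestamp for the suspected user. The records are constructed, not real traffic. It separates the Java and empty-UA groups, and for every HEAD checks whether that user had already opened the page before the probe arrived. If every probe comes after a view, the leaked-link hypotheses (questions 2 and 3) remain plausible; if any probe precedes the first view, the order-number URLs are being reached without that user, which points at the path space itself being predictable.

```python
"""Triage HEAD probes in edge firewall logs against in-app view analytics."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records (not real traffic), carrying the fields the question
# mentions: ASN, user agent, method, path. IPs are from documentation ranges.
FIREWALL_EVENTS = [
    {"ts": "2020-06-01T09:12:00Z", "ip": "198.51.100.7", "asn": "DigitalOcean",
     "ua": "Java/1.8.0_171", "method": "HEAD", "path": "/orders/10001", "status": 302},
    {"ts": "2020-06-01T09:12:03Z", "ip": "198.51.100.7", "asn": "DigitalOcean",
     "ua": "Java/1.8.0_171", "method": "HEAD", "path": "/orders/10002", "status": 302},
    {"ts": "2020-06-01T11:40:10Z", "ip": "203.0.113.44", "asn": "Amazon",
     "ua": "", "method": "HEAD", "path": "/orders/10001", "status": 302},
    {"ts": "2020-06-02T08:05:00Z", "ip": "198.51.100.9", "asn": "DigitalOcean",
     "ua": "Java/1.8.0_181", "method": "HEAD", "path": "/orders/10003", "status": 302},
    {"ts": "2020-06-02T08:30:00Z", "ip": "192.0.2.15", "asn": "Eircom",
     "ua": "Mozilla/5.0 (Windows NT 10.0; rv:77.0) Gecko/20100101 Firefox/77.0",
     "method": "GET", "path": "/orders/10003", "status": 200},
]

# Constructed view history from the application's own analytics:
# path -> first time the suspected user opened it while logged in.
USER_FIRST_VIEW = {
    "/orders/10001": "2020-06-01T08:55:00Z",
    "/orders/10002": "2020-06-01T08:57:00Z",
    "/orders/10003": "2020-06-02T08:30:00Z",  # opened AFTER the Java probe
}

JAVA_UA = re.compile(r"^Java/\d")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(event):
    """Client class from the user agent alone: the two groups in the question."""
    ua = event["ua"]
    if not ua:
        return "empty-ua"
    if JAVA_UA.match(ua):
        return "java-client"
    return "other"


def triage(events, user_first_view):
    """Per client class, count HEAD probes and record whether the suspected user
    had already opened the path (a link could have left his side), opened it
    only later, or never opened it."""
    groups = defaultdict(lambda: {"requests": 0, "paths": set(),
                                  "after_user_view": 0,
                                  "before_user_view": 0,
                                  "never_viewed": 0})
    for ev in events:
        if ev["method"] != "HEAD":
            continue
        g = groups[classify(ev)]
        g["requests"] += 1
        g["paths"].add(ev["path"])
        seen = user_first_view.get(ev["path"])
        if seen is None:
            g["never_viewed"] += 1
        elif parse_ts(ev["ts"]) >= parse_ts(seen):
            g["after_user_view"] += 1
        else:
            g["before_user_view"] += 1
    return {name: {**g, "paths": sorted(g["paths"])} for name, g in groups.items()}


def verdict(report):
    """Leaked links can explain the probes only if every probed path was
    opened by the user first; a probe that arrives earlier (or hits a path he
    never opened) reached the URL without him."""
    early = sum(g["before_user_view"] + g["never_viewed"] for g in report.values())
    return "probes-precede-user-views" if early else "consistent-with-leaked-links"


if __name__ == "__main__":
    rep = triage(FIREWALL_EVENTS, USER_FIRST_VIEW)
    for name, g in rep.items():
        print(name, g)
    print(verdict(rep))
```

In the constructed data the 302 responses show the login wall holding, so the edge block is a convenience rather than the fix; the result that matters is the one probe to /orders/10003 that lands 25 minutes before anyone opened it, which no leaked link can account for.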

Getting a "No subject alternative names present" exception when the CSR shows that the SANs are present

I am trying to set up SSL for gRPC, but no matter what I try I get a "No subject alternative names present" exception. I’ve verified the SANs are in the certificate signing request. The common name and also a SAN are the IP address. I am trying to connect using the IP address. The exception I get is:

Caused by: java.security.cert.CertificateException: No subject alternative names present
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:137)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)

The text of my csr follows:

sysadmin@rit5 san]$ openssl req -in my.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:1d:0c:80:ee:b3:20:06:df:6e:f1:04:e5:10:
                    54:5d:70:07:fd:68:25:33:12:37:73:98:45:8b:35:
                    ba:cf:9b:7c:63:82:0a:e2:16:0d:33:36:10:dd:b5:
                    f9:21:da:04:8c:18:15:77:e2:65:72:e8:c9:6e:01:
                    dc:47:48:53:ce:45:c9:a9:f1:9d:d0:0f:a7:cb:d5:
                    5b:55:eb:b4:38:cb:50:5d:51:c2:bb:65:f6:76:09:
                    76:8d:34:0a:c6:35:95:e3:0f:8f:71:be:73:22:78:
                    84:26:4f:5e:d3:6a:2c:69:b4:57:e1:fc:37:47:e6:
                    56:80:6c:bf:7a:97:78:20:17:22:d0:fc:c6:0c:17:
                    0b:dc:23:8f:0e:8a:cb:48:6d:a6:0c:ce:4b:24:54:
                    66:82:d0:29:dd:bf:5b:5f:cd:b8:f3:2f:3a:40:09:
                    cd:84:6c:2f:74:60:74:e2:3a:13:b9:2e:5c:df:39:
                    a3:47:07:96:5a:ed:be:14:71:42:58:6b:53:77:a2:
                    af:0a:6d:c3:57:ba:e0:95:ed:55:78:2f:21:cc:af:
                    95:e7:de:50:3d:7d:7e:29:4e:ed:bf:9e:14:36:0e:
                    71:a3:e4:79:03:12:cd:55:c3:77:00:0f:02:2d:d1:
                    e6:2f:a5:b0:3e:62:76:4e:bd:2a:33:56:76:8f:8d:
                    2f:b5
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:172.28.4.89, DNS:rit5.mycompany.com, DNS:rit5
    Signature Algorithm: sha512WithRSAEncryption
         17:18:63:dc:d9:84:90:da:de:b6:8e:82:ce:84:6a:a3:5d:11:
         87:37:2b:e7:56:6e:e5:ea:42:11:4c:8f:66:28:8b:44:4f:0a:
         b9:89:d9:67:86:f4:0f:8a:44:b8:b2:87:62:65:c2:9c:7a:08:
         bf:74:4a:b3:f4:35:82:45:50:7f:3f:ab:c4:97:60:59:99:8c:
         8e:8b:12:0f:3b:dd:2a:6d:a9:be:06:8a:70:e7:e6:08:22:57:
         89:e8:c0:86:f1:26:dc:23:08:aa:ab:2f:07:0d:0b:78:0b:3d:
         d9:ce:ac:92:32:80:81:18:25:17:d4:04:22:e2:f9:f2:96:b1:
         be:76:96:0c:70:39:cf:64:d3:7d:66:b9:f8:b5:20:18:17:66:
         a4:f8:26:a7:02:42:0e:9f:6f:1e:4c:19:1d:d5:19:7b:17:0c:
         64:45:34:d0:12:af:e1:8e:9d:e1:ce:84:49:54:87:78:c9:ba:
         10:f0:65:5b:0e:f4:4f:3f:91:de:cc:46:36:fa:45:ff:0d:7a:
         a4:c7:9b:b7:82:f6:b0:3b:c4:f3:9f:45:94:43:a8:ad:ae:e2:
         e2:a2:66:59:d1:5e:b2:ee:a6:55:90:27:4c:57:c8:04:4b:30:
         bd:02:bf:e5:3e:7c:b1:c6:0f:04:50:f5:96:76:37:bb:ed:7a:
         ba:3c:7c:07

The config file I used to create the CSR and key is here:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Austin
O = MYCOMPANY
OU = MYUNIT
CN = 172.28.4.89

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = 172.28.4.89
DNS.2 = rit5.mycompany.com
DNS.3 = rit5

To generate the CSR I used the following command:

openssl req -new -out my.csr -newkey rsa:2048 -nodes -sha512 -keyout my-private-key.pem -config ssl.ext 

To self-sign it I used the following command:

openssl x509 \
    -signkey my-private-key.pem \
    -in my.csr \
    -req -days 365 -out my-public-key-cert.pem

I’m at my wits’ end. Any help would be appreciated. The certificate is generated without the SANs:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c7:af:ad:c2:98:be:7b:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Validity
            Not Before: Jun  5 20:26:00 2020 GMT
            Not After : Jun  5 20:26:00 2021 GMT
        Subject: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:1d:0c:80:ee:b3:20:06:df:6e:f1:04:e5:10:
                    54:5d:70:07:fd:68:25:33:12:37:73:98:45:8b:35:
                    ba:cf:9b:7c:63:82:0a:e2:16:0d:33:36:10:dd:b5:
                    f9:21:da:04:8c:18:15:77:e2:65:72:e8:c9:6e:01:
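Two separate things go wrong in the commands above, and the "Version: 1" in the certificate dump is the tell for the first. `openssl x509 -req` does not carry request extensions over into the certificate unless it is told where to find them (`-extfile ssl.ext -extensions v3_req`), so the self-signed certificate has no SAN at all and Java reports "No subject alternative names present". Once that is fixed there is a second problem: when you connect by IP address, Java’s HostnameChecker.matchIP() matches only against iPAddress-type SAN entries, so the address has to be listed as `IP.1 = 172.28.4.89`, not `DNS.1`. The Python script below is an added example, not the asker’s code; it drives the openssl CLI (assumed to be on PATH) in a temporary directory with a config mirroring ssl.ext but using an IP entry, signs the same CSR once the original way and once with the extension file, and reads back the Subject Alternative Name line from each result.

```python
"""Reproduce the missing-SAN problem and its fix by driving the openssl CLI."""
import os
import re
import subprocess
import tempfile

IP = "172.28.4.89"                    # address from the question
DNS_NAMES = ["rit5.mycompany.com", "rit5"]


def write_config(path, ip, dns_names):
    """Same layout as the question's ssl.ext, except the IP goes into IP.1:
    Java's HostnameChecker.matchIP() only consults iPAddress SAN entries."""
    dns_lines = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(dns_names, 1))
    cfg = f"""[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Austin
O = MYCOMPANY
OU = MYUNIT
CN = {ip}

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = {ip}
{dns_lines}
"""
    with open(path, "w") as f:
        f.write(cfg)


def run(*args):
    # Assumption: the openssl binary is on PATH.
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def make_csr(workdir, cfg):
    key = os.path.join(workdir, "my-private-key.pem")
    csr = os.path.join(workdir, "my.csr")
    run("openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha512",
        "-keyout", key, "-out", csr, "-config", cfg)
    return key, csr


def self_sign(workdir, key, csr, cfg=None):
    """Sign the CSR. Without -extfile/-extensions, x509 -req ignores every
    extension in the request and emits a v1 certificate (the question's bug)."""
    cert = os.path.join(workdir, "my-public-key-cert.pem")
    args = ["openssl", "x509", "-req", "-in", csr, "-signkey", key,
            "-days", "365", "-out", cert]
    if cfg:
        args += ["-extfile", cfg, "-extensions", "v3_req"]
    run(*args)
    return cert


def san_line(cert):
    """The SAN line from `openssl x509 -text`, or '' if the cert has none."""
    text = run("openssl", "x509", "-in", cert, "-noout", "-text")
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    return m.group(1).strip() if m else ""


def demo():
    """Return (SAN line of the cert signed the original way, SAN line with the fix)."""
    with tempfile.TemporaryDirectory() as wd:
        cfg = os.path.join(wd, "ssl.ext")
        write_config(cfg, IP, DNS_NAMES)
        key, csr = make_csr(wd, cfg)
        broken = san_line(self_sign(wd, key, csr))
        fixed = san_line(self_sign(wd, key, csr, cfg))
        return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("without -extfile:", repr(broken))
    print("with -extfile   :", repr(fixed))
```

On the real host the equivalent check is `openssl x509 -in my-public-key-cert.pem -noout -text`: the fixed certificate shows "Version: 3" and an `IP Address:172.28.4.89` entry under Subject Alternative Name, which is the entry matchIP() is looking for.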

Mysql, Getting all rows in which field ends in a specific character, and another field exists that is the same but doesn’t end in that character

I need to get all rows which end in a specific character, P for example, but in which a similar key sans the P exists. I have no idea how to approach this one in MySQL.

This is a very small example; my actual data is huge, with other columns as well.

+------------+
|    key     |
+------------+
| value_100  |
| value_100P |
| value_101  |
| value_101  |
| value_102  |
| value_102P |
| value_103P |
| value_104P |
+------------+

The query would output:

+------------+
|    key     |
+------------+
| value_100P |
| value_102P |
+------------+
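The rule is "keep a row whose key ends in P when stripping that P yields a key that also exists", which is a self-referencing EXISTS (or self-join) on the trimmed key. The block below is an added example, not from the asker: it runs that query over the rows from the question in an in-memory SQLite database so it is self-contained, and cross-checks it against the same rule in plain Python. The SQL uses only SUBSTR and LENGTH, which MySQL supports with the same results for single-byte suffixes on ASCII keys; in MySQL quote the column as `key` with backticks (it is a reserved word) instead of the double quotes SQLite accepts, and bind the suffix as an ordinary placeholder.

```python
"""Find keys that end in a suffix and whose un-suffixed twin also exists."""
import sqlite3

# Constructed copy of the rows from the question.
ROWS = ["value_100", "value_100P", "value_101", "value_101",
        "value_102", "value_102P", "value_103P", "value_104P"]

# For each suffixed row, look for another row whose key equals the suffixed
# key with its last character removed. SUBSTR(x, -1) is the last character in
# both SQLite and MySQL; in MySQL write `key` with backticks instead of "key".
QUERY = """
SELECT DISTINCT p."key"
FROM items AS p
WHERE SUBSTR(p."key", -1) = :suffix
  AND EXISTS (
        SELECT 1 FROM items AS b
        WHERE b."key" = SUBSTR(p."key", 1, LENGTH(p."key") - 1)
      )
ORDER BY p."key"
"""


def find_suffixed_with_base(rows, suffix="P"):
    """Load the rows into an in-memory SQLite table and run QUERY against it."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE items ("key" TEXT NOT NULL)')
    conn.executemany("INSERT INTO items VALUES (?)", [(r,) for r in rows])
    found = [row[0] for row in conn.execute(QUERY, {"suffix": suffix})]
    conn.close()
    return found


def find_suffixed_with_base_py(rows, suffix="P"):
    """The same rule in plain Python, as a cross-check for the SQL."""
    keys = set(rows)
    return sorted(k for k in keys if k.endswith(suffix) and k[:-len(suffix)] in keys)


if __name__ == "__main__":
    print(find_suffixed_with_base(ROWS))   # ['value_100P', 'value_102P']
```

DISTINCT (and EXISTS rather than a plain join) keeps the output to one row per suffixed key even when the base key is duplicated, as value_101 is in the sample.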

How to quickly find out the threat nature of a password-protected archive without getting infected?

I have recently received an e-mail from an existing support group e-mail box with the following characteristics:

  • written in the language used at the company’s HQ (different from English, which is the primary communication language)
  • had a zip attachment
  • provides a clear password for the attachment
  • is a reply to a legitimate e-mail I received from a colleague a few months ago

This seems to be similar to what is described here, so there is a very high chance that I have received an infected file. A couple of hours later, our security department sent an e-mail about similar cases happening inside the company.

I am wondering how to find out the exact nature of the threat in a secure way. I have tried the following (only the first step inside the company, the rest within a VM):

  • checked on VirusTotal, but received 0% detection, which makes sense since the engines cannot scan the encrypted archive
  • checked with Nanoav, which boasts about scanning password-protected archives, but it does not allow entering the password
  • opened the archive with 7zip and saw a document inside
  • extracted the file using 7zip and uploaded the document to VirusTotal => 13+ engines detected something weird

Does previewing and extracting the archive pose any security risk, or is it only the document inside that can be infected? (In this case it seems to employ a macro.)

Question: How can I quickly find out what exactly the threat nature of a password-protected archive is, without getting infected?
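The steps in the post (list the archive, pull the document out, submit it) can be done without ever writing the document to disk or opening it in Word, which is where the macro would run. The Python below is an added example, not the asker’s code: it inventories the zip from memory, reads the member into a byte string (zipfile decrypts classic ZipCrypto archives when `pwd=` is given; AES-encrypted zips are not supported by it), hashes the bytes for a VirusTotal hash lookup, classifies the document by magic bytes, and flags the macro container (word/vbaProject.bin inside an OOXML zip, or a "VBA" storage name in a legacy OLE2 file, which is a heuristic). The attachment is a constructed stand-in built in memory; Python cannot write encrypted zips, so it is unencrypted and the `encrypted` flag reads False for it.

```python
"""Read-only triage of a zip attachment and the document inside it."""
import hashlib
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/...) is a zip
VBA_UTF16 = "VBA".encode("utf-16-le")             # OLE directory names are UTF-16LE


def list_archive(zip_bytes):
    """Inventory the archive from memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [{"name": zi.filename,
                 "size": zi.file_size,
                 "encrypted": bool(zi.flag_bits & 0x1),   # general-purpose flag bit 0
                 "compress_type": zi.compress_type}
                for zi in zf.infolist()]


def read_member(zip_bytes, name, password=None):
    """Return one member's bytes. zipfile decrypts classic ZipCrypto when pwd
    is given; AES-encrypted entries raise NotImplementedError instead."""
    pwd = password.encode() if password else None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=pwd)


def inspect_document(data):
    """Classify by magic bytes and look for a macro container. Static only:
    the document is never opened in its native application."""
    info = {"sha256": hashlib.sha256(data).hexdigest(),
            "format": "unknown", "macro_indicator": False}
    if data.startswith(OLE2_MAGIC):
        info["format"] = "ole2"
        info["macro_indicator"] = VBA_UTF16 in data       # heuristic: a "VBA" storage name
    elif data.startswith(ZIP_MAGIC):
        info["format"] = "ooxml-or-zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = [n.lower() for n in inner.namelist()]
            info["macro_indicator"] = any(n.endswith("vbaproject.bin") for n in names)
        except zipfile.BadZipFile:
            pass
    return info


def triage(zip_bytes, password=None):
    """Inventory plus per-member inspection, all in memory."""
    report = []
    for entry in list_archive(zip_bytes):
        if entry["name"].endswith("/"):
            continue  # directory entry, nothing to inspect
        entry.update(inspect_document(read_member(zip_bytes, entry["name"], password)))
        report.append(entry)
    return report


def build_sample():
    """Constructed stand-in for the attachment (not the real sample): a .docm
    with a vbaProject.bin placeholder, wrapped in an outer zip. zipfile cannot
    write encrypted archives, so this one carries no password."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not a VBA project
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docm", docm.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for entry in triage(build_sample()):
        print(entry)
```

The sha256 in the report is what to look up on VirusTotal before submitting anything, and the `.docm` plus `macro_indicator` pairing is the quick answer to "what is this": a macro-bearing Office document, which is inert until something parses and executes the VBA project.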