Episode Transcript
0:00
2.5 Admins Episode 180. I'm Joe. I'm
0:05
Jim. And I'm Alan. And here we are again. And
0:08
before we get started, you want to plug the BSDCan
0:10
2024 call for papers Alan. Yes,
0:13
BSDCan 2024 is happening
0:16
in the end of May. So it's May 31st to
0:18
June 1st, plus the two
0:21
days before that for tutorials if you're interested. But
0:24
looking for submissions until February
0:26
12th for talks about
0:29
BSD, networking, sysadmin, all
0:31
that kind of stuff. BSDCan is the
0:34
biggest, most fun conference of the year
0:36
on the BSD stuff. So definitely we're
0:38
checking out and looking
0:40
forward to a bunch of interesting talks. Right,
0:42
well, links in the show notes as usual. In
0:45
major gaffe, hacked Microsoft test
0:47
account was assigned admin privileges.
0:50
Somebody at Microsoft has got to
0:53
be feeling like the biggest prat
0:55
imaginable. Assuming they're actually still with
0:57
Microsoft. I don't
0:59
mean as in getting fired for this. I
1:01
mean, as in, you know, this was a
1:03
long dormant test account that was left the
1:06
network security equivalent of chmod 777, abandoned
1:08
in the closet to
1:10
rot. And, you know, attackers eventually
1:12
found it and they
1:15
had a really, really great day.
1:17
But when those kinds
1:19
of things get discovered frequently, the person
1:21
who made the mistake has
1:23
long been gone anyway, especially at a company like
1:26
Microsoft. Because, you know, if you work in the small
1:28
business world, you might be used to
1:30
thinking of, you know, a typical stint at a
1:33
company being anywhere from five
1:35
to 10 years. Enterprises
1:38
like Microsoft, yeah, you're averaging
1:40
frequently more like maybe
1:42
two to five. If you're not like
1:44
a rock star, kind of
1:46
the whole point of a lot of
1:48
modern software development practices, especially at enterprise
1:51
scale is to make sure that no
1:53
individual really much matters. So
1:55
you get more churn and the odds that the
1:58
person who did the bad thing is still around
2:00
to slap their pee pee in
2:02
the door for it, decreases. Yeah, and in
2:05
an update, it turns out that Microsoft
2:07
wasn't the only one hit by this.
2:10
While looking into it, Microsoft's security
2:12
team discovered that Hewlett-Packard Enterprise, or
2:14
HPE, had been hacked
2:17
back in May but didn't
2:19
discover it or contain it until December.
2:22
It seems this compromise was via
2:24
password spraying, so just guessing common
2:27
passwords for common usernames, and
2:29
managed to access a test account, which is
2:31
normally restricted to a limited number of accounts
2:33
with a low number of attempts, to
2:36
access each one. They reduced its
2:38
malicious activity by conducting these
2:40
attacks over distributed residential proxy
2:43
infrastructure, so using lots of
2:45
individual people's computers rather than all one
2:47
obviously Russian IP address. And
2:50
we've seen that before, including the SolarWinds supply chain
2:52
attack and so on. This
2:54
attack carried out by a group that Microsoft
2:57
has decided to call Midnight Blizzard?
3:01
By connecting to targets from IP addresses with
3:03
good reputations, and that weren't going to be
3:05
on a blacklist for having tried all these
3:08
passwords on all these different domains, they
3:10
managed to keep up the attack for longer. There's
3:13
no reason to doubt Microsoft when they say it
3:15
was a password spray attack. I mean, the thing
3:17
about password spray attacks are once you know you've
3:20
been attacked with one, it's not hard to confirm
3:22
in the logs, oh yeah. One
3:24
or possibly tons of different IP addresses were
3:26
trying to log into this particular set of
3:28
credentials with, you know, a whole string of
3:30
different passwords till one of them got in. But
3:33
I think that it's kind of interesting
3:36
and points again to just the systemic
3:38
level of this failure, that
3:41
the password spray attack worked on
3:43
the bogus abandoned ignored test account,
3:45
which tells you that somebody not
3:48
only created a test account with
3:50
massive overprivileges, they
3:54
used a stupid password for it
3:56
that was either reused elsewhere or
3:58
just so bloody obvious that you
4:00
know, a simple dictionary attack got it. And
4:02
I would bet that somebody probably reused
4:04
one of their favorite personal passwords. I'm
4:07
guessing they used one of the ones
4:09
off a very popular list of popular
4:11
passwords, because that's what you do with
4:13
test accounts, right? Let's be clear
4:15
here. If you have a favorite password
4:17
you like to use on lots of sites,
4:19
that password is almost certainly on those lists.
4:22
It does not take long for
4:24
some site to get hacked and
4:26
dumped. And your creds to end
4:28
up on those lists, which is why Alan and
4:30
I, you know, are always harping on folks, do
4:33
not reuse passwords. And
4:36
I get that there are some exceptions.
4:38
And there may be a site that comes along
4:40
that you're just like, Oh, I have to create
4:42
an account and I don't care. And if
4:46
you're sure you don't care, well,
4:48
you can consider the whole favorite
4:50
password thing understanding that what you're
4:52
essentially doing, it's like taping a
4:54
key to your front door, right
4:57
next to the lock, you should think of
4:59
it that way. And there may be circumstance
5:01
where you're like, Yeah, I literally don't care
5:03
to the point that I would rather like
5:05
have a key on a chain dangling from
5:07
a padlock, you know, just to let people
5:09
get through it. Sometimes that can be a
5:11
valid choice. But you should understand what you're
5:14
doing. If you do that, you're saying, I
5:16
don't give a crap about any security beyond
5:18
the absolute most trivial here. Because
5:20
I used a password that I've used other
5:22
places. Yeah, and that's the biggest thing there
5:25
is while you might not care about
5:27
the site you're signing up for right now using
5:29
the common password. Remember that that's the site
5:31
that's going to expose that common password and screw
5:33
you over on every other place you used it.
5:36
And that's why you don't use the same password. That's
5:39
an excellent point and worth enumerating
5:41
the value of a single site that
5:43
you use a favorite throwaway password on
5:46
may be next to nothing. But
5:48
at some point, you also have to
5:50
keep an eye on what is the
5:52
aggregate value of all the sites I've
5:55
used this common throwaway password on. Because
5:57
once an attacker starts password spraying, they're
5:59
not just going to get you on
6:01
one site, they're going to get you on
6:03
pretty much the whole pool that you've done
6:05
that on. It may take a little while,
6:08
but that's really what's at stake, is every
6:10
site you've used that password on. Yeah, like
6:12
in this case, we're talking about them using
6:15
these proxies to appear to come from a bunch of different
6:17
places. But if you're targeting someone
6:19
specifically, if you've got the dumps from 10
6:21
different websites that have got hacked, and if
6:23
you haven't counted 100 websites, at least 10
6:25
of those have been dumped somewhere, then
6:28
especially they can come and say, oh
6:30
look, this email address used these three
6:32
different passwords, and now
6:34
they can be like, okay, we're going to try
6:36
that email address with each of those three passwords
6:38
on all 100 of these sites and get into
6:40
lots and lots of them. And
6:42
then, especially if they can get into one of
6:45
those that's the linchpin of some others, right? If
6:47
they get your email address, then they can just
6:49
reset the password on all the other sites you're
6:51
in. Or in the case of
6:54
this Microsoft attack, the test user had access
6:56
to just read every person in the domain's
6:58
email account, so they could reset the password
7:00
of anybody they wanted, including deleting the password
7:02
reset email afterwards, so that it doesn't show
7:05
up in the other person's inbox. Or if
7:07
they have admin, they can write mail flow
7:09
rules and say, hey, if you get an
7:11
email from passwordreset at some site.com, forward it
7:13
to my inbox instead of theirs, so it
7:16
never arrives in theirs and they never get
7:18
a notification on their phone. And
7:20
then you've reset their passwords and you own their
7:22
entire account. So yeah, I
7:25
understand test accounts normally don't have
7:27
2FA, but if you're going
7:29
to give it like super global admin privileges, it's
7:31
not a test account. It's a super global admin
7:33
account. And if it is a test account,
7:35
it should probably have an expiration date. Almost all modern
7:38
systems have the ability to say, this account will stop
7:40
working after this long. And the
7:42
best way to not forget about the test account
7:44
is to set that date to be not very
7:46
far in the future. Because if it's just for
7:48
test, you can always extend the date after, you
7:52
can't go back and stop the account from working
7:54
when the Russians are using it. And
7:56
if it's just for test, if it's
7:58
on the public internet, you still can't
8:01
give it a stupid password. Yes. It's
8:03
one thing to very temporarily set up
8:05
an account on, you know, a trusted
8:07
local network that is only accessible from
8:10
the trusted local network with a very
8:12
stupid password while you get things worked
8:14
out, understanding that you're going to fix
8:16
that before you go in production with
8:18
it. But you can't even
8:21
do that much if like your test
8:23
environment is publicly accessible from the internet.
8:25
Like, that's the show. You
8:28
can't screw around if you're putting
8:30
things out there on the public internet for
8:32
literally the entire world to touch and poke
8:34
and prod at. No stupid
8:36
passwords, 2FA or not. You
8:39
can't do that. You just can't. Yeah.
8:41
And basically, if you're leaving anything that the temporary
8:43
password like that, you're just, you've set
8:45
a trap for yourself. And
8:48
you're gonna feel the bite of
8:50
that bear trap sooner or later. So just don't.
8:53
Use unique passwords, even on
8:55
the test accounts. Pixel phones
8:57
are broken again with critical storage
8:59
permission bug. This is
9:02
unbelievable that Google has allowed this
9:04
to happen again. Is it? Is
9:06
it really? Is it that unbelievable? In
9:09
2024 that a massive
9:12
corporation released crappy code and a crappy fix
9:14
that didn't fix the thing? Because I'm not
9:16
finding it that hard to believe. Yeah, it
9:18
sounds like just another day. Yeah, we live
9:20
in a world where everybody is connected to
9:22
everything at all times, which means you never
9:24
need to get it right. Fuck
9:26
it. Ship it out the door, make your manager happy,
9:28
make that deadline. Doesn't work. Well, you can
9:30
do it again a second time. It does
9:33
seem to be related to the last one
9:35
where people who had multiple profiles set up,
9:38
ended up being locked out of their
9:40
phone potentially completely. Some people in bootloops.
9:43
It very much appears to just be the
9:45
same bug that was not completely fixed
9:47
the first time. We still
9:49
don't have all the information about this bug
9:52
because essentially if we did, then it would
9:54
be fixed already and ain't fixed. For
9:57
end users, it basically boils down to if
9:59
you thought your problems were over, you
10:01
know, with multiple profile usage on Android. No,
10:03
they very much are not. And the recommendation
10:05
is still don't do that.
10:08
If you've got them and they're working
10:10
now, strongly consider disabling them because we're
10:12
still not sure exactly what triggers
10:15
the bug. But once you trigger
10:17
it, yeah, your phone is essentially
10:20
bricked. What's interesting this time is
10:22
that it was actually a Google Play system
10:24
update, which isn't
10:26
the OTA updates where you have to reboot
10:28
your phone and everything. This is just a
10:30
silent thing that happens in the background. Right.
10:33
Well, a lot of the reason that this
10:35
got moved into the Google Play updates
10:38
is because Google can
10:40
put stuff in that model and say, well, it's
10:42
not, you know, the open source part of Android
10:44
that we have to share with everybody. So
10:47
there has been a big push in
10:49
the last several years. Google has moved
10:51
more and more of the core functionality into
10:54
the Play system, which makes Android
10:56
without Google a lot less useful.
10:59
I mean, nobody from Google has reached out to
11:01
me and said, Hi, I'm a Google press representative.
11:03
And I want to let you know that the
11:05
reason we're doing this is to make core Android
11:07
less useful. So people are more dependent on the
11:09
proprietary Google Play services. But
11:11
I can't think of a whole lot of
11:13
other reasons for that either. I
11:16
think the one that I saw in the past, which
11:18
was part of the reason I got a Pixel phone,
11:21
was that my carrier would brand
11:23
and customize the OTA updates to
11:25
say their name and so on.
11:27
And so I always got the updates later
11:29
than everybody else, because my carrier took a long
11:32
time to do that. So having
11:34
come to the Play Store instead of as part of
11:36
the OS meant that I should get those security updates
11:39
without the carrier or, you know, if you
11:41
were buying a phone from a vendor who's
11:43
taking Google's thing and then customizing it, that
11:45
you're not having the same latency to get the updates
11:47
there. But I expect
11:50
the real reason is a lot closer to
11:52
what Jim was saying than just carriers are
11:54
slow. We're picking a different point
11:56
downstream of Google that Google is saying, No,
11:58
you don't get to have any control over this,
12:00
screw you. You use the thing the way we want you
12:02
to use it. The more charitable
12:05
interpretation is Alan's, where you're saying, oh, well,
12:07
Google wants to stop these OEMs from doing
12:09
crappy things that hurt end users, but
12:13
I doubt that Google has any
12:15
more love for folks like Salem
12:17
that are determinedly using F-Droid and
12:19
avoiding every Google branded everything they
12:22
possibly can on their Android device.
12:25
And I think Google is very
12:27
definitely not thrilled about most of
12:29
the Android, but not
12:31
really, things out there competing, like Amazon's
12:33
fire sticks and whatever, the more they
12:35
can make it to where you
12:38
don't actually get to just make your
12:40
own Android distribution, you either use Android
12:42
the way we want you to or
12:44
not, well, it's just, it's bringing control
12:47
back inside Google's walls, and I think
12:49
that's really ultimately what it comes down
12:51
to. I don't think Google sees
12:53
a lot of difference between the OEMs and you
12:55
as the end user, in either case, it's
12:58
somebody outside Google's control and they
13:01
don't like that. Well, in Amazon's case,
13:03
they've decided or not because they're moving away
13:05
from Android for their fire sticks now. Well,
13:08
because they've kind of had to because see
13:10
above. I mean, I don't think
13:12
Amazon was just chomping at the bit to
13:14
reinvent everything. I think they were quite happy
13:16
to just fork Android and like
13:18
most of the hard work is done. And we
13:21
all know here, that's what Open Source is all about,
13:23
right? But this very much looks
13:25
to me just like a classic case of Open
13:27
Source company decides, you know what? F
13:30
that Open Source stuff for the most part, it's inconvenient, it
13:32
gets in the way of making money the way that we
13:34
want to make money, and we're gonna do our best to
13:37
pick up our ball and go home. We
13:39
took the early adopter Open Source advantage
13:41
and everybody thinking that we were great,
13:44
remember the do no evil days? Oh,
13:46
it's Open Source, I can trust it.
13:48
And then you build the base and
13:50
then you start trying to abandon those
13:53
Open Source ideals. It's just another instance
13:55
of the attract extract cycle.
13:58
First you attract them, and you extract all the
14:00
good stuff, then you've destroyed the
14:02
value of the property, but you've extracted tons
14:05
of value, so you just spin up something
14:07
new that isn't tainted with your bad
14:09
PR and you do it all over again. The
14:12
other problem is Google's only kind of
14:14
statement on this so far is we're looking into
14:16
it, which doesn't give users much guidance on how
14:18
they should deal with this in the meantime, especially
14:20
if their phone doesn't work. There's
14:22
certain steps I should avoid taking to make sure
14:24
I'm gonna get all my stuff back, but also
14:26
what can I do in the meantime and still
14:28
have access to my phone? And
14:31
really trying to avoid the problem, but
14:33
trying to avoid the update doesn't help
14:36
since like Joe said, it's not an
14:38
OTA update, it's the Google Play system
14:40
updates, which happen pretty ironically or get mixed
14:42
in with all the other app updates that happen on a regular
14:44
basis without a reboot of the phone. Ron
14:46
Amadeo, who wrote the piece for Ars,
14:48
suggests not rebooting your phone if
14:51
you haven't done it for a while, which I
14:53
was tempted to do it just to try, but then I thought
14:55
actually no, I don't want a phone that's broken. Also
14:58
says disabling any extra profiles like
15:00
your work profile or any other multi-user features, sounds
15:02
like a good idea if you can manage that
15:05
and then he has a link to some instructions.
15:09
Okay, this episode is sponsored by
15:11
people who support us with PayPal
15:13
and Patreon. Go to 2.5admins.com for
15:15
details of how you can support
15:17
us too. 2.5admins is
15:20
part of the Late Night Linux family, which means that for
15:22
$10 a month on Patreon you
15:24
get access to an RSS feed that
15:26
contains all the Late Night Linux family
15:28
shows without adverts like this. There's
15:30
also an option to get just this show ad-free for
15:32
$5 a month if you prefer. Some
15:35
of the episodes are even released a day or
15:37
so early for Patreon supporters. So if
15:39
you like what we do and can
15:41
afford it, it would be great if
15:43
you could support us at 2.5admins.com/support. Ars
15:47
Technica used in malware campaign with
15:49
never before seen obfuscation. Now
15:51
I will say I think the never before
15:53
seen is a bit of a stretch, but
15:57
this was a really interesting attack. The
15:59
Long story short, Word is this was
16:01
one piece of a multi stage attack
16:03
that was clearly intended for very high
16:05
value targets, and the reason I say that is
16:08
because stage one of this attack was
16:10
seeded USB drives with malware
16:12
on them. But the malware on the
16:14
USB drive is unlikely to
16:17
get detected as such because it doesn't
16:19
do anything obviously bad. What it does
16:21
is it begins checking a URL, trying
16:23
to look for the stage two payload,
16:26
and the stage two payload is
16:28
base64 encoded inside HTTP
16:30
GET variables. Now in the case
16:32
of Ars Technica, the HTTP GET
16:35
variable was tacked on to a user
16:37
profile image of just a random user
16:39
profile. So this is not something that
16:42
anybody would see and even if they
16:44
didn't click into that user's profile, they
16:46
would see the image displaying just fine.
16:48
And even if they click the image
16:51
it would go through to the original
16:53
image hosted at Ars Technica again, just
16:55
fine. But because the
16:57
URL had an HTTP
17:00
GET variable, you know the kind where at the
17:02
end of http://mysite/
17:04
mypage you've got a question mark
17:06
and you see like variable1
17:08
equals thing1, ampersand, variable2 equals
17:10
thing2, ampersand, so on. Those
17:13
things are HTTP GET variables:
17:15
you have set variable1
17:17
to equal thing1, and so
17:19
on down the line. So what the
17:21
malware would do is it would fetch
17:23
this url from this page. I
17:26
don't mean follow the url, I mean
17:28
literally just grab the contents of the
17:30
link, and base64 encoded into
17:32
the HTTP GET variable is where
17:34
it actually needs to go to download
17:37
stage three of the payload, which is
17:39
the actual part that does the damage,
17:41
whether it's, you know, exfil or
17:43
providing a back door for the attacker
17:45
to come in later. that part we
17:47
don't know but stage three is where
17:50
the bad things really happen. So the
17:52
interesting thing here is this was very
17:54
difficult attack because the initial USB
17:56
seeded some thumb drives in the parking lot.
17:59
your Network detection is probably not going
18:01
to find malware on them because it's something
18:03
custom that does something quite innocuous. So it's
18:06
not going to get triggered off of known
18:08
signatures or off of known techniques. All the
18:10
thing is doing is fetching a web page.
18:13
The web page that it's fetching is
18:15
from a very well-known and well-respected site.
18:17
In this case, Ars Technica, the same
18:19
attackers, also used Vimeo for either the
18:22
same campaign or possibly another related one.
18:25
So now your high-value target –
18:27
and you know it's high value because you went to
18:29
all the time and effort to buy a bunch
18:31
of USB drives, load them up with malware,
18:33
and then seed them in parking lots. You
18:35
don't do that unless you're after somebody specific.
18:38
So your high-value target gets it, takes it to
18:41
work, plugs in the USB
18:43
drive, gets the malware on their computer
18:45
that looks innocuous so it doesn't get
18:47
detected. The innocuous appearing malware
18:49
goes to a user profile at
18:52
Ars Technica, which is not going
18:54
to show up as anything at
18:56
all strange by either automated or
18:58
live human Infosec Blue Teams. Then
19:01
it gets the base64 encoded URL from
19:03
those get variables and then finally goes
19:05
to the third site to get the
19:08
actual malicious payload. So I
19:10
thought this whole thing was pretty cool. It
19:12
was also interesting seeing the back and
19:15
forth in the comments section because it
19:17
was very clear that most people just
19:19
really aren't quite following through the logic of how
19:21
this would work and why you would do things
19:24
in this order. Hey Alan, you've
19:26
been around tech communities for a long time
19:28
and you've gone to a lot of IRL
19:30
meetups with people. Have you
19:32
ever, ever heard anyone else pronounce URL as
19:34
earl? No. Okay. Not
19:36
just me then. I've
19:38
heard lots of other ones pronounced
19:41
that it generally seems to be
19:43
a consequence of learning a word
19:45
by reading it and going long enough without
19:47
ever hearing another person say it that you've
19:49
just come up with your own pronunciation. And
19:52
it generally just means that the person has
19:55
learned by reading, which is not a bad thing. Also
19:57
In this case, it's a person who is well
19:59
aware that most people say U-R-L, but it's
20:01
like, screw that, one syllable. This is a thing
20:03
that I have to talk about a lot. It's
20:05
an earl. Get used to it.
20:08
To Jim's point of dispelling those misconceptions, the
20:11
researchers were clear to point
20:13
out that just looking at this
20:15
image isn't going to hurt you. It's just
20:17
that the URL for the image
20:19
has some information encoded in it, that something
20:22
that's actively looking for that information can use
20:24
to know where I'm hiding the next step.
20:26
So it basically allows them to hide the shortcut
20:29
to their command and control system
20:31
or to their payload somewhere innocuous, or
20:33
they can even go in and edit it
20:35
and nobody seems to notice. Nobody notices
20:37
that the URL
20:39
of their profile picture on the Ars
20:41
Technica forum changed, but that URL
20:44
is actually providing instructions to all the
20:46
infected machines on where to go get
20:48
the next stage of the payload.
20:51
Like it said in the article, there
20:53
was another one where basically in the
20:55
description of a video on Vimeo, further
20:57
down in the part you'd have to scroll
20:59
to see, there's just one of these
21:01
strings of gobbledygook in the description. So
21:03
the malware just goes to Vimeo to
21:06
that one video and looks at the
21:08
description, and oh, there's the URL
21:10
to go get the secret next
21:12
payload. And we've seen other versions of
21:14
this that were called fast flux, where
21:16
they would do something like this with
21:18
algorithms that would generate some
21:21
random letters based on something like a date,
21:23
and so they would go and
21:25
register domains, knowing that in two
21:27
weeks from now this malware will tick
21:29
over to that date and will go
21:31
to this domain to get the next
21:33
bit. And the other interesting thing about this is
21:35
you don't have to bother registering the
21:37
domain. It also sounds pretty interesting because
21:39
the head moderator over at the
21:41
Ars forums was very vocal about this,
21:43
and he talked about how, well, they've
21:45
since, because of this,
21:47
locked down user profiles so that you
21:49
can't view a user profile unless
21:51
you're logged in. So now random people
21:54
who aren't logged in to Ars Technica, even if they
21:56
have the stage one malware, they won't be
21:58
able to, you know, see the
22:00
user profile that has the HTTP
22:02
get URL, you know, it just
22:04
all this nonsense. And
22:07
it's like, okay, but that actually
22:09
doesn't accomplish anything, because
22:11
you could just as easily make a comment
22:14
on a news article that, you know, just
22:16
has a one pixel transparent PNG in it
22:18
that's got the same deal. You know, you
22:20
encode the third stage URL in base64 and
22:22
HTTP get variables, and you won't be able
22:25
to see it. You won't be able to
22:27
see that there's an image there. Everything will
22:29
just work. And then even
22:31
beyond that, like, okay, well, maybe you just
22:33
want to say, I'm going to disable images
22:35
entirely. Well, that
22:37
doesn't help either because you can create a
22:40
link and you can actually control the display
22:42
link text versus, you
22:44
know, where it goes to. So
22:46
you could paste in, for example, a link
22:49
to an article covering the same topic
22:51
as an Ars news article from, let's
22:53
just say the Verge or CNET or
22:55
whatever. And what
22:57
you see on the screen is just the
22:59
raw text of the URL, apparently, but
23:02
the actual target, which you can put
23:04
in using the forum software, is
23:07
the raw URL plus those HTTP
23:09
get variables. So all you
23:11
see is somebody helpfully linking to other
23:13
coverage of the same article, unless
23:15
you actually go through it and like go
23:18
into a web dev console and look at
23:20
it, at which point you'll see the real
23:22
target is the same thing, but includes the
23:24
extra get variables. And you
23:26
may actually have to open a web dev
23:28
console because guess what happens if you mouse
23:30
over it? Well, if you're using Chrome, it
23:32
will helpfully truncate the URL to no more
23:34
than, I think it's about like 20 characters,
23:37
which is not enough to get a
23:39
typical news URL in there entirely.
23:42
So again, you won't see the
23:44
get variables. Even if you
23:46
block HTML entirely, in the Vimeo case, they just
23:48
put it as plain text in the description, as
23:51
just some letters on the page. Yeah. Now the
23:53
win there with doing it the way that they
23:55
did it at Ars, and not the way they
23:57
did it at Vimeo, is it's a lot harder to
23:59
detect. But so one
24:01
of the things that was, the guy at
24:03
Ars has been very vocal in
24:05
that thread, and another one of the things
24:07
he said is, he gets that he
24:09
doesn't do infosec for a living,
24:11
but he doesn't understand why somebody would
24:13
want to use something at Ars where
24:15
there is an active and, you know,
24:18
very technologically knowledgeable staff around that
24:20
will detect and notice such things, and
24:22
you know as well. There are a
24:24
few reasons for that and one is
24:26
that you didn't notice this until somebody
24:28
tipped you off on it. And
24:30
sure, when you did notice it, you
24:32
nuked it. But by that point how
24:35
many weeks or months had that been
24:37
up? And stage one again is a
24:39
USB thumb drive seeded into a
24:42
parking lot, which means that there's a
24:44
very tight window, and each one of
24:46
those campaigns you only need that second
24:49
stage to be up for a couple
24:51
of weeks max, at which point nobody's
24:53
going to encounter it anymore. So this is not
24:56
really an issue that somebody hosting the
24:58
site where the second stage gets
25:00
dropped can entirely fix. You
25:02
can say this is why we can't
25:04
have nice things and turn off every
25:06
kind of image and, you know, every
25:08
kind of link and anything that a
25:10
user can upload, and they can still
25:12
put it in plain text, like Alan
25:14
mentioned for the Vimeo one, which, that's more
25:16
likely to get detected eventually, but honestly,
25:19
even then, I mean, how many times
25:21
do you see an obviously garbage link
25:24
stay up on very well trafficked, well
25:26
respected forums for weeks? And they could
25:28
decide to do something more complicated than
25:30
base64 encoding and encode it in what
25:33
looks like a sentence of words or
25:35
something. It just means they have to
25:37
try harder, and once you
25:39
take out the easy ways, they're just
25:42
going to try harder. Or they could use
25:44
steganography to encode the
25:46
URL in an actual image and upload
25:49
the actual image, and if you didn't
25:51
know the key you would have no
25:53
idea that there were a few extra
25:55
bytes' worth of information encoded into that
25:58
JPEG of somebody's dog at home
26:00
or whatever, maybe even a profile picture
26:02
on the forum. Because I expect, even
26:04
when ours strips down access to profile
26:06
pages to being logged in, people still
26:08
want their profile picture to show up in the comments when people
26:11
are reading the article. And some of
26:13
that you can maybe negate some of the steganography by
26:15
ours. When you upload a picture, they run it through
26:17
ImageMagick or whatever and crunch it down a little
26:19
bit and do enough stuff to it that it
26:21
breaks the steganography. But that's a
26:24
lot of extra effort for maybe
26:26
stopping weird people from doing weird things
26:28
every once in a while. Let's
26:30
do some free consulting then. But first, just a quick
26:32
thank you to everyone who supports us with PayPal and
26:34
Patreon. We really do appreciate that. And if
26:36
you want to send any questions for Jim and Alan or
26:39
your feedback, you can email show at 2.5admins.com. Sam
26:42
says, I have a Windows 10 desktop
26:44
that is not Windows 11 compatible and
26:47
will need replacing come October 2025. I'm
26:50
worried that the prices are gonna shoot up in the
26:52
run up to the Windows 10 end date when
26:55
everyone realizes that they have months to sort their shit
26:57
out. Do you advise upgrading hardware
26:59
in good time? For example, this year. My
27:01
PC still has a good few years of life left
27:03
in it, so ideally, I'd leave it as late as
27:06
possible to upgrade. Unfortunately, I need Adobe
27:08
for work, so I'm stuck on Windows. You
27:11
don't need to put that qualifier in, Sam. It's
27:13
fine to run Windows if you want to. Just
27:15
ask Alan. Yep. Well,
27:17
it made sense for Sam to include that
27:19
qualifier because it heads off any, well, just
27:21
ditch Windows and install Linux at the pass.
27:25
Presumably, Sam would love to do
27:27
that from the way Sam said
27:29
that, but I need Windows. I
27:32
get that. Every time I use Windows,
27:34
it's because I needed to, not because
27:36
I wanted to. In this
27:38
particular case, Sam had either a sixth
27:40
or seventh generation CPU, which is
27:43
not Windows 11 compatible and won't be. Officially,
27:45
at least. Sure, not
27:47
officially. You may or may not be
27:50
able to hack your way into it, which I do
27:52
not recommend, unless that's the thing that
27:54
you just want to do on your own and deal
27:56
with any problems that you encounter yourself, and that's part
27:58
of the fun, in which case, knock
28:00
yourself out. But I'm not going to give you any
28:02
advice on it because if you need advice, you shouldn't
28:04
do it. Before we get
28:06
into the rest of it, I do want to point out
28:09
that a lot of the folks who think their machines are
28:11
not Windows 11 compatible, it may be more compatible than you
28:13
think. One of the most common
28:15
issues that prevents the Windows compatibility checker from
28:17
saying, yep, you're good to go, is the
28:19
lack of a TPM, a
28:21
Trusted Platform Module. With
28:24
that said, most motherboards,
28:26
they offer a software-based
28:28
TPM. It just needs to be
28:30
enabled. It's one of those
28:32
bizarrely disabled by default options, kind of like
28:34
most consumer motherboards have virtualization disabled by default
28:37
for some freaking reason, and you end up having
28:39
to go in and turn it on. So
28:42
the same thing with the software TPM. So
28:44
if the TPM is the reason you can't
28:46
upgrade, be sure to go into your BIOS
28:48
and look around for a software TPM option.
28:51
It's very likely right there, and all you've got to do is
28:53
turn it on. As long as the
28:55
virtual TPM it offers is version 1.2 or higher, you'll
28:57
be good to go. Now
29:00
the other issue is some of these older boards,
29:02
they do offer a software TPM, but it's only
29:04
version 1.0, and that will not suffice. Anyway,
29:09
this wouldn't help Sam because Sam had
29:11
a 6th or 7th gen processor, but
29:14
my advice was there's probably not going to
29:16
be a big run-up in the last months
29:18
before the Windows 11 upgrade. But
29:21
I would say go ahead and make that upgrade
29:23
now anyway, because if you're still rocking a 6th
29:26
or 7th gen processor, now it might very well
29:28
be good enough for you for another several years
29:30
of use. However, when
29:32
you go buy a new processor, you
29:35
can actually go down a couple
29:37
or three performance rungs in your
29:39
preferred vendor's hierarchy of performance and
29:42
still just absolutely wipe the deck with that
29:44
old 6th or 7th gen CPU. I
29:47
mean, we're talking going from
29:49
an i7 down to an i5
29:51
or an i3 and having like
29:53
a 30% single thread performance boost and
29:55
like a 300 or 400% multi-thread boost.
30:00
In some cases. So, if
30:02
you're still rocking that 6th or 7th gen
30:04
processor and you're like, should I go
30:06
ahead and upgrade or should I wait,
30:08
I would suggest go ahead and do
30:10
it. Enjoy it. You'll get a real
30:12
benefit. This is not just the compliance
30:15
upgrade jazz and good to be a
30:17
things are reinforcements him said or. Did.
30:19
As I can be a rush for people to
30:22
upgrade because half the people don't know what the
30:24
2025 date is. Right? The people
30:26
that are still running Windows 10 in 2025,
30:28
they don't know that it is, and it's
30:31
not going to make a difference to them, though.
30:33
They're going to use that computer until they can't,
30:35
or Windows 12, or whatever other
30:38
forcing function happens, and so there's not
30:40
going to be some run-up of,
30:42
oh, if I don't upgrade I'm
30:44
gonna be stuck on an unsupported version of Windows.
30:46
That is not a thing people who don't work
30:48
in IT even think about. There might
30:51
be a mild run on, like, corporate
30:53
refurbs. One of the best sources
30:55
for cheap computing for home or for
30:57
a very small business is going and getting
30:59
one of those relatively cheap corporate refurbs that
31:02
come off a two or three year lease,
31:04
so it's practically a new machine in the way most
31:06
people would think about it. And
31:08
you can grab it for anywhere from
31:10
two thirds to less than half the cost
31:12
of the same hardware when it's brand new.
31:15
Now, there may be a bit of a
31:17
run on those as you get closer to
31:19
Windows 11. Yeah, well, but general parts
31:21
availability, I mean, by October 2025,
31:23
there'll probably be a bunch of those
31:26
that are new enough that they have Windows 11 that'll
31:28
be for sale. Sure, what I'm saying is the prices
31:30
on those are more likely to shoot up because there probably
31:32
will be a bit of a run on those
31:34
off-lease corporate refurbished machines. So,
31:36
I don't think it would be enough that
31:39
you wouldn't be able to get one, but
31:41
we saw the prices on those go way
31:43
up during the pandemic, and we might see,
31:45
I doubt it would be anywhere near as
31:48
big a version of that, but you're liable
31:50
to see something similar in those last months
31:52
in 2025. So if your
31:54
plan is specifically grabbing a corporate refurb
31:56
PC, then I would definitely advise doing
31:59
it earlier. But if you're just going to build yourself
32:01
a system, do it whenever you want
32:03
to. But again, I would say do it now
32:05
because holy crap, it's going to be so much
32:07
better than what you're using. Yeah. I didn't really
32:09
have that settle in for me until I was looking
32:12
at it six months ago or so. My
32:14
home file server is a dual socket
32:16
Xeon V2. So it's technically,
32:18
I think third generation, but whatever. It's 20
32:21
cores of three gigahertz. And
32:24
I'm like, that's a massive machine. And then,
32:26
you know, look at the single and multi-threaded
32:28
performance of like a mid range
32:31
Ryzen in one of those little
32:33
boxes for powering your TV. And it's
32:36
got as much CPU power for like
32:38
$400 on Amazon. I'm
32:40
like, Oh, I think
32:43
it is time to do a hardware refresh
32:45
because I could get literally double the performance
32:47
by catching up a dozen generations from where
32:49
I am now and probably use way less
32:51
power at the same time or use the
32:53
same amount of power to get a lot
32:56
more out of it. A lot more out of it.
33:00
Right. Well, we better get out of here then. Remember, show@
33:02
2.5admins.com if you want to
33:04
send any questions or feedback. You can find
33:06
me at jrs.com/mastodon. You can find
33:08
me at jrs-s.net/social. And
33:10
I'm at Alan Jude. We'll see
33:12
you next week.