2.5 Admins 180: Email 777

Released Thursday, 1st February 2024

Episode Transcript

0:00

2.5 Admins Episode 180. I'm Joe. I'm

0:05

Jim. And I'm Alan. And here we are again. And

0:08

before we get started, you want to plug the BSDCan

0:10

2024 call for papers Alan. Yes,

0:13

BSDCan 2024 is happening

0:16

at the end of May. So it's May 31st to

0:18

June 1st, plus the two

0:21

days before that for tutorials if you're interested. But

0:24

looking for submissions until February

0:26

12th for talks about

0:29

BSD, networking, sysadmin, all

0:31

that kind of stuff. BSDCan is the

0:34

biggest, most fun conference of the year

0:36

on the BSD stuff. So definitely worth

0:38

checking out and looking

0:40

forward to a bunch of interesting talks. Right,

0:42

well, links in the show notes as usual. In

0:45

major gaffe, hacked Microsoft test

0:47

account was assigned admin privileges.

0:50

Somebody at Microsoft has got to

0:53

be feeling like the biggest prat

0:55

imaginable. Assuming they're actually still with

0:57

Microsoft. I don't

0:59

mean as in getting fired for this. I

1:01

mean, as in, you know, this was a

1:03

long dormant test account that was left the

1:06

network security equivalent of chmod 777, abandoned

1:08

in the closet to

1:10

rot. And, you know, attackers eventually

1:12

found it and they

1:15

had a really, really great day.

1:17

But when those kinds

1:19

of things get discovered frequently, the person

1:21

who made the mistake has

1:23

long been gone anyway, especially at a company like

1:26

Microsoft. Because, you know, if you work in the small

1:28

business world, you might be used to

1:30

thinking of, you know, a typical stint at a

1:33

company being anywhere from five

1:35

to 10 years. Enterprises

1:38

like Microsoft, yeah, you're averaging

1:40

frequently more like maybe

1:42

two to five. If you're not like

1:44

a rock star, kind of

1:46

the whole point of a lot of

1:48

modern software development practices, especially at enterprise

1:51

scale is to make sure that no

1:53

individual really much matters. So

1:55

you get more churn and the odds that the

1:58

person who did the bad thing is still around

2:00

to slap their pee pee in

2:02

the door for it, decreases. Yeah, and in

2:05

an update, it turns out that Microsoft

2:07

wasn't the only one hit by this.

2:10

While looking into it, Microsoft's security

2:12

team discovered that Hewlett-Packard Enterprise, or

2:14

HPE, had been hacked

2:17

back in May but didn't

2:19

discover it or contain it until December.

2:22

It seems this compromise was via

2:24

password spraying, so just guessing common

2:27

passwords for common usernames, and

2:29

managed to access a test account, which is

2:31

normally restricted to a limited number of accounts

2:33

with a low number of attempts, to

2:36

access each one. They reduced its

2:38

malicious activity by conducting these

2:40

attacks over distributed residential proxy

2:43

infrastructure, so using lots of

2:45

individual people's computers rather than all one

2:47

obviously Russian IP address. And

2:50

we've seen that before, including the SolarWinds supply chain

2:52

attack and so on. This

2:54

attack carried out by a group that Microsoft

2:57

has decided to call Midnight Blizzard.

3:01

By connecting to targets from IP addresses with

3:03

good reputations, and that weren't going to be

3:05

on a blacklist for having tried all these

3:08

passwords on all these different domains, they

3:10

managed to keep up the attack for longer. There's

3:13

no reason to doubt Microsoft when they say it

3:15

was a password spray attack. I mean, the thing

3:17

about password spray attacks are once you know you've

3:20

been attacked with one, it's not hard to confirm

3:22

in the logs, oh yeah. One

3:24

or possibly tons of different IP addresses were

3:26

trying to log into this particular set of

3:28

credentials with, you know, a whole string of

3:30

different passwords till one of them got in. But

3:33

I think that it's kind of interesting

3:36

and points again to just the systemic

3:38

level of this failure, that

3:41

the password spray attack worked on

3:43

the bogus abandoned ignored test account,

3:45

which tells you that somebody not

3:48

only created a test account with

3:50

massive overprivileges, they

3:54

used a stupid password for it

3:56

that was either reused elsewhere or

3:58

just so bloody obvious that you

4:00

know, a simple dictionary attack got it. And

4:02

I would bet that somebody probably reused

4:04

one of their favorite personal passwords. I'm

4:07

guessing they used one of the ones

4:09

off a very popular list of popular

4:11

passwords, because that's what you do with

4:13

test accounts, right? Let's be clear

4:15

here. If you have a favorite password

4:17

you like to use on lots of sites,

4:19

that password is almost certainly on those lists.

4:22

It does not take long for

4:24

some site to get hacked and

4:26

dumped. And your creds to end

4:28

up on those lists, which is why Alan and

4:30

I, you know, are always harping on folks, do

4:33

not reuse passwords. And

4:36

I get that there are some exceptions.

4:38

And there may be a site that comes along

4:40

that you're just like, Oh, I have to create

4:42

an account and I don't care. And if

4:46

you're sure you don't care, well,

4:48

you can consider the whole favorite

4:50

password thing understanding that what you're

4:52

essentially doing, it's like taping a

4:54

key to your front door, right

4:57

next to the lock, you should think of

4:59

it that way. And there may be circumstance

5:01

where you're like, Yeah, I literally don't care

5:03

to the point that I would rather like

5:05

have a key on a chain dangling from

5:07

a padlock, you know, just to let people

5:09

get through it. Sometimes that can be a

5:11

valid choice. But you should understand what you're

5:14

doing. If you do that, you're saying, I

5:16

don't give a crap about any security beyond

5:18

the absolute most trivial here. Because

5:20

I used a password that I've used other

5:22

places. Yeah, and that's the biggest thing there

5:25

is while you might not care about

5:27

the site you're signing up for right now using

5:29

the common password. Remember that that's the site

5:31

that's going to expose that common password and screw

5:33

you over on every other place you used it.

5:36

And that's why you don't use the same password. That's

5:39

an excellent point and worth enumerating

5:41

the value of a single site that

5:43

you use a favorite throwaway password on

5:46

may be next to nothing. But

5:48

at some point, you also have to

5:50

keep an eye on what is the

5:52

aggregate value of all the sites I've

5:55

used this common throwaway password on. Because

5:57

once an attacker starts password spraying, they're

5:59

not just going to get you on

6:01

one site, they're going to get you on

6:03

pretty much the whole pool that you've done

6:05

that on. It may take a little while,

6:08

but that's really what's at stake, is every

6:10

site you've used that password on. Yeah, like

6:12

in this case, we're talking about them using

6:15

these proxies to appear to come from a bunch of different

6:17

places. But if you're targeting someone

6:19

specifically, if you've got the dumps from 10

6:21

different websites that have got hacked, and if

6:23

you haven't counted 100 websites, at least 10

6:25

of those have been dumped somewhere, then

6:28

especially they can come and say, oh

6:30

look, this email address used these three

6:32

different passwords, and now

6:34

they can be like, okay, we're going to try

6:36

that email address with each of those three passwords

6:38

on all 100 of these sites and get into

6:40

lots and lots of them. And

6:42

then, especially if they can get into one of

6:45

those that's the linchpin of some others, right? If

6:47

they get your email address, then they can just

6:49

reset the password on all the other sites you're

6:51

in. Or in the case of

6:54

this Microsoft attack, the test user had access

6:56

to just read every person in the domain's

6:58

email account, so they could reset the password

7:00

of anybody they wanted, including deleting the password

7:02

reset email afterwards, so that it doesn't show

7:05

up in the other person's inbox. Or if

7:07

they have admin, they can write mail flow

7:09

rules and say, hey, if you get an

7:11

email from passwordreset at some site.com, forward it

7:13

to my inbox instead of theirs, so it

7:16

never arrives in theirs and they never get

7:18

a notification on their phone. And

7:20

then you've reset their passwords and you own their

7:22

entire account. So yeah, I

7:25

understand test accounts normally don't have

7:27

2FA, but if you're going

7:29

to give it like super global admin privileges, it's

7:31

not a test account. It's a super global admin

7:33

account. And if it is a test account,

7:35

it should probably have an expiration date. Almost all modern

7:38

systems have the ability to say, this account will stop

7:40

working after this long. And the

7:42

best way to not forget about the test account

7:44

is to set that date to be not very

7:46

far in the future. Because if it's just for

7:48

test, you can always extend the date after, you

7:52

can't go back and stop the account from working

7:54

when the Russians are using it. And

7:56

if it's just for test, if it's

7:58

on the public internet, you still can't

8:01

give it a stupid password. Yes. It's

8:03

one thing to very temporarily set up

8:05

an account on, you know, a trusted

8:07

local network that is only accessible from

8:10

the trusted local network with a very

8:12

stupid password while you get things worked

8:14

out, understanding that you're going to fix

8:16

that before you go in production with

8:18

it. But you can't even

8:21

do that much if like your test

8:23

environment is publicly accessible from the internet.

8:25

Like, that's the show. You

8:28

can't screw around if you're putting

8:30

things out there on the public internet for

8:32

literally the entire world to touch and poke

8:34

and prod at. No stupid

8:36

passwords, 2FA or not. You

8:39

can't do that. You just can't. Yeah.

8:41

And basically, if you're leaving anything that the temporary

8:43

password like that, you're just, you've set

8:45

a trap for yourself. And

8:48

you're gonna feel the bite of

8:50

that bear trap sooner or later. So just don't.

8:53

Use unique passwords, even on

8:55

the test accounts. Pixel phones

8:57

are broken again with critical storage

8:59

permission bug. This is

9:02

unbelievable that Google has allowed this

9:04

to happen again. Is it? Is

9:06

it really? Is it that unbelievable? In

9:09

2024 that a massive

9:12

corporation released crappy code and a crappy fix

9:14

that didn't fix the thing? Because I'm not

9:16

finding it that hard to believe. Yeah, it

9:18

sounds like just another day. Yeah, we live

9:20

in a world where everybody is connected to

9:22

everything at all times, which means you never

9:24

need to get it right. Fuck

9:26

it. Ship it out the door, make your manager happy,

9:28

make that deadline. Doesn't work. Well, you can

9:30

do it again a second time. It does

9:33

seem to be related to the last one

9:35

where people who had multiple profiles set up,

9:38

ended up being locked out of their

9:40

phone potentially completely. Some people in bootloops.

9:43

It very much appears to just be the

9:45

same bug that was not completely fixed

9:47

the first time. We still

9:49

don't have all the information about this bug

9:52

because essentially if we did, then it would

9:54

be fixed already and ain't fixed. For

9:57

end users, it basically boils down to if

9:59

you thought your problems were over, you

10:01

know, with multiple profile usage on Android. No,

10:03

they very much are not. And the recommendation

10:05

is still don't do that.

10:08

If you've got them and they're working

10:10

now, strongly consider disabling them because we're

10:12

still not sure exactly what triggers

10:15

the bug. But once you trigger

10:17

it, yeah, your phone is essentially

10:20

bricked. What's interesting this time is

10:22

that it was actually a Google Play system

10:24

update, which isn't

10:26

the OTA updates where you have to reboot

10:28

your phone and everything. This is just a

10:30

silent thing that happens in the background. Right.

10:33

Well, a lot of the reason that this

10:35

got moved into the Google Play updates

10:38

is because Google can

10:40

put stuff in that model and say, well, it's

10:42

not, you know, the open source part of Android

10:44

that we have to share with everybody. So

10:47

there has been a big push in

10:49

the last several years. Google has moved

10:51

more and more of the core functionality into

10:54

the Play system, which makes Android

10:56

without Google a lot less useful.

10:59

I mean, nobody from Google has reached out to

11:01

me and said, Hi, I'm a Google press representative.

11:03

And I want to let you know that the

11:05

reason we're doing this is to make core Android

11:07

less useful. So people are more dependent on the

11:09

proprietary Google Play services. But

11:11

I can't think of a whole lot of

11:13

other reasons for that either. I

11:16

think the one that I saw in the past, which

11:18

was part of the reason I got a Pixel phone,

11:21

was that my carrier would brand

11:23

and customize the OTA updates to

11:25

say their name and so on.

11:27

And so I always got the updates later

11:29

than everybody else, because my carrier took a long

11:32

time to do that. So having

11:34

come to the Play Store instead of as part of

11:36

the OS meant that I should get those security updates

11:39

without the carrier or, you know, if you

11:41

were buying a phone from a vendor who's

11:43

taking Google's thing and then customizing it, that

11:45

you're not having the same latency to get the updates

11:47

there. But I expect

11:50

the real reason is a lot closer to

11:52

what Jim was saying than just carriers are

11:54

slow. We're picking a different point

11:56

downstream of Google that Google is saying, No,

11:58

you don't get to have any control over this,

12:00

screw you. You use the thing the way we want you

12:02

to use it. The more charitable

12:05

interpretation is Alan's, where you're saying, oh, well,

12:07

Google wants to stop these OEMs from doing

12:09

crappy things that hurt end users, but

12:13

I doubt that Google has any

12:15

more love for folks like Salem

12:17

that are determinedly using F-Droid and

12:19

avoiding every Google branded everything they

12:22

possibly can on their Android device.

12:25

And I think Google is very

12:27

definitely not thrilled about most of

12:29

the Android, but not

12:31

really, things out there competing, like Amazon's

12:33

fire sticks and whatever, the more they

12:35

can make it to where you

12:38

don't actually get to just make your

12:40

own Android distribution, you either use Android

12:42

the way we want you to or

12:44

not, well, it's just, it's bringing control

12:47

back inside Google's walls, and I think

12:49

that's really ultimately what it comes down

12:51

to. I don't think Google sees

12:53

a lot of difference between the OEMs and you

12:55

as the end user, in either case, it's

12:58

somebody outside Google's control and they

13:01

don't like that. Well, in Amazon's case,

13:03

they've decided or not because they're moving away

13:05

from Android for their fire sticks now. Well,

13:08

because they've kind of had to because see

13:10

above. I mean, I don't think

13:12

Amazon was just chomping at the bit to

13:14

reinvent everything. I think they were quite happy

13:16

to just fork Android and like

13:18

most of the hard work is done. And we

13:21

all know here, that's what Open Source is all about,

13:23

right? But this very much looks

13:25

to me just like a classic case of Open

13:27

Source company decides, you know what? F

13:30

that Open Source stuff for the most part, it's inconvenient, it

13:32

gets in the way of making money the way that we

13:34

want to make money, and we're gonna do our best to

13:37

pick up our ball and go home. We

13:39

took the early adopter Open Source advantage

13:41

and everybody thinking that we were great,

13:44

remember the do no evil days? Oh,

13:46

it's Open Source, I can trust it.

13:48

And then you build the base and

13:50

then you start trying to abandon those

13:53

Open Source ideals. It's just another instance

13:55

of the attract extract cycle.

13:58

First you attract them, and you extract all the

14:00

good stuff, then you've destroyed the

14:02

value of the property, but you've extracted tons

14:05

of value, so you just spin up something

14:07

new that isn't tainted with your bad

14:09

PR and you do it all over again. The

14:12

other problem is Google's only kind of

14:14

statement on this so far is we're looking into

14:16

it, which doesn't give users much guidance on how

14:18

they should deal with this in the meantime, especially

14:20

if their phone doesn't work. There's

14:22

certain steps I should avoid taking to make sure

14:24

I'm gonna get all my stuff back, but also

14:26

what can I do in the meantime and still

14:28

have access to my phone? And

14:31

really trying to avoid the problem, but

14:33

trying to avoid the update doesn't help

14:36

since like Joe said, it's not an

14:38

OTA update, it's the Google Play system

14:40

updates, which happen periodically or get mixed

14:42

in with all the other app updates that happen on a regular

14:44

basis without a reboot of the phone. Ron

14:46

Amadeo, who wrote the piece for Ars,

14:48

suggests not rebooting your phone if

14:51

you haven't done it for a while, which I

14:53

was tempted to do it just to try, but then I thought

14:55

actually no, I don't want a phone that's broken. Also

14:58

says disabling any extra profiles like

15:00

your work profile or any other multi-user features, sounds

15:02

like a good idea if you can manage that

15:05

and then he has a link to some instructions.

15:09

Okay, this episode is sponsored by

15:11

people who support us with PayPal

15:13

and Patreon. Go to 2.5admins.com for

15:15

details of how you can support

15:17

us too. 2.5admins is

15:20

part of the Late Night Linux family, which means that for

15:22

$10 a month on Patreon you

15:24

get access to an RSS feed that

15:26

contains all the Late Night Linux family

15:28

shows without adverts like this. There's

15:30

also an option to get just this show ad-free for

15:32

$5 a month if you prefer. Some

15:35

of the episodes are even released a day or

15:37

so early for Patreon supporters. So if

15:39

you like what we do and can

15:41

afford it, it would be great if

15:43

you could support us at 2.5admins.com/support. Ars

15:47

Technica used in malware campaign with

15:49

never before seen obfuscation. Now

15:51

I will say I think the never before

15:53

seen is a bit of a stretch, but

15:57

this was a really interesting attack. The

15:59

Long story short, word is this was

16:01

one piece of a multi stage attack

16:03

that was clearly intended for very high

16:05

value targets, and the reason I say that is

16:08

because stage one of this attack was

16:10

USB-seeded, USB drives of malware,

16:12

but the malware on the

16:14

USB drive is unlikely to

16:17

get detected as such because it doesn't

16:19

do anything obviously bad. What it does

16:21

is it begins checking a URL, trying

16:23

to look for the stage two payload,

16:26

and the stage two payload is

16:28

base64 encoded inside HTTP

16:30

GET variables. Now in the case

16:32

of Ars Technica, the HTTP GET

16:35

variable was tacked on to a user

16:37

profile image of just a random user

16:39

profile. So this is not something that

16:42

anybody would see and even if they

16:44

didn't click into that user's profile, they

16:46

would see the image displaying just fine.

16:48

And even if they click the image

16:51

it would go through to the original

16:53

image hosted at Ars Technica again just

16:55

fine. But because the

16:57

URL had an HTTP

17:00

GET variable. Now, the kind where at the

17:02

end of http://mysite/

17:04

mypage, you've got a question mark

17:06

and you see like a variable one

17:08

equals one thing ampersand variable two equals

17:10

second thing ampersand, so on and so forth. Those

17:13

things are HTTP GET variables;

17:15

you have set variable one

17:17

to equal thing one and so

17:19

on down the line. So what the

17:21

malware would do is it would fetch

17:23

this url from this page. I

17:26

don't mean follow the url, I mean

17:28

literally just grab the contents of the

17:30

link, and base64 encoded into

17:32

that HTTP GET variable is where

17:34

it actually needs to go to download

17:37

stage three of the payload, which is

17:39

the actual part that does the damage

17:41

whether it's, you know, exfil or

17:43

providing a back door for the attacker

17:45

to come in later. That part we

17:47

don't know but stage three is where

17:50

the bad things really happen. So the

17:52

interesting thing here is this was very

17:54

difficult attack because the initial USB

17:56

seeded thumb drives in the parking lot,

17:59

your network detection is probably not going

18:01

to find malware on them because it's something

18:03

custom that does something quite innocuous. So it's

18:06

not going to get triggered off of known

18:08

signatures or off of known techniques. All the

18:10

thing is doing is fetching a web page.

18:13

The web page that it's fetching is

18:15

from a very well-known and well-respected site.

18:17

In this case, Ars Technica, the same

18:19

attackers, also used Vimeo for either the

18:22

same campaign or possibly another related one.

18:25

So now your high-value target –

18:27

and you know it's high value because you went to

18:29

all the time and effort to buy a bunch

18:31

of USB drives, load them up with malware,

18:33

and then seed them in parking lots. You

18:35

don't do that unless you're after somebody specific.

18:38

So your high-value target gets it, takes it to

18:41

work, plugs in the USB

18:43

drive, gets the malware on their computer

18:45

that looks innocuous so it doesn't get

18:47

detected. The innocuous appearing malware

18:49

goes to a user profile at

18:52

Ars Technica, which is not going

18:54

to show up as anything at

18:56

all strange by either automated or

18:58

live human Infosec Blue Teams. Then

19:01

it gets the base64 encoded URL from

19:03

those GET variables and then finally goes

19:05

to the third site to get the

19:08

actual malicious payload. So I

19:10

thought this whole thing was pretty cool. It

19:12

was also interesting seeing the back and

19:15

forth in the comments section because it

19:17

was very clear that most people just

19:19

really aren't quite following through the logic of how

19:21

this would work and why you would do things

19:24

in this order. Hey Alan, you've

19:26

been around tech communities for a long time

19:28

and you've gone to a lot of IRL

19:30

meetups with people. Have you

19:32

ever, ever heard anyone else pronounce URL as

19:34

earl? No. Okay. Not

19:36

just me then. I've

19:38

heard lots of other ones pronounced

19:41

that. It generally seems to be

19:43

a consequence of learning a word

19:45

by reading it and going long enough without

19:47

ever hearing another person say it that you've

19:49

just come up with your own pronunciation. And

19:52

it generally just means that the person is

19:55

has learned by reading, which is not a bad thing. Also

19:57

in this case, it's a person who is well

19:59

aware that most people say U-R-L, but it's

20:01

like, screw that, one syllable. This is a thing

20:03

that I have to talk about a lot. It's

20:05

an earl, get used to it. Further

20:08

to Jim's point of dispelling those misconceptions, the

20:11

researchers were clear to point

20:13

out that just looking at this

20:15

image isn't going to hurt you. It's just

20:17

in the URL for the image,

20:19

they just encoded some information, so that something

20:22

that's actively looking for that information can use

20:24

it to know where I'm hiding the next step.

20:26

This allows them to hide the short

20:29

cut to their command and control system

20:31

or to their payload somewhere innocuous or

20:33

they can even go in and edit it,

20:35

and no one's going to notice

20:37

that they changed the

20:39

URL of their profile picture on the Ars

20:41

Technica forum, but that URL

20:44

is actually providing instructions to all the

20:46

infected machines on where to go get

20:48

the next stage of the payload.

20:51

Like Jim said, in the article there

20:53

was another one where basically in the

20:55

description of a video on Vimeo, further

20:57

down in the part of the description, you

20:59

see there's just one of these

21:01

strings of gobbledygook in the description, so

21:03

the malware just goes to Vimeo to

21:06

that one video and looks at the

21:08

description, and oh, there's the URL

21:10

to go get the secret next

21:12

payload. And we've seen other versions of

21:14

this that we called fast flux, where

21:16

they would do something like this with

21:18

URLs and algorithms that would generate some

21:21

random letters based on something like a date,

21:23

and so they would go in like

21:25

register domains knowing that in two

21:27

weeks from now this malware will tick

21:29

over to that date and will go

21:31

to this domain to get the next

21:33

stage. And the nice thing about this is

21:35

you don't have to bother registering the

21:37

domain. So it sounds pretty interesting. Because of

21:39

that, the head moderator over at the

21:41

Ars forums has been very vocal about this,

21:43

and he talked about how well the

21:45

they've now

21:47

locked down user profiles so that you

21:49

can't view a user profile unless

21:51

you're logged in, so now random people

21:54

who aren't logged into Ars Technica, even if they

21:56

have the stage one malware they won't be

21:58

able to you know see the

22:00

user profile that has the HTTP

22:02

GET URL, you know, it just

22:04

all this nonsense. And

22:07

it's like, okay, but that actually

22:09

doesn't accomplish anything, because

22:11

you could just as easily make a comment

22:14

on a news article that, you know, just

22:16

has a one pixel transparent PNG in it

22:18

that's got the same deal. You know, you

22:20

encode the third stage URL in base64 and

22:22

HTTP GET variables, and you won't be able

22:25

to see it. You won't be able to

22:27

see that there's an image there. Everything will

22:29

just work. And then even

22:31

beyond that, like, okay, well, maybe you just

22:33

want to say, I'm going to disable images

22:35

entirely. Well, that

22:37

doesn't help either because you can create a

22:40

link and you can actually control the display

22:42

link text versus, you

22:44

know, where it goes to. So

22:46

you could paste in, for example, a link

22:49

to an article covering the same topic

22:51

as an Ars news article from, let's

22:53

just say the Verge or CNET or

22:55

whatever. And what

22:57

you see on the screen is just the

22:59

raw text of the URL, apparently, but

23:02

the actual target, which you can put

23:04

in using the forum software, is

23:07

the raw URL plus those HTTP

23:09

GET variables. So all you

23:11

see is somebody helpfully linking to other

23:13

coverage of the same article, unless

23:15

you actually go through it and like go

23:18

into a web dev console and look at

23:20

it, at which point you'll see the real

23:22

target is the same thing, but includes the

23:24

extra get variables. And you

23:26

may actually have to open a web dev

23:28

console because guess what happens if you mouse

23:30

over it? Well, if you're using Chrome, it

23:32

will helpfully truncate the URL to no more

23:34

than, I think it's about like 20 characters,

23:37

which is not enough to get a

23:39

typical news URL in there entirely.

23:42

So again, you won't see the

23:44

GET variables. Even if you

23:46

block HTML entirely, on the Vimeo case, they just

23:48

put it as plain text in the description, as

23:51

just some letters on the page. Yeah. Now the

23:53

win there with doing it the way that they

23:55

did it at Ars, not the way they

23:57

did at Vimeo, is it's a lot harder to

23:59

detect. But, so, one

24:01

of the things, the head moderator at

24:03

Ars has been very vocal in

24:05

that thread, and another one of the things

24:07

he said is, he gets that he

24:09

doesn't do infosec for a living,

24:11

but he doesn't understand why somebody would

24:13

want to use something at Ars, where

24:15

there is an active and you know

24:18

very technologically knowledgeable staff around that that

24:20

will detect and notice such things, and

24:22

you know, as well. There are a

24:24

few reasons for that and one is

24:26

that you didn't notice this until somebody

24:28

tipped you off on it. And

24:30

sure, when you did notice it, you

24:32

nuked it. But by that point how

24:35

many weeks or months had that been

24:37

up? And stage one, again, is a

24:39

USB thumb drive seeded into a

24:42

parking lot, which means that there's a

24:44

very tight window and each one of

24:46

those campaigns you only need that second

24:49

stage to be up for a couple

24:51

of weeks max at which point nobody's

24:53

going to encounter it anymore. So this is not

24:56

really an issue that somebody hosting the

24:58

site where the second stage gets

25:00

dropped can entirely fix. You

25:02

can say this is why we can't

25:04

have nice things and turn off every

25:06

kind of image and you know every

25:08

kind of link and anything that a

25:10

user can upload and they can still

25:12

put it in plain text, like Alan

25:14

mentioned for the Vimeo, which, that's more

25:16

likely to get detected eventually, but honestly,

25:19

even then, I mean, how many times

25:21

do you see an obviously garbage link

25:24

stay up on very well trafficked, well

25:26

respected forums for weeks? Before they

25:28

decide to do something more complicated and

25:30

base64 encoding encoded in what

25:33

looks like a sentence of words or

25:35

something, and it just means they have to

25:37

try harder. And once you

25:39

take out the easy ways, that's when they

25:42

are trying harder or they could use

25:44

stick an undersea to encode the the

25:46

url and an actual image and upload

25:49

the actual image and if you didn't

25:51

know the key you would have no

25:53

idea that there were a few extra

25:55

bites worth of information encoded into that

25:58

z peg of somebody dog at home

26:00

or whatever memory even a profile picture

26:02

on the forum. Because I expect, even

26:04

when ours strips down access to profile

26:06

pages to being logged in, people still

26:08

want their profile picture to show up in the comments when people

26:11

are reading the article. And some of

26:13

that you can maybe negate some of the secondography by

26:15

ours. When you upload a picture, they run it through

26:17

image magic or whatever and crunch it down a little

26:19

bit and do enough stuff to it that it

26:21

breaks the secondography. But that's a

26:24

lot of extra effort for maybe

26:26

stopping weird people from doing weird things

26:28

every once in a while. Let's

26:30

do some free consulting then. But first, just a quick

26:32

thank you to everyone who spots us with PayPal and

26:34

Patreon. We really do appreciate that. And if

26:36

you want to send any questions for Jim and Alan or

26:39

your feedback, you can email show at 2.5admins.com. Sam

26:42

says, I have a Windows 10 desktop

26:44

that is not Windows 11 compatible and

26:47

will need replacing come October 2025. I'm

26:50

worried that the prices are gonna shoot up in the

26:52

run up to the Windows 10 end date when

26:55

everyone realizes that they have months to sort their shit

26:57

out. Do you advise upgrading hardware

26:59

in good time? For example, this year. My

27:01

PC still has a good few years of life left

27:03

in it, so ideally, I'd leave it as late as

27:06

possible to upgrade. Unfortunately, I need Adobe

27:08

for Work, so I'm stuck on Windows. You

27:11

don't need to put that qualifier in, Sam. It's

27:13

fine to run Windows if you want to. Just

27:15

ask Alan. Yep. Well,

27:17

it made sense for Sam to include that

27:19

qualifier because it heads off any, well, just

27:21

ditch Windows and install Linux at the pass.

27:25

Presumably, Sam would love to do

27:27

that from the way Sam said

27:29

that, but I need Windows. I

27:32

get that. Every time I use Windows,

27:34

it's because I needed to, because

27:36

I wanted to. In this

27:38

particular case, Sam had either a sixth

27:40

or seventh generation CPU, which is

27:43

not Windows 11 compatible and won't be. Officially,

27:45

at least. Sure, not

27:47

officially. You may or may not be

27:50

able to hack your way into it, which I do

27:52

not recommend, unless that's the thing that

27:54

you just want to do on your own and deal

27:56

with any problems that you encounter yourself, and that's part

27:58

of the fun, in which case. Knock

28:00

yourself out, but I'm not going to give you any

28:02

advice on it because if you need advice, you shouldn't

28:04

do it. Before we get

28:06

into the rest of it, I do want to point out

28:09

that a lot of the folks who think their machines are

28:11

not Windows 11 compatible, it may be more compatible than you

28:13

think. One of the most common

28:15

issues that prevents the Windows compatibility checker from

28:17

saying, yep, you're good to go, is the

28:19

lack of a TPM, a

28:21

Trusted Platform Module. With

28:24

that said, most motherboards,

28:26

they offer a software-based

28:28

TPM. It just needs to be

28:30

enabled. It's one of those

28:32

bizarrely disabled by default options, kind of like

28:34

most consumer motherboards have virtualization disabled by default

28:37

for some freaking reason you end up having

28:39

to go in and turn it on. So

28:42

the same thing with the software TPM. So

28:44

if the TPM is the reason you can't

28:46

upgrade, be sure to go into your BIOS

28:48

and look around for a software TPM option.

28:51

It's very likely right there, and all you've got to do is

28:53

turn it on. As long as the

28:55

virtual TPM it offers is version 1.2 or higher, you'll

28:57

be good to go. Now

29:00

the other issue is some of these older boards,

29:02

they do offer a software TPM, but it's only

29:04

version 1.0, and that will not suffice. Anyway,

29:09

this wouldn't help Sam because Sam had

29:11

a 6th or 7th gen processor, but

29:14

my advice was there's probably not going to

29:16

be a big run-up in the last months

29:18

before the Windows 11 upgrade. But

29:21

I would say go ahead and make that upgrade

29:23

now anyway, because if you're still rocking a 6th

29:26

or 7th gen processor, now it might very well

29:28

be good enough for you for another several years

29:30

of use. However, when

29:32

you go buy a new processor, you

29:35

can actually go down a couple

29:37

or three performance rungs in your

29:39

preferred vendor's hierarchy of performance and

29:42

still just absolutely wipe the deck with that

29:44

old 6th or 7th gen CPU. I

29:47

mean, we're talking going from

29:49

an i7 down to an i5

29:51

or an i3 and having like

29:53

a 30% single thread performance boost and

29:55

like a 300 or 400% multi-thread boost.

30:00

Some cases. So. If

30:02

you're still rocking that six or something

30:04

processor and you're like should I go

30:06

ahead not grade or should I wait

30:08

I would suggest go ahead and do

30:10

it. Enjoy it, You'll get a real

30:12

benefit. This is not just the compliance

30:15

upgrade jazz and good to be a

30:17

things are reinforcements him said or. Did.

30:19

As I can be a rush for people to

30:22

upgrade because half the people don't know what is

30:24

magic. Twenty five Date: Right after the ten people

30:26

that are still running Windows Ten and Twenty Twenty

30:28

Five, they don't say that it is and it's

30:31

not going to make a difference to them though.

30:33

Going to his computer we may. Can.

30:35

Or one two, or whatever other.

30:38

Forcing. Function happens and so is not

30:40

going to be some run up to his

30:42

own. know if I don't upgrade I've I'm

30:44

gonna be second or unsupportive. Version of Windows

30:46

is not a thing people who don't work

30:48

and I t even think about there might

30:51

be a mild run on of like corporate

30:53

firms in one of the best sources for

30:55

for cheap computing for home or for in

30:57

a very small business is gone and get

30:59

in the that relatively cheap corporate refurbish the

31:02

come off or two or three year lease

31:04

so it's practically new machine enough way most

31:06

people would think about it. And

31:08

you can grab it for anywhere from D

31:10

O two thirds less than half the cost

31:12

of the same hardware. One is brand new

31:15

now. there may be a bit of a

31:17

run on those as you get closer that

31:19

when does Eleven. Yeah, well, but general parts

31:21

availability a month. seen it by October. Twenty

31:23

twenty. They're probably be a bunch of those.

31:26

That. Are new enough that they have windows Eleven battle

31:28

be for sale. Sure what I'm saying is the prices

31:30

on a more likely to shoot up because they're probably

31:32

will be a bit of a run on those. Are

31:34

you into of least corporate refurbished. So.

31:36

i don't think it would be enough that

31:39

you wouldn't be able to get one but

31:41

we saw the prices on those go way

31:43

up during the pandemic and we might see

31:45

a al the would be anywhere near as

31:48

big a version of that but you're liable

31:50

to see something similar in those last month

31:52

and and twenty twenty five so if your

31:54

plan is specifically grab and a corporate reefer

31:56

prettier then i would definitely advise do an

31:59

ad earlier but If you're just going to build yourself

32:01

a system, do it whenever you want

32:03

to. But again, I would say do it now

32:05

because holy crap, it's going to be so much

32:07

better than what you're using. Yeah. I didn't really

32:09

have that settle into me until I was looking

32:12

at it six months ago or so, my

32:14

home file server is a dual socket

32:16

Xeon V2. So it's technically,

32:18

I think third generation, but whatever. It's 20

32:21

cores of three gigahertz. And

32:24

I'm like, that's a massive machine. And then,

32:26

you know, look at the single and multi-threaded

32:28

performance of like a mid range

32:31

Ryzen in one of those little for

32:33

powering your TV boxes. And it's

32:36

got as much CPU power for like

32:38

$400 on Amazon. I'm

32:40

like, Oh, I think

32:43

it is time to do a hardware refresh

32:45

because I could get literally double the performance

32:47

by catching up a dozen generations from where

32:49

I am now and probably use way less

32:51

power at the same time or use the

32:53

same amount of power to get a lot

32:56

more out of it. A lot more out of it.

33:00

Right. Well, we better get out of here then. Remember show at 2.5admins.com if you want to send any questions or feedback. You can find me at jrs.com/mastodon. You can find me at jrs-s.net/social. And I'm at Alan Jude. We'll see you next week.
