Steven Spielberg and Martin Scorsese are the most famous working directors of the last several decades, but that doesn't mean that they're in competition. In fact, the two filmmakers are fans of each other's work. Spielberg is particularly fond of Scorsese's 1990 mob movie, the widely acclaimed modern classic, "Goodfellas." And who can blame him? What's not to like? But "Goodfellas" is more than just a good movie to Spielberg — it's a master class in directing.
"Henry Hill, Jimmy the Gent, Tommy DeVito, Paulie, Karen, Billy Batts, the Lufthansa heist ... all someone has to do is mention some of these names and I get the sudden and irresistible urge to watch Martin Scorsese's 'Goodfellas' again," the director reminisced in an interview with Variety. "I've lost count of how many times I've experienced this epic cinematic masterpiece, which includes a brilliant screenplay by Nicholas Pileggi and Scorsese, and one of cinema history's greatest acting ensembles."
The "Jaws" director goes on to list some of the greatest actors in Hollywood history, including Robert De Niro, a Scorsese movie regular. He also points out the abundance of talent in the supporting cast members, from "Pulp Fiction" star Samuel L. Jackson to "The Sopranos" veteran Michael Imperioli.
If you're interested in making movies, don't let the film's long runtime deter you from watching it. Spielberg insists that "Goodfellas" will not be a waste of your time.
"It's no longer a guilty pleasure to sit for 2 hours and 26 minutes," the three-time Academy Award winner explained, "but rather a master class for any aspiring filmmaker who wants to see a breathtaking balancing act of multiple storylines, timelines, shocking violence and violent humor."
Goodfellas Is Spielberg's Favorite Scorsese Film
"Goodfellas" may not have made Spielberg's list of favorite movies in IndieWire, but it did earn a comparison to some incredible Hollywood classics, including one of the names on Spielberg's list.
Scorsese's 1990 film had "the greatest needle-drop score since 'American Graffiti,'" Spielberg told Variety, "and the best spoken narrative since Billy Wilder's 'Double Indemnity.'" The "E.T." director also compared "Goodfellas" to "The Godfather," one of his favorite films of all time.
"Everyone has a favorite Scorsese picture, and this is the one for me," Spielberg concluded, "in a photo finish with my other favorite picture of his, 'Raging Bull.'"
Scorsese and Spielberg started making films around the same time and achieved major success within a few years of one another. They were friends early on in their careers and have remained friends to this day. They discussed Spielberg's newest venture, "The Fabelmans," in an interview at the DGA Theater in 2022.
The "Taxi Driver" director, meanwhile, was friends with Spielberg when he was making his breakout horror film, "Jaws," and he remembers the obstacles that the young filmmaker was up against. "I remember when Steven was in production on 'Jaws,' the word around town and in the L.A. Times was that it was folly and that it was gonna be a disaster," Scorsese recalled in the 2017 documentary "Spielberg."
"I remember the night 'Jaws' opened I was with Steven," Scorsese recalled. "I said, 'Let's go and see the lines.' And we were looking and going by all the lines by Westwood and places like that, and I said 'This is it. This is gonna be a major change.'"
Scorsese Has A Lot Of Respect For Spielberg, Too
The two filmmakers have a mutual adoration and respect for one another. Scorsese is as much a fan of Spielberg's directorial talents as Spielberg is a fan of his. "Steven's able to walk into a room, look for a second or two say 'Here, here, move that here, give me a 25mm here, put it this way, face forward, move it, silhouette here. Two takes, three takes, that's enough thanks, let's move on,'" the "Goodfellas" director recalled. "It was amazing."
They may be peers, but Scorsese believes that Spielberg is one of the greatest directors in Hollywood history. "He has a dynamic sense of real filmmaking," Scorsese insisted. "I'm talking about narrative filmmaking in the great narrative tradition of American cinema."
Just as Spielberg wasn't afraid to compare "Goodfellas" with "The Godfather," Scorsese has no qualms about putting Spielberg in the same class as cinematic legends like John Cassavetes, best known for starring in "Rosemary's Baby" and directing gritty New Hollywood films like "The Killing of a Chinese Bookie." "Cassavetes has said, if you want to be a real filmmaker, you can't be afraid of anything or anybody," said Scorsese, "and Steven isn't."
Spielberg's latest work has taken a more autobiographical turn, but Scorsese has always appreciated the more "personal" elements of Spielberg's work. One of Scorsese's first films was "Italian-American," a documentary about his own two parents. In many ways, it mirrors the sentiments of Spielberg's latest production, "The Fabelmans," a story about his own family life. "I don't think there's any doubt that Steven's work deals with specific themes in his life, which makes him a real personal filmmaker," Scorsese concluded.
The way that these two filmmakers speak about one another's work is proof that, no matter how talented you are, you can still learn from your peers.
An anonymous reader quotes a report from Ars Technica: As a smartphone operating system, Android strives to be a lightweight OS so it can run on a variety of hardware. The first version of the OS had to squeeze into the T-Mobile G1, with only a measly 256MB of internal storage for Android and all your apps, and ever since then, the idea has been to use as few resources as possible. Unless you have the latest Samsung phone, where Android somehow takes up an incredible 60GB of storage. Yes, the Galaxy S23 is slowly trickling out to the masses, and, as Esper's senior technical editor Mishaal Rahman highlights in a storage space survey, Samsung's new phone is way out of line with most of the ecosystem. Several users report the phone uses around 60GB for the system partition right out of the box. If you have a 128GB phone, that's nearly half your storage for the Android OS and packed-in apps. That's four times the size of the normal Pixel 7 Pro system partition, which is 15GB. It's the size of two Windows 11 installs, side by side. What could Samsung possibly be putting in there?!
We can take a few guesses as to why things are so big. First, Samsung is notorious for having a shoddy software division that pumps out low-quality code. The company tends to change everything in Android just for change's sake, and it's hard to imagine those changes are very good. Second, Samsung may want to give the appearance of having its own non-Google ecosystem, and to do that, it clones every Google app that comes with its devices. Samsung is contractually obligated to include the Google apps, so you get both the Google and Samsung versions. That means two app stores, two browsers, two voice assistants, two text messaging apps, two keyboard apps, and on and on. These all get added to the system partition and often aren't removable.
Unlike the clean OSes you'd get from Google or Apple, Samsung sells space in its devices to the highest bidder via pre-installed crapware. A company like Facebook will buy a spot on Samsung's system partition, where it can get more intrusive system permissions that aren't granted to app store apps, letting it more effectively spy on users. You'll also usually find Netflix, Microsoft Office, Spotify, Linkedin, and who knows what else. Another round of crapware will also be included if you buy a phone from a carrier, i.e., all the Verizon apps and whatever space they want to sell to third parties. The average amount users are reporting is 60GB, but crapware deals change across carriers and countries, so it will be different for everyone.
So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are the same way, regardless of whether they're meant for red- or blue-team efforts; the driving factor behind them is often the list of tools embedded within the distribution. For example, the Kali Linux site says that it has "All the tools you need". If you go to the SANS SIFT Workstation site, you'll see the description that includes, "...a collection of free and open-source incident response and forensic tools." Here's a Github site that lists "blue team tools"...but that's it, just a list.
Okay, so what's up with lists, you ask? What's the "so, what?"
Lists are great...they often show us new tools that we'd hadn't seen or heard about, possibly tools that might be more effective or efficient for us and our workflows. Maybe a data source has been updated and there's a tool that addresses that new format, or maybe you're run across a case that includes the use of a different web browser, and there's a tool that parses the history for you. So, having lists is good, and familiar...because that's the way we've always done it, right? A lot of folks developing these lists came into the industry themselves at one point, looked around, and saw others posting lists. As such, the general consensus seems to be, "share lists"...either share a list you found, or share a list you've added to.
Lists, particularly checklists, can be useful. They can ensure that we don't forget something that's part of a necessary process, and if we intentionally and purposely manage and maintain that checklist, it can be our documentation; rather than writing out each step in our checklist as part of our case notes/documentation, we can just say, "...followed/completed the checklist version xx.xx, as of Y date...", noting any discrepancies or places we diverged. The value of a checklist depends upon how it's used...if it's downloaded and used because it's "cool", and it's not managed and never updated, then it's pretty useless.
Are lists enough?
I recently ran across a specific kind of list...the "cheat sheet". This specific cheat sheet was a list of Windows Event Log record event IDs. It was different from some other similar cheat sheets I'd seen because it was broken down by Windows Event Log file, with the "event IDs of interest" listed beneath each heading. However, it was still just a list, with the event IDs listed along with a brief description of what they meant.
However, even though this cheat sheet was "different", it was still just a list and it still wasn't sufficient for analysis today.
Why is that?
Because a simple list doesn't give you the how, nor does it give you the why. Great, so I found a record with that event ID, and someone's list said it was "important", but that list doesn't tell me how this event ID is important to nor used in my investigation, nor how I can leverage that event ID to answer my investigative questions. The cheat sheet didn't tell me anything about how that specific event ID
We have our lists, we have our cheat sheets, and now it's time to move beyond these and start developing the how and why; how to use the entry in an investigation, and why it's important. We need to focus less on simple lists and more on developing investigative goals and artifact constellations, so that we can understand what that entry means within the overall context of our investigation, and what it means when the entry is absent.
We need to share more about how the various items on our lists are leveraged to reach or further our investigative goals. Instead of a list of tools to use, talk about how you've used one of those tools as part of your investigative process, to achieve your investigative goals.
Having lists or cheat sheets like those we've been seeing perpetuates the belief that it's sufficient to examine data sources in isolation from each other, and that's one of the biggest failings of these lists. As a community, and as an industry, we need to move beyond these ideas of isolation and sufficiency; while they seem to bring about an immediate answer or immediate findings, the simple fact is that neither serves us well when it comes to finding accurate and complete answers.
My mother's favourite game on Linux is without a doubt Frozen Bubble. It is a casual game in all of the best ways; one you can dive into and learn at your own pace thanks to its simple but repeatable formula. Consider this to be a snapshot in time back to 2002, from right before the game was to take the world by storm.
Achieving continued success in Hollywood is never easy, and ultimately comes down to relationships. Director Chad Stahleski has been at the helm of every entry in the "John Wick" franchise including the upcoming "John Wick: Chapter 4," but his connection to star Keanu Reeves dates all the way back to "The Matrix." Stahleski worked as Reeves's stunt double in the original sci-fi action epic, also standing in as Neo in "Reloaded" and "Revolutions," then continuing to double the actor in the football comedy "The Replacements" and 2005's "Constantine." Stahleski was also the martial arts choreographer for Reeves's directorial debut "The Man of Tai Chi" — the movie responsible for gifting us with the memorable line "You owe me a life."
Reeves returned the favor when Stahleski stepped behind the camera to direct "John Wick." The revenge-fueled neo-noir epic helped redefine American action films, spawning four sequels by the time John Wick's story wraps up in the fifth (and final?) installment. With a spinoff called "Ballerina" in the works starring Reeves, Ana de Armas and Norman Reedus, as well as the prequel TV series "Continental," the hitman universe Reeves and Stahleski have worked so hard to build shows no signs of slowing down.
After experiencing a brutal fall from the top of the Continental Hotel at the end of "John Wick 3 -- Parabellum," Reeves's unstoppable assassin probably can't take much more abuse. He's not made of Teflon, and the series as a whole is in danger of turning Wick invincible, which would take away from his dogged determination to right the wrongs he's been dealt. His story has to end somewhere. The past has to catch up with him eventually. Both Reeves and Stahleski both seem to agree that the end is near.
'There's No Happy Ending'
"Keanu and I have never, from one to two, two to three, ever expected to do a sequel or a follow-up," Stahleski surprisingly told Indiewire in an interview timed to the release of "John Wick 3." The ending of "Parabellum" is about as close to a cliffhanger as you can get! Wick cut off one of his own digits to appease the High Table's Elder in the last film, but in an age where the sequel is king, Lionsgate would probably greenlight sequels until the world's greatest killer only had his thumb and trigger finger left. As it stands, the franchise is over after "Chapter 5," and Stahleski warned fans that the character is in for a dark fate. "John may survive all this sh*t, but at the end of it, there's no happy ending. He's got nowhere to go."
The franchise as a whole has always maintained some semblance of reality, which hopefully won't be abandoned in "Chapter 4" considering that Reeves has already said that he was pushed to the limits this time around. "'John Wick: Chapter 4' was the hardest physical role I've ever had in my career so far," Reeves told Total Film. One "Car-fu" sequence, in particular, that takes place in Paris with the Arc de Triomphe as a backdrop, should test the human limits of the character like never before.
The introduction of legendary judo and ju-jitsu practitioner Dave Camarillo should also take John Wick to the brink. That's before you factor in the inclusion of actor Hiroyuki Sanada and Hong Kong action icon Donnie Yen as a new antagonist named Caine. So, how is it possible to make it out of a fourth movie alive?
How Should The Franchise End?
Stahleski seems to be acutely aware that the future of John Wick looks grim. "Honestly, I challenge you right now, here's a question to you: How do you f***ing want me to end it?" It's just not realistic for a character with such a dark past to ever have a chance at contentment. That opportunity was already ruined during the first opening minutes of the first film. Stahleski broke it down in brutal fashion, telling Indiewire:
"Do you think he's going to ride off into the f***ing sunset? He's killed 300 f***ing people and he's just going to [walk away], everything's okay? He's just going to fall in love with a love interest? If you're this f***ing guy, if this guy really exist[ed], how is this guy's day going to end?"
That's a very blunt way of putting it, but Stahleski isn't wrong. No matter what happens by the time the franchise wraps up, John Wick is a marked man. "John Wick: Chapter 4" plans to trot around the globe and introduce multiple storylines, while also premiering what are sure to be some of the greatest action set pieces seen in recent history. A crossroads is coming, however. Do we, as an audience, care more about the mythology or the man? Reeves has elevated this character because of his relatability. We root for him, even if he knows deep down that there is no going back. Stahleski knows it, too. "He's f***ed for the rest of his life. It's just a matter of time." The Baba Yaga may have finally met his match when "John Wick: Chapter 4" fires its way into theaters on March 24, 2023.
Horror fans are no strangers to the curse of deleted scenes and the seemingly arbitrary nature of the MPAA. Genre heavyweights like Brandon Cronenberg must contend with a rating system that can make or break a film, while studios cut R-rated features, endeavoring to garner that more accessible, ever-so-profitable PG-13. Throughout horror history, there are hundreds of excised scenes, some of which, including the now infamous baboon from "The Fly," are readily available, with others, such as many "Friday the 13th" deaths, relegated to the annals of "could have been."
Even more curious, however, are ideas so brutal they were never filmed, to begin with. While brutality at times seems to be the genre's core attraction (there are nine "Saw" movies, after all), there are times when, either at the behest of a studio or filmmaker, planned scenes are scrapped. While the reasons differ from production to production, here we'll be looking at six ideas from famous horror movies that were too brutal to put on film.
The Meg's R-Rated Cut
"The Meg" wasn't the disaster it easily could have been. While not exactly a critical darling, "The Meg" performed well enough to merit a sequel, the forthcoming "Meg 2: The Trench" from "Kill List" director Ben Wheatley. A bonafide popcorn movie, "The Meg" had a hard road getting to theaters, eventually becoming a U.S.-China co-production. Consequently, there were a lot of hands involved all the way through to ensure "The Meg" performed well both domestically and in China.
One of the clearest decisions was making "The Meg" PG-13. While fans of the source material were likely disappointed to see their favorite giant shark neutered for profits, the decision doesn't hamper the film that much. An R-rated cut would be cool, though, according to director Jon Turteltaub, audiences will never have a chance to see it. In an exclusive interview with Bloody Disgusting, Turteltaub recounts plans for a much more violent megalodon, with some scenes either being filmed or in the beginning stages of visual effects development. According to Turteltaub, "It's too fun a movie to not let people who don't like blood and people who are under, say, 14 years old into the theater." He later explains that within the constraints of modern filmmaking, those few scenes filmed still aren't available since the cost of completing the VFX simply wouldn't be worth it. For anyone with children, thank them the next time you watch "The Meg."
Alien's Alternate Ending
Even avowed fans of certain movies can learn a little tidbit that completely recontextualizes their attitude toward one of their favorites. There's no denying Ridley Scott's "Alien" is an absolute masterpiece. One of the scariest films ever made, Scott's attempt to make a haunted house movie in space, swapping ghosts for a nasty, slimy alien, is historic. With a longstanding and ongoing franchise (the FX series premieres in 2024), the first "Alien" was the little Xenomorph that could. Only, it almost didn't — if Scott's original scripted ending had been used.
In both the theatrical and director's cuts, Sigourney Weaver's Ellen Ripley defeats the Xenomorph before entering stasis, setting up the events of James Cameron's "Aliens." In an interview with Entertainment Weekly, Ridley Scott revealed his original, brutal ending that had executives threatening to fire him if he proceeded with the grim plan. In her final battle with the Xenomorph, Ripley was poised to lose. The alien was to strike at her, impaling her space helmet and ripping her head clean off. It would have been a brutal way to end the film, one that would have effectively killed the entire franchise.
Dawn Of The Dead's Grim Ending
George A. Romero's "Dawn of the Dead" is one of the greatest zombie movies ever made. It's abounding in gory deaths, sick social commentary, and plenty of undead tension, which undoubtedly continue to influence zombie cinema. While "Night of the Living Dead" kindled the fire, "Dawn of the Dead" ignited it. In "Dawn of the Dead," survivors of a zombie outbreak barricade themselves in a shopping mall, taking on both consumerism and the undead as they endeavor to survive for as long as possible. In the filmed ending, Peter (Ken Foree) and Fran (Gaylen Ross) successfully escape the mall by helicopter.
As outlined by Little White Lies, Romero originally scripted a much darker conclusion that would have seen Peter dying by suicide off-screen (a decision he chooses not to make in the filmed version) and Fran, now without hope, thrusting her head into the helicopter's spinning blades. Speculatively, Romero was said to be so attached to the characters by the time they began to film the end that he couldn't in good conscience have them killed so brutally. Disparate accounts exist as to whether the ending was shot, though as it stands, Fran and Peter survive and fly off into an uncertain, zombie-filled future.
If you or anyone you know is having suicidal thoughts, please call the National Suicide Prevention Lifeline by dialing 988 or by calling 1-800-273-TALK (8255).
King Kong's Spider Pit
The "King Kong" cinematic universe is no stranger to deleted scenes. Peter Jackson's 2005 revitalization of the iconic property features a lengthy deleted scene that sees the core cast battling a monstrous, piranha-esque creature in the rivers of Skull Island. The scene is available on YouTube, with close-to-finished audio and visuals, though the sequence was unfortunately excised from the theatrical cut. Perhaps most infamous, however, is the missing spider pit from Merian C. Cooper and Ernest B. Schoedsack's 1933 original. While Jackson would pay homage to the sequence almost a century later, the original scene remains the subject of intense scrutiny and speculation.
For the uninitiated, the original 1933 film had planned a spider pit sequence that would see Jack Driscoll (Bruce Cabot) and company falling into a pit of arachnoid creatures after King Kong shakes them from a log. In the released cut, the film seamlessly transitions to Jack's escape from the pit, with the other sailors presumably dying from the fall. The plan, however, was to have them devoured by spiders living at the bottom of the pit. Some speculate the scene was scrapped before filming, while others contend footage does exist, though it was scrapped after test audiences deemed it too brutal (which is reasonable). Whether it exists or not, there is some comfort in knowing that, at some point, the 1933 Fay Wray masterpiece might well have been considerably more brutal.
Slender Man's Violent Cut
"Slender Man" sort of came and went. Like the creepypasta phenomenon itself, Slender Man is a mid-aughts artifact, a digital specter of online urban legends and chatroom spookshows (see Marble Hornets). While it would have made considerably more sense for studios to capitalize on the craze when Slender Man was in the zeitgeist, that didn't happen. As a result, "Slender Man" arrived too little, too late, with the added controversy of releasing in an environment where Slender Man was in the news for very different reasons.
According to Bloody Disgusting, Screen Gems radically reworked "Slender Man." First, for a more teen-friendly tone, David Birke's screenplay was rewritten, scrapping the more adult content for something more accessibly PG-13. Compounding the problems was a real-life case of a "Slender Man" stabbing. Both Sony and Screen Gems opted to cut several key scenes, including a few glimpsed in "Slender Man'" trailer, to sidestep the controversy of ostensibly exploiting a real-life crime. As Bloody Disgusting contends, the combination of script changes and cut scenes results in a movie that doesn't feel much like a movie at all. Whatever "Slender Man's" legacy should have been, this is certainly not it.
Terrifier 2's Balloon Animal Anatomy
Much like the first "Terrifier," Damien Leone's "Terrifier 2" revels in brutality, so much so the sequel had audiences walking out of the theater, some sick to their stomachs because of the violence on display (just thinking about that salt scene is nauseating). Yet, for as brutal as "Terrifier 2" is, for as much as it seems filmmaker Leone doesn't have a single line he's not willing to cross, there is one taboo, and it involves a little bit of male anatomy.
In the released cut, Art the Clown (David Howard Thornton) stabs Jeff (Charlie McElveen) directly in the junk. It's a brutal scene, and audiences might wonder how the graphic death could have been any worse. In an interview with Variety, Leone remarked how the scene was originally scripted as much worse, with Art "possibly making a balloon animal out of it." Leone passed on the idea once filming began, worried the death was taking things considerably too far. It was likely the right call, too. Despite the uber-violence and 138-minute runtime, "Terrifier 2" was a staggering success. There's a delicate balance with making a slasher of this violent scale work, and balloon animal genitalia might have been a step too far.
Thomas Mahler, the CEO of Ori developer Moon Studios, has taken to Twitter to talk about the studio's next game.
Moon Studios is currently actively working on a new game, which, according to Mahler, will be a "full-blown ARPG". Work on the project began following the release of Ori and the Blind Forest in 2015 but was given more time in the oven in order to work on Ori and the Will of the Wisps. Interestingly, Mahler initially called the Ori franchise, the studio's 'Mario', while its upcoming new title was believed to be the studio's 'Zelda', thereby referring to Nintendo first making a platformer before making an adventure game.
Ori was our 'Mario', this is our 'Zelda'.
That was my thought when I first started prototyping our new project back in 2015.
We then committed to Wisps, which allowed us to give this project more time in the oven so that we'd then be able to turn it into a full-blown ARPG.
Published by Xbox Game Studios, Ori and the Blind Forest as well as Ori and the Will of the Wisps initially launched for Xbox and PC but were later also released for the Nintendo Switch. Unfortunately, those on PlayStation platforms were never able to enjoy these amazing Metroidvania's. According to the Ori director, he's actually not that fond of exclusive titles, and this was one of the main reasons that Moon Studios teamed up with Take-Two Interactive’s indie label, Private Division back in 2020.
That was the main reasons we signed this title with @PrivateDivision!
Despite your name, I'm not into 'exclusives', at least for our studio. I want everyone to be able to play our games!
As for Moon Studios' upcoming new action RPG, Mahler believes that the team will be able to further improve upon the standards for open-world RPG game design set by FromSoftware's Elden Ring and The Legend of Zelda: Breath of the Wild.
"Even BotW and Elden Ring had 'empty spots' due to the way they did their open worlds", Mahler writes on Twitter. "I think we can improve that a bit And yeah, we're definitely taking cues from Diablo 2, Ultima Online, Souls, etc. We're not making an Action-Adventure, but a full-blown ARPG!"
Interesting details from Mahler for sure. Moon Studios' next game has yet to receive a release date, but we'll update you as soon as more information comes in.
The latest game to get the reverse-engineering treatment is The Legend of Zelda: A Link to the Past, Neowinhas reported. A GitHub user called snesrev has fully ported the game to PC using over 80,000 lines of code, while adding some extra enhancements. Those include support for enhanced aspect ratios and pixel shaders, a higher quality world map, secondary item slots and more.
The version was re-engineered in C code, and requires libraries from the SNES emulator LakeSNES. It features all the same levels, enemies and puzzles of the original game, and can even run the original machine code alongside the ported C version. Another GitHub user, xander-haj, showed exactly how it works compared to an emulation in a YouTube video from last year.
The ported version of Link joins other recent projects, notably Star Wars: Dark Forces, that have been fully ported to PC. Unlike emulation, which effectively transforms your PC into an old console, reverse-engineered games are rebuilt from scratch, which allows for added features like the widescreen and pixel shades inserted by snesrev.
Savvy users could create this build on Windows, Mac, Linux and even the Nintendo Switch, with more platforms potentially doable down the road. It's on shaky legal ground, however. For example, after someone did a very cool PC port of the classic Super Mario 64, Nintendo cracked down and links to the download disappeared from file-hosting websites.
E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month.
The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia,
About SecurityWeek Cyber Insights |At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Zero Trust and Identity and Access Management (IAM) – Zero trust is not a replacement for identity and access management (IAM), it is an extension in extremis. It is the extension of IAM principles from people to everyone and everything, everywhere and anytime. The difficulties in IAM are retained but are complicated by the complexity of installing it everywhere.
Nevertheless, zero trust is widely seen as an important part of effective cybersecurity. In 2023 we will see more vendors touting a complete zero trust product and/or methodology, and more businesses attempting its implementation.
Here we examine how this might progress through 2023.
Background
Zero trust is a natural evolution from the realization that company networks no longer have a perimeter that can be defended. With no perimeter to defend, every asset needs to be individually protected, and every access needs to be individually verified. Location means nothing – access to anything from anywhere must always be verified before it is granted.
It is a short step from this to realize such verification should apply within the network as well as from outside: east-west (where it is also called ‘microsegmentation’) as well as north-south. Achieve this, and you have fulfilled the journey to zero trust.
Zero trust is the replacement of a defensible data center perimeter with individual defensible asset perimeters – from one to potentially millions.
The DoD Zero Trust Reference Architecture, referred to in an OMB memorandum in January 2022, describes the concept: “Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Zero trust requires designing a consolidated and more secure architecture without impeding operations or compromising security. The classic perimeter/defense-in-depth cybersecurity strategy repeatedly shows to have limited value against well-resourced adversaries and is an ineffective approach to address insider threats.”
The OMB memorandum goes on to state, “This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.” Two things are immediately apparent: firstly, there will be extensive activity within federal agencies through 2023 to fulfill this requirement (and associated vendor activity to help them achieve this); and secondly, it is no simple task. The trickle-down effect of federal mandates will ensure that adequately resourced private industry will follow.
“Zero trust represents a fundamental shift in the way in which organizations view and approach risk (and in turn security),” explains Chris Denbigh-White, cybersecurity strategist at Next DLP. “Moving through 2023 many organizations are going to realize that zero trust is not so much a destination as a means of conducting the journey of information security. Yes, technology will play a vital role in this journey but should never be confused with the end of the conversation, or indeed the end of the journey.”
It is worth noting that some vendors call their preferred route to zero trust ‘zero trust network access’ (ZTNA). You can get further details on ZTNA here – but within this article we will treat the two terms (zero trust and ZTNA) indiscriminately.
Problems and issues for 2023
“The most common mistake organizations make deploying zero trust or microsegmentation is underestimating the complexity of their network,” says John Yun, VP of product strategy at ColorTokens. “An effective zero trust implementation requires the knowledge of all servers, applications that run on the servers, and users authorized to use those applications.”
Matthew Carroll, CEO and co-founder of Immuta, warns that zero trust should not be considered a complete solution on its own. The problem that it seeks to solve is partly due to the massive increase in data sharing that has arisen through the growth of cloud-based SaaS infrastructures. This will result in an increase in data processing agreements (DPA) between companies and SaaS providers. “In 2023, we’ll see DPAs become a standard element of SaaS contracts and data sharing negotiations.”
He still fears that zero trust alone will not provide adequate security. “In 2023 we’ll see a major shift in data security architecture. This will include proper access controls that effectively balance access and security.” But he adds, “Zero trust won’t work using traditional approaches because there are too many endpoints.” Implementing a zero trust approach for access must still be integrated with adequate anomaly detection – zero trust for access should not be at the expense of internal visibility.
The effect of Covid-19 has increased the importance of a zero trust architecture. “The Covid-19 pandemic ushered in a new era of remote and hybrid working,” says Craig Lurey, CTO and co-founder at Keeper Security. “The explosion in the sheer number of endpoints, with an increasing amount of them accessed remotely, requires a higher level of security to tackle growing online threats. Under this new normal, zero trust is now the only realistic and comprehensive framework for securing modern, cloud-based data environments and distributed workforces.”
Joseph Carson, chief security scientist at Delinea, adds, “A zero trust approach will become more essential than ever as the transformation continues. Employees should have access only to what they need to efficiently do their job. This will ensure that an attacker’s ability to move within the larger business network is limited and the attack surface reduced.” But he also notes that this could raise privacy issues if employers impose conditions on personally owned computers.
“It appears remote work is here to stay and will increase into 2023,” says John McClurg, SVP and CISO at BlackBerry. “Enterprises should look to adopt a zero trust architecture and security model to truly secure their remote workforces. This model is defined by trusting no one and absolutely nothing by default – including users inside an actual network. By assuming every user, device or network is hostile, zero trust security forces everyone to prove who they are before access is authorized.”
The urgency of the pandemic and the consequent rush to implement remote working is in many cases causing problems for the integration of an overarching zero trust solution. “The majority of organizations today still struggle with allowing explicit access to applications and enforcing zero trust policies across their business. In fact, over 80% of organizations have found it difficult to implement a zero trust model, and that has a lot to do with the fact that many organizations have hybrid IT architectures,” explains Peter Newton, senior director of products at Fortinet.
The problem is that it is too cumbersome to have one set of policies for on premises and an entirely different set of policies for the cloud. Consequently, he says, “In 2023 we will see more IT teams shift to incorporate ZTNA across the entire network – from cloud to on-premises – for universal coverage under a single solution. And as ZTNA begins to go mainstream in the enterprise, we’ll start to see organizations transition away from a pay-per-user model and start to bake ZTNA directly into their security architecture for a more seamless and consistent user and management experience.”
At its root, zero trust is a major extension of identity and access management (IAM) – but IAM itself is a problem that has never yet been completely solved. “Organizations are still learning the concept of identity sprawl and the scale of their technical debt, which means that companies are just starting to realize the scale of the challenge,” comments Wade Ellery, field CTO at Radiant Logic.
“In 2023, we are going to see more and more businesses slow down to speed up –they’ll recognize they need to put in an identity data foundation before they can justify building new, revenue-oriented projects that demand access to identity.”
For zero trust, he added, “As we move into 2023, senior decision-makers and security teams are discussing how they can achieve a granular-approach in real-time, and ultimately, they will come back to the issue of identity data management.”
More and more companies are recognizing the theoretical security benefits of zero trust and are starting their own journeys. In 2023, the difficulties in doing so will become more apparent – but it’s not all doom and gloom. “To a certain extent, factors such as internal politics, talent shortages, and economic conditions play a role in any IT project,” comments Hendra Hendrawan, security technical councilor at the Info-Tech Research Group. “Still, organizations with a good IT or cybersecurity strategy should embark on the zero trust journey with fewer frictions.”
At a high level, he says a successful IT implementation generally consists of well-documented processes, good selections of technology, and great talents. “Couple these with a solid security strategy, and achieving a zero trust architecture should not be a question of how but of when.”
That ‘when’ will be many years in the making. “Zero trust is a security model, not a product. Adopting zero trust across an enterprise requires careful planning and the use of complementary, multi-vendor solutions,” warns Torsten Staab, principal engineering fellow at Raytheon Intelligence and Space. “For many organizations, adopting zero trust security will be a multi-year journey. Establishing a solid zero trust strategy up front and developing a phased, step-by-step implementation plan to avoid boiling the ocean and losing focus will be key to a successful zero trust implementation.” But for 2023, he added, “Look for additional zero trust implementation guidance and recommendations from NIST and CISA.”
Foundational to implementing zero trust will be solving the existing IAM problems – and that will not be easy. The traditional approach has been to implement basic MFA involving a second-factor token delivered via a mobile phone – but such MFA is frequently broken by hackers.
“My prediction for 2023,” says Ben Brigida, director of SOC operations at Expel, “is that we will witness an increase in MFA push notification fatigue attacks. Why? Because they’re working. More and more, organizations are turning to cloud access identity providers for single sign-on capabilities. Attackers know that if they can get their hands on credentials for these platforms, they’ll get access to critical business applications—not just email. So, they’re sending multiple push notification requests to users and hoping the user will just approve one to make the notifications stop.”
Chris Vaughan, VP technical account management, EMEA and South Asia at Tanium, calls this an MFA push exhaustion attack. “This is where an attacker sends a large number of MFA acceptance prompts to users’ phone which may cause them to click accept to stop the barrage of requests. This has been largely successful in gaining access to user data and accessing IT environments.”
“Once considered a ‘silver bullet’ in the fight against credential stuffing,” adds Marcus Fowler, CEO of federal government for Darktrace, “it hasn’t taken attackers long to find and exploit weaknesses in MFA and they will continue to do so in 2023.”
John Stevenson, senior product director at Cyren, expands on the problem: “Phishing will remain an unsolved problem leading to countless account takeover attacks. As businesses enable MFA, phishers will update their tactics to defeat additional verification steps like one-time codes sent to phones or email addresses. So-called strong authentication methods that rely on mobile phones and email accounts (that were never intended to be identities) will be the first to prove insecure for high-risk use cases. Passwordless authentication won’t yet solve these issues due to insufficient lifecycle management solutions and incompatibility with legacy systems.”
John Pescatore, director of emerging security trends at SANS, sees an additional phone-based threat to identity management. “While mobile phones are more secure than desktops,” he comments, “we will also see a greater volume of stalkerware included in downloaded apps that target consumers.”
Pegasus spyware is a prime example of this threat – it can install itself on iOS and Android devices with zero clicks. Hackers are also creating malicious stalkerware apps and hiding them in app stores.
“As people become more accustomed to downloading family tracking software and giving away app permissions, the risk of having their keystrokes, locations, voice, and even photos and videos recorded for financial theft and other nefarious purposes will also increase.”
If second-factor one-time codes and passwordless authentication are not the solution to the IAM issue. an alternative must be found. Many have been suggested, from physical biometrics (including touchless fingerprinting) to behavioral biometrics and more.
“Touchless fingerprinting will emerge as the top authentication method,” claims Chace Hatcher, VP of technology and innovation at Telos. “In 2023, organizations with a pre-existing fingerprint database infrastructure will increasingly turn to touchless fingerprinting to perform remote biometric identity verification”, he says. “With regards to authentication, we’ll see identity platforms backed by multi-modal true biometrics face and fingerprint and ‘convenience biometrics’ embedded mobile solutions like faceID and touchID emerge.”
“In 2023, more people will protect their critical accounts with methods other than logins and passwords,” adds Ricardo Amper, founder and CEO at Incode. “When creating accounts, they will provide multiple factors such as biometrics, government-issued identity documents, and information from reliable sources to prove their identities. When authenticating access to these accounts, they will use biometrics, providing more security for their private data.”
Donnie Scott, CEO at Idemia, has a more specific US identity prediction for 2023. “In 2023, every jurisdiction that issues an identity will have deployed, be in the process of deploying, or considering the deployment of a digital form of mobile identity/mobile-driver’s license. Arizona was the first US state to adopt mobile IDs followed by Oklahoma, Delaware, and Mississippi. Up to 30 states, including Colorado, Hawaii, Ohio, and the territory of Puerto Rico, are in the process of making mobile IDs available to their residents. We will only see this increase.”
He is very upbeat about the potential. “The benefits of this model, where biometrics meets identity, are a citizen-controlled assertion of identity, backed by the Government’s high standard of proof against who that person is. This combination results in a high assurance, privacy protected model.”
But the problem for this, and virtually every other means of remote identification, is that ultimately it identifies a mobile phone and not necessarily the owner or current user of that phone. A compromised phone can still lead to a compromised identity. Absolute proof of personal identity for perfect zero trust is very difficult.
And we haven’t even mentioned machine identities, which are equally important in a zero trust architecture, and present their own problems.
Summary
“Modern security solutions that remove the implicit trust from users, devices, services, and workloads, regardless of the location will become the norm,” says Stefan Schachinger, product manager network security at Barracuda. “The ‘context’ of who, what, when, where, and how will become key security components in a world of continuous zero trust evaluation that will defend against ever more stealthy threats. In 2023, just detecting and blocking malicious events will no longer be sufficient. You need to investigate and remediate everything.”
Achieving a solid zero trust architecture won’t happen overnight. It’s not a product you can buy and run. It will require the integration of different security solutions – some of which may already be present while others will need to be purchased, implemented, and integrated, seamlessly. Many companies will start the journey in 2023, and many others will make progress – but getting close to the destination will probably take years.
Nevertheless, “Zero trust represents a new cybersecurity paradigm that offers numerous benefits to organizations of all sizes and industries. Deploying a zero trust approach to access management can be especially effective, creating a virtual ‘locking of shields’ between governments and the private sector,” says McClurg. “This allows for closer cooperation to better protect critically important infrastructure and services.”
“I like to keep this stuff abstract,” Steve Riley, field CTO at Netskope, told SecurityWeek. “I want to eliminate implicit trust from every layer: from the network, from applications, from virtual machines and from the data objects. Instead, I want the situation where every interaction is mediated by something, and the level of confidence in that interaction is measured by the context and the signal surrounding.”
Bruce-O-RamaCult favorite genre film star (Evil Dead, Bubba Ho-Tep, Spider-Man) and popular host of “Last Fan Standing” Bruce Campbell hits the road this spring with a 22-city tour, BRUCE-O-RAMA starring Bruce Campbell, starting Wednesday, April 5.
Recognizing his god-like status in the horror and fantasy worlds – best-loved for the Evil Dead franchise as chainsaw-wielding Ash Williams (voted the greatest horror movie character ever by Empire magazine) – the Wall Street Journal calls Bruce Campbell “the consummate celebrity of the Comic-Con circuit,” while Esquire crows that he “has become America’s new favorite game show host!” Evil Dead Rise, the fifth installment of the franchise which Campbell executive produced, comes out on April 21, 2023.
A two-part evening of indulgent fun, BRUCE-O-RAMA begins with “Last Fan Standing,” the only interactive game show exclusively for fans of pop culture. Praised by Variety as “an unrivaled celebration of pop culture obsession and fan engagement,” “Last Fan Standing” is a fast-paced trivia game that tests superfan knowledge about the things that really matter: fantasy, horror, sci-fi, superheroes and gaming. Everyone in the audience gets to play, guided by the hosting prowess of Bruce Campbell and producer Steve Sellery. In the second half, Bruce will introduce a cult film favorite he’s starred in and take questions before the screening in a lively half-hour of anecdotes, insults, and random cash giveaways.
For a few thousand lucky fans, BRUCE-O-RAMA is set to hit the following markets this spring:
April 5: Greenville, SC (Gunter Theatre @ The Peace Center)
April 6: Cincinnati, OH (The Taft Theatre)
April 7: Pelham, TN (The Caverns)
April 8: Atlanta, GA (Variety Playhouse)
April 10: Durham, NC (Carolina Theatre-Fletcher Hall)
April 11: Richmond, VA (The National)
April 12: Reading, PA (Santander Performing Arts Center)
April 13: Rockville, MD (Robert E. Parilla Performing Arts Center)
April 14: Glenside, PA (Keswick Theatre)
April 15: Patchogue, NY (Patchogue Theatre)
April 16: Beverly, MA (Cabot Theatre)
April 18: Buffalo, NY (Buffalo Riverworks)
April 19: Pittsburgh, PA (Stage AE)
April 20: Cleveland, OH (Agora Theater & Ballroom)
April 21: Columbus, OH (KEMBA Live!)
April 23: Royal Oak, MI (Royal Oak Music Theatre)
April 24: Indianapolis, IN (Clowes Memorial Hall)
April 25: Chicago (The Vic Theatre)
April 26: Des Moines, IA (Hoyt Sherman Place)
April 27: Kansas City, MO (Uptown Theatre)
April 29: Oklahoma City, OK (Tower Theatre)
April 30: Dallas, TX (Texas Theatre)
Tickets for each location are available at www.bruceorama.com. VIP tickets are available including preferred seating, photo-op with Bruce and signed tour poster. In select markets, there will also be an “Ultimate Fan Package,” which additionally includes a Bruce-autographed chainsaw!
OpenTTD v13.0 is released. OpenTTD is an open source simulation game based upon the popular Microprose game "Transport Tycoon Deluxe", written by Chris Sawyer. It attempts to mimic the original game as closely as possible while extending it with new features....More
A security vulnerability report claimed that a particular program did not store its saved passwords in the Windows Credential Manager securely:
Microsoft’s Contoso program does not encrypt user passwords before saving them in the Windows Credential Manager. As a result, any program that runs with the user’s credentials can read the passwords. The Contoso program should save encrypted passwords in the Credential Manager.
There was another report that put the blame on Credential Manager:
Credential Manager should require administrator privileges to read a user’s saved credentials.
The perceived issue here is that one program can read the passwords saved by another program, and that other program should encrypt its paswords so that they can be decrypted only by that program. Rogue programs enumerating the contents of the user’s saved credentials would be stymied because they don’t know how to decrypt the data.
But if you have gained the ability to execute code in the context of the victim, then you’ve already won. You can do anything the victim can do!
It’s like saying, “I am a bad guy from a 1960’s spy movie. I have successfully hypnotized the victim into obeying all of my commands, while nevertheless behaving perfectly normally. I tell the victim to go to the bank, withdraw all their money, and bring it to me. This is a security flaw in the bank. It should not allow hypnotized people to withdraw money!”
The bank did its job, which is to confirm the identity of the person withdrawing the money. The person at the counter did nothing to draw suspicion, and all the paperwork checked out, so they got their money.
The system sees that there is a process running as the user, and that process is asking for the password that the user had saved earlier. Now, certainly, users are permitted to access the passwords that they had saved (that being the point of saving the password), and the Credential Manager is correct in returning those saved passwords to that user. The information is not being disclosed to other users: Users can access their own saved passwords, but they cannot access the saved passwords of other users.
Encrypting the data before putting it in the password cache sounds like it would stop an attacker, but it doesn’t. Since the original program must be able to decrypt the data, the attacker can analyze the original program and re-run the decryption function. In the attacker is being lazy, they can just run the original program and set a breakpoint immediately after it decrypts the password.
You might think that you could protect yourself from hypnosis-induced bank withdrawal by telling the bank, “Before giving me any money, make sure to ask me this secret security question.” But that doesn’t help, because even though you’ve been hypnotized, you still know the answer to the secret security question. The hypnotized-you goes to the bank, the bank teller asks the security question, you answer it, get your money, and give it to the 1960’s evil bad guy.
And of course requiring administrator privileges to retrieve your own saved passwords would be a non-starter. Every time you want to use a saved password, you have to call your administrator to get it for you?
Allowing users to retrieve their own saved passwords is perfectly normal behavior. No security boundary is crossed, and the information is disclosed only to the user to put the information there in the first place.
If you let someone run arbitrary programs under your identity, you have handed over control of everything tied to your identity, and that includes your saved passwords.
Bonus bogus vulnerability: Suppose you create a shortcut to the command line runas /savecred /user:.\administrator someprogram.exe, and you run the shortcut, and an administrator comes over and types their password when prompted. A security vulnerability report claimed that there is an elevation of privilege vulnerability because an attacker can edit the shortcut to read runas /savecred /user:.\administrator cmd.exe and gain an administrative command prompt.
That’s true, but that’s also the whole point of /savecred.
The /savecred option means “Use the saved credentials from the Credential Manager, or prompt for credentials (and save them in the Credential Manager).” They are not saved in the shortcut at all. Not that saving them in the shortcut is even an option, because you can run runas from a command prompt, and in that case there’s no shortcut.
If you call over an administrator and get them to type their password into your system, then you found yourself a gullible administrator. In this case, what you tricked them into doing is adding their password to your password cache. It’s like calling an administrator to your Web browser and asking them to type their password into a Web site. That password is going to be saved in to your Web browser password cache, and you can now extract it from that cache and reuse it for anything you like.
The point of /savecred is to let you save your own credentials so you don’t have the hassle of typing them over and over into places you use often. If you can trick an administrator into putting their password into your saved credential cache, then more power to you (and shame on the administrator).
It's taken a bit of time for "Star Trek: Picard" to circle back to the series that started it all. Fans of "Star Trek: The Next Generation" naturally expected "Picard" to serve as a reunion of sorts, bringing Patrick Stewart's Picard and his Enterprise crew back together for some 25th Century adventures. But with the exception of old friends like Data (Brent Spiner), William Riker (Jonathan Frakes), and Deanna Troi (Marina Sirtis), the past two seasons of "Picard" have been all about the titular Starfleet admiral and his new crew.
Executive producers Alex Kurtzman and Akiva Goldsman were likely keen to explore new territory, which was probably the best decision. But with "Picard" moving into its third (and final) season, showrunner Terry Matalas naturally wanted to end things on a high note. That meant bringing back the original "Next Generation" cast for one last adventure. It felt like a natural progression for sure — but even so, Matalas wasn't sure how Stewart himself was going to receive the pitch.
'After A Bottle Of Wine, We Were Off To The Races'
Matalas spoke to SFX (via CBR) about his decision to turn season 3 of "Picard" into a "Next Generation" reunion — as well as his reservations with pitching it to his leading man. Matalas became showrunner shortly before season 2, and learned then that Kurtzman and Goldsman "were always thinking about each one of these seasons being a different story." When it came time to start building out the story for season 3, Matalas knew he wanted to go big. "I had certainly always wanted to do one final Star Trek: The Next Generation adventure, but wasn't certain that Patrick would be up for it," he continued. In hindsight though, he needn't have worried: once Stewart sat down to hear the pitch, it seemed to be smooth sailing:
"I sat down with Patrick at his dining room table and took him through what I thought was the final story of Picard, and some arcs that I felt needed to be paid off for his character and some relationships and some storylines and, after a bottle of wine, we were off to the races."
Clearly, Matalas got his wish in a major way. While this could potentially be the last we see of Picard, at least fans will be treated to a reunion before it all ends. Season 3 of "Picard" will see Stewart reunite with Jonathan Frakes, Michael Dorn, Marina Sirtis, LeVar Burton, and Gates McFadden for their first adventure in 20 years — and it may never have happened if Matalas hadn't presented his own idea to Stewart himself.
An anonymous reader shares a report from Ars Technica:
The month before Dwarf Fortress was released on Steam (and Itch.io), the brothers Zach and Tarn Adams made $15,635 in revenue, mostly from donations for their 16-year freeware project. The month after the game's commercial debut, they made $7,230,123, or 462 times that amount....
Tarn Adams noted that "a little less than half will go to taxes," and that other people and expenses must be paid. But enough of it will reach the brothers themselves that "we've solved the main issues of health/retirement that are troubling for independent people." It also means that Putnam, a longtime modder and scripter and community member, can continue their work on the Dwarf Fortress code base, having been hired in December.
The "issues of health/retirement" became very real to the brothers in 2019 when Zach had to seek treatment for skin cancer. The $10,000 cost, mostly covered through his wife's employer-provided insurance, made them realize the need for more robust sustainability. "You're not just going to run GoFundMes until you can't and then die when you're 50," Tarn told The Guardian in late 2022. "That is not cool." This realization pushed them toward a (relatively) more accessible commercial release with traditional graphics, music, and tutorials.
Dell is eliminating about 6,650 roles as it faces plummeting demand for personal computers, becoming the latest technology company to announce thousands of job cuts. From a report: The reduction amounts to about 5% of Dell's global workforce, the company said in a regulatory filing early Monday. Dell is experiencing market conditions that "continue to erode with an uncertain future," Co-Chief Operating Officer Jeff Clarke wrote in memo viewed by Bloomberg.
Much has been made of "The Thing," John Carpenter's 1982 box office bomb-turned-genre darling. Whether it's Bill Lancaster's adapted script of John W. Campbell Jr.'s 1938 novella "Who Goes There?," Rob Bottin's gnarly special effects (with an assist from dog-Thing creature designer Stan Winston), or Carpenter's meticulous direction that's light on the jump scares and heavy on the dread, the result is now considered one of the great gargoyles in the horror movie pantheon. Though the story is about an alien organism infiltrating an Arctic research post, and though there are plenty of tentacles about, the narrative is largely character-driven as paranoia and mistrust grow among the isolated cadre of men, led by Kurt Russell's pilot, R.J. MacReady.
A 2016 LA Weekly interview with the cast and crew yields insights from the film's production. Therein, Carpenter called the shoot "intimidating," as he had to wrangle multiple accomplished actors — some of whom, like Keith David and Donald Moffat, came from the theatrical stage. It would be during a half-month of rehearsals prior to filming that these actors fine-tuned their characters further than Lancaster's script or Carpenter's extensive storyboards had. Naturally, they turned to their captain for direction. Carpenter told LA Weekly:
"I didn't have experience working with an ensemble cast. So I brought an actor into my office and talked with him about his process. That conversation didn't give me any specific ideas for the movie, but it got me thinking about what my job is: Giving the actors whatever they need to give a good performance. So for two weeks I rehearsed with all of these guys. I asked questions of them, and they asked questions of me."
For some, the chief question was just where the line of delineation lies between the Thing's consciousness and the person it occupies.
If I Was An Imitation, A Perfect Imitation, How Would You Know If It Was Really Me?
In the movie, senior biologist Blair (A. Wilford Brimley) and physician Copper (Richard Dysart) address the mechanics of the Thing, albeit in a limited way. "What we're talkin' about here is an organism that imitates other lifeforms," observes Blair, "and it imitates 'em perfectly." It attacks, absorbs, and shapes itself as a carbon copy of its host, indistinguishable from the person it targets. You don't need a whole taxonomy classification to understand that; as Richard Masur's Clark says, "It's weird and pissed off, whatever it is."
The Thing can't be detected unless it's compelled to reveal itself (such as in the celebrated blood test scene), and several cast members questioned if and when their characters knew they were infected. David Clennon, who plays assistant mechanic and resident stoner, Palmer, recalled hours of rehearsal time spent "discussing f***ing metaphysics" about the infection:
"Some of the actors were obsessed with this question: When you become the Thing — when the alien takes over your mind and body — do you know that you've become the Thing? Or do you just go on thinking that you are your old self? I couldn't see the point of solving that silly riddle."
Carpenter remembered Russell as being the most persistent with this question. He told LA Weekly:
"The big question that kept coming to me was: If you were a Thing, would you know? I think Kurt Russell started that one. I said, 'I think you would.' But he kept asking that question, so I don't think that answer was sufficient."
It's an answer /Film's Eric Vespe keeps in mind as he explores the theory that MacReady was not only infected at some point, but he knew it. Dive down that rabbit hole here.
In a franchise inching towards double-digit entries and with as big of a cast as "Fast & Furious," where it's not a guarantee that everyone in the audience has watched (or remembers) all the previous installments, it's important to give each character a quirk that makes them instantly memorable. People who missed the second movie might not know the name of Tyrese Gibson's smartass, but his constant wisecracks make us care about him anyway on a film-to-film basis, even if he's rarely the main focus of any given scene.
Likewise, those who missed out on "Tokyo Drift" may not understand how Han Lue (Sung Kang) came in, but it's still easy to keep track of him as that guy who's always snacking on something. (He's also the guy fans rooted to bring back.) Not only is it a relatable character trait — who among us would not like to have a snack on hand throughout any given situation? — but it's one that is consistent with his backstory and personality. As a former chain smoker, Han needs to be doing something with his hands to avoid the temptation to relapse. He's also perhaps the most laid-back person in the crew, and nothing says laid-back like someone hanging out in the corner, just eating his chips.
But for director Justin Lin -- who first joined the franchise with "Tokyo Drift" and stuck around for the fourth, fifth, sixth, and ninth films -- every choice about Han's snacking is made far less casually than you would think.
'We Cannot Fake Han's Snacks'
"It just can't be a regular snack," Justin Lin told Collider in an interview in 2021, ahead of the Blu-ray release of F9. "And talking to Sung, I think they had to go — like, they had to import those crackers, you know? And I was adamant, I was like, 'We cannot fake Han's snacks. It doesn't matter.'" This is why you never see Han eating Cheez-its or M&Ms; he's always munching on something you wouldn't typically find in an American vending machine. For a character who hails from Japan, he's got Japanese snacks like Kameda Seika Kakinotane Rice Crackers or Meiji Hello Panda Cookies. Lin added: "Having worked with Sung, like even the way he tosses it, you know, it had to be natural. So I remember that was a big thing."
While all of this may sound ridiculous, it's part of the authenticity that helps sell the character. While most viewers may not notice, you can expect Japanese audiences to question what's going on. It's a similar kind of attention to detail that inspired William Hartnell, the first Doctor on "Doctor Who," to decide the exact function of every button and lever on the TARDIS control panel and keep it consistent (via "About Time"). Keen-eyed viewers might have picked up on the fact that he was pressing buttons at random, and it would've made the show feel a little less authentic.
As cartoonish and absurd as "Fast & Furious" has gotten over the years -- in the latest entry, they ended up in space -- the franchise has always seemed to understand that when it comes to the little things that make a character seem real, being authentic and consistent is still crucial.
An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware.
"The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a
When SaaS applications started growing in popularity, it was unclear who was responsible for securing the data. Today, most security and IT teams understand the shared responsibility model, in which the SaaS vendor is responsible for securing the application, while the organization is responsible for securing their data.
What’s far murkier, however, is where the data responsibility lies on the
DOStodon is a Mastodon client for DOS. It is implemented in Javascript and relies on (a yet unreleased version of) DOjS to run. The latest version includes these changes: + Changed some colors for a better color scheme + Improved thread view with colors + Select entries in thread-view + Thread view now stacks + You can now change settings in the config dialog. Get the new version from DOStodon on GitHub.
When a filmmaker writes and directs their own script, they run the risk of comparing their strengths and weaknesses. Take Zack Snyder — few would say he can wield a pen as well as he can a camera. On the flip side, there's Joss Whedon; his writing has shaped pop culture, for better or worse, but his visual craftsmanship never grew beyond 1990s network TV.
Quentin Tarantino is aware of this dichotomy and it has motivated him to push himself as an artist. In the wake of his breakout run in the 1990s, "Reservoir Dogs," "Pulp Fiction," and "Jackie Brown," Tarantino was especially praised for his dialogue. With conversations littered with pop culture ephemera, Tarantino's characters don't sound much like real people, but they certainly argue like them. Unlike many other writers famous for stylized dialogue (see the aforementioned Whedon), he gives all of his characters distinct voices too.
But Tarantino felt limited by this praise: "It was like, 'Am I the director that I want to be?" Or do you just do what you've done before because that was just fine? 'You write really good dialogue. Stick with that, buddy. But stay out of [great, cinematic directors'] park, because ultimately you can't cut it." That's why he decided to make "Kill Bill," to see if he could cut it as a great filmmaker, not just a great writer.
'I've Always Adored Action Filmmakers'
Speaking to Rolling Stone in 2003, Tarantino called "Kill Bill," "[His] first action movie." Here's where we make an important distinction between violence and action; Tarantino's films always had the former, but not the latter. When guns are fired in "Reservoir Dogs" and "Pulp Fiction," it always happens in short bursts. The violence and bloodshed aren't meant to look especially cool, at least compared to the sword fights in "Kill Bill." The closest thing to action in the former two movies is the chase scene in "Reservoir Dogs" when Mr. Pink (Steve Buscemi) flees the police. "Jackie Brown," on the other hand, has no action and little violence, which helps explain why Tarantino swung hard in the opposite direction for his next film.
Tarantino explained why he went to action to buff up his filmmaking bona fides. As he put it:
"I've always adored action filmmakers. And those are actually what I consider the real cinematic directors. And so if I'm going to throw my hat in that ring, I want to be one of the best that ever lived. I don't want to do an OK job. I want to rock everybody's f***ing world."
Tarantino is also a known aficionado of Southeast Asian cinema. When listing his favorite movies from 1992 to 2009, he included Japanese action films such as "Battle Royale" and "The Blade." He recruited Sonny Chiba, a Japanese martial artist and genre star, to cameo in "Kill Bill." The finale of "Kill Bill Volume 1," where the Bride (Uma Thurman) and O-Ren Ishii (Lucy Liu) duel in the snow, resembles "Lady Snowblood." With these influences, it makes sense that when Tarantino set out to make an action movie, he wound up making a samurai movie.
The Ceiling Of Your Talent
When trying something new, you always risk failing. When doing so publicly, the potential fallout is magnified threefold. Quentin Tarantino directed "Kill Bill" not in spite of that risk, but because of it. He explained to Rolling Stone: "I have an expression that I call "hitting your head on the ceiling of your talent. I wanted to find out where that ceiling was for me. I actually wanted to risk failing."
"Kill Bill" was split into two movies; knowing why Tarantino made the movie helps explain his structural decisions. The action is front-loaded in "Volume 1," from the opening where the Bride kills Vernita Green/Copperhead (Vivica A. Fox) to the bloody spectacular finale, where the Bride invades the House of Blue Leaves with the intention to kill O-Ren, slaughtering her entire Yakuza organization along the way. "Volume 2," on the other hand, is closer to Tarantino's usual oeuvre, relying more on dialogue-driven suspense. In any case, Tarantino's risk paid off; "Kill Bill" was a financial and critical success.
After "Kill Bill," I'd argue that Tarantino has made only one other pure action movie: "Django Unchained," a Spaghetti Western set in the antebellum south. Tarantino is known for unconventional story structure, so seeing him tell a straightforward hero's journey like "Django" practically becomes subversive. Though ultimately heavier on the talking than the shooting, "Inglourious Basterds" comes close to an action movie as well.
Even if he didn't totally reinvent himself, Tarantino definitely took the lessons about how to make violence look cool from "Kill Bill."
Many times, in the course of our work as analysts (SOC, DFIR, etc.), we run tools...and that's it. But do we often stop to think about why we're running that tool, as opposed to some other tool? Is it because that's the tool everyone we know uses, and we just never thought to ask about another? Not so much the how, but do we really think about the why?
The big question, however, is...do we validate our tools? Do we verify that the tools are doing what they are supposed to, what they should be doing, or do we simply accept the output of the tool without question or critical thought? Do we validate our tools against our investigative goals?
Back when Chris Pogue and I were working PCI cases as part of the IBM ISS X-Force ERS team, we ran across an instance where we really had to dig in and verify our toolset. Because we were a larger team, with varying skill levels, we developed a process for all of the required searches, scans and checks (search for credit card numbers, scans for file names, paths, hashes, etc.) based on Guidance Software's EnCase product, which was in common usage across the team. As part of the searches for credit card numbers (CCNs), we were using the built-in function isValidCreditCard(). Not long after establishing this process, we had a case where JCB and Discover credit cards had been used, but these weren't popping up in our searches.
Chris and I decided to take a look at this issue, and we went to the brands and got test card numbers...card numbers that would pass the necessary checks (BIN, length, Luhn check), but were not actual cards used by consumers. We ran test after test, and none using the isValidCreditCard() returned the card numbers. We tried reaching out via the user portal, and didn't get much in the way of a response that was useful. Eventually, we determined that those two card brands were simply not considered "valid" by the built-in function, so we overrode that function with one of our one, one that included 7 regexes in order to find all valid credit card numbers, which we verified with some help from a friend.
We learned a hard lesson from this exercise, one that really cemented the adage, "verify your tools". If you're seeing (or not, as the case may be) something that you don't expect to see in the output of your tools, verify the tool. Do not assume that the tool is correct, that the tool author knew everything about the data they were dealing with and had accounted for edge cases. This is not to say that tool authors aren't smart and don't know what they're doing...not at all. In fact, it's quite the opposite, because what can often happen is that the data changes over time (we see this a LOT with Windows...), or there are edge cases that the tool simply doesn't handle well.
So we're not just asking about the general "verify your tools" adage; what we're really asking about is, "do you verify your tools against your investigative goals?". The flip side of this is that if you can't articulate your investigative goals, why are you running any tools in the first place?
Not long ago, I was working with someone who was using a toolset built out of open source and free tools. This toolset included a data collection component, middleware (parsed the data), and a backend component for engaging with and displaying the parsed data. The data collection component included retrieving a copy of the WMI repository, and I asked the analyst if they saw any use of WMI persistence, to which they said, "no". In this particular case, open reporting indicated that these threat actors had been observed using WMI for persistence. While the data collection component retrieved the WMI repository, the middleware component did not include the necessary code to parse that repository, and as such, one could not expect to see artifacts related to WMI persistence in the backend, even if they did exist in the repository.
The issue was that we often expect the tools or toolset to be complete in serving our needs, without really understanding those "needs", nor the full scope of the toolset itself. Investigative needs or goals may not be determined or articulated, and the toolset was not validated against investigative goals, so assumptions were made, including ones that would lead to incomplete or incorrect reporting to customers.
Going Beyond Tool Validation to Process Validation
Not long ago, I included a question in one of my tweet responses: "how would you use RegRipper to check to see if Run key values were disabled?" The point of me asking that question was to determine who was just running RegRipper because it was cool, and who was doing so because they were trying to answer investigative questions. After several days of not getting any responses to the question (I'd asked the same question on LinkedIn), I posed the question directly to Dr. Ali Hadi, who responded by posting a YouTube video demonstrating how to use RegRipper. Dr. Hadi then posted a second YouTube video, asking, "did the program truly run or not?", addressing the issue of the StartupApproved\Run key.
The point is, if you're running RegRipper (or any other tool for that matter), why are you running it? Not how...that comes later. If you're running RegRipper thinking that it's going to address all of your investigative needs, then how do you know? What are your "investigative needs"? Are you trying to determine program execution? If so, the plugin Dr. Hadi illustrated in both videos is a great place to start, but it's nowhere near complete.
You see, the plugin will extract values from the keys listed in the plugin (which Dr. Hadi illustrated in one of the videos). That version includes the StartupApproved\Run key in the plugin, as well, as it was added before I had a really good chance to conduct some more comprehensive testing with respect to that key and it's values. I've since removed the key (and the other associated keys) from the run.pl plugin and moved them to a separate plugin, with associated MITRE ATT&CK mapping and analysis tips.
As you can see from Dr. Hadi's YouTube video, it would be pretty elementary for a threat actor to drop a malware executable in a folder, and create a Run key value that points to it. Then, create a StartupApproved\Run key value that disables the Run key entry so that it doesn't run. What would be the point of doing this? Well, for one, to create a distraction so that the responder's attention is focused elsewhere, similar to what happened with this engagement.
If you are looking to determine program execution and you're examining the contents of the Run keys, then you'd also want to include the Microsoft-Windows-Shell-Core%4Operational Event Log, as well, as the event records indicate when the key contents are processed, as well as when execution of individual programs (pointed to by the values) began and completed. This is a great way to determine program execution (not just "maybe it ran"), as well as to see what may have been run via the RunOnce key, as well.
The investigative goal is to verify program execution via the Run/RunOnce keys, from both the Software and NTUSER.DAT hives. A tool was can use is RegRipper, but even so, this will not allow us to actually validate program execution; for that, we need a process that includes incorporating the Microsoft-Windows-Shell-Core%4Operational Event Log, as well as the Application Event Log, looking for Windows Error Reporting or Application Popup events. For any specific programs we are interested in, we'd need to look at artifacts that included "toolmarks" of that program, looking for any file system, Registry, or other impacts on the system.
Conclusion If you're going to use a tool in SOC or DFIR work, understand the why; what investigative questions or goals will the tool help you answer/achieve? Then, validate that the tool will actually meet those needs. Would those investigative goals be better served by a process, one that addresses multiple aspects of the goal? For example, if you're interested in IP addresses in a memory dump, searching for the IP address (or IP addresses, in general) via keyword or regex searches will not be comprehensive, and will lead to inaccurate reporting. In such cases, you'd want to use Volatility, as well as bulk_extractor, to look for indications of network connections and communications.
David Cronenberg knows what he likes. He's made a career out of sticking doggedly to his own twisted visions of humanity and churning out some of the most provocative films of the past few decades. But while they're sometimes dismissed as gratuitous body horror fests, Cronenberg's films have often interrogated complex societal issues. That was the case with his 2012 effort "Cosmopolis," which provided an unsettling insight into the cold detachment of society's elite, played out almost entirely inside a limo by Robert Pattinson. And while Pattinson, fresh off his "Twilight Saga" stardom, was understandably nervous and terrified going into "Cosmopolis," he seems to have left a lasting impression on Cronenberg.
A decade later, Pattinson would end up playing the lead role in Matt Reeves's superhero film "The Batman," stepping into what is the "Cosmopolis" director's arguably least favorite genre. In the past, Cronenberg has had some pretty harsh words for superhero films. Asked about Christopher Nolan's "The Dark Knight Rises" back in 2012, he said: "I think it's still Batman running around in a stupid cape. I just don't think it's elevated. Christopher Nolan's best movie is 'Memento,' and that is an interesting movie. I don't think his Batman movies are half as interesting."
According to the filmmaker, superhero movies are "by definition [...] for kids." That's an opinion he doubled down on in 2020 when he told Vulture: "The version of genre [film] that is most forceful in Hollywood right now — the superhero thing — has never appealed to me much. [...] To me, it's too formulaic, and too adolescent in its emotional understanding."
Despite all that, the "Shivers" director chose to sit through Pattinson's foray into the genre for which he has so much disdain.
Pattinson Was 'An Honorable Batman'
Yes, David Cronenberg, who thought anyone who said "The Dark Knight Rises" was "supreme cinema art" didn't know "what the f**k they're talking about," has watched "The Batman." Last June, he sat down for an interview with The New Yorker, in the lead-up to his most recent nauseating effort, "Crimes of the Future," which saw him return to body horror. (It's not a bad entry in the Cronenberg canon, even if it doesn't represent any significant evolution in his style.)
The Canadian filmmaker revealed he had screened Matt Reeves's noirish take on the Caped Crusader simply due to his affection for Robert Pattinson. And it seems the star of "The Batman" got about as good an appraisal as he could expect from Cronenberg, who felt Pattinson was "an honorable Batman." He added:
"I don't want to say anything more than that, because I've already made my position on superhero movies clear and been attacked for it [...] It's basically an adolescent power fantasy, and that's its essence. You can't get away from that, and it limits it in terms of emotion and power and intellect."
Cronenberg almost managed to stay positive there, but quickly righted himself to heap some more scorn on the genre that so effortlessly offends him. Oh well, for now, Pattinson can rest easy knowing he at least has the distinction of making David Cronenberg sit through a film with "a stupid cape."
When shaken and chilled to minus 320 degrees Fahrenheit, ordinary frozen water "turns into something different," reports the New York Times, "a newly discovered form of ice made of a jumble of molecules with unique properties."
The ice of our everyday lives consists of water molecules lined up in a hexagonal pattern, and those hexagonal lattices neatly stack on top of each other.... With permutations of temperature and pressure outside what generally occurs on Earth, water molecules can be pushed into other crystal structures.
"This is completely unexpected and very surprising," said Christoph Salzmann, a chemistry professor at University College London in England and an author of a paper published on Thursday in the journal Science that described the ice.... The new discovery shows, once again, that water, a molecule without which life is not known to be able to exist, is still hiding scientific surprises yet to be revealed. This experiment employed relatively simple, inexpensive equipment to reveal a form of ice that could exist elsewhere in the solar system and throughout the universe.
And according to LiveScience, the new form of ice has some unusual properties:
Among them, Salzmann said, is that when the researchers compressed the medium-density ice and heated it to minus 185 F (minus 120 C), the ice recrystallized, releasing a large amount of heat. "With other forms of [amorphous] ice, if you compress them and you release the pressure, it's like nothing happened," Salzmann said. "But the MDA [medium-density amorphous ice] somehow has this ability to store the mechanical energy and release it through heating."
Medium-density amorphous ice might occur naturally on the ice moons of gas giant planets, Salzmann said, where the gravitational forces of the enormous worlds compress and shear the moons' ice. If so, the mechanical energy stored in this form of ice could influence the tectonics on these Hoth-like moons....
Scientists still debate the nature of water at extremely low temperatures. Any debate now needs to take into account medium-density amorphous ice, Salzmann said.
Thanks to long-time Slashdot reader fahrbot-bot for submitting the article.
Neowin reports on "a potentially dangerous exploit capable of completely unenrolling enterprise-managed Chromebooks from their respective organizations" called SH1MMER.
The Register explains where the name came from — and how it works:
A shim is Google-signed software used by hardware service vendors for Chromebook diagnostics and repairs. With a shim that has been processed and patched, managed Chromebooks can be booted from a suitably prepared recovery drive in a way that allows the device setup to be altered via the SH1MMER recovery screen menu....
In a statement provided to The Register, a Google spokesperson said, "We are aware of the issue affecting a number of ChromeOS device RMA shims and are working with our hardware partners to address it."
"Google added that it will keep the community closely updated when it ships out a fix," reports SC Magazine, "but did not specify a timetable."
"What we're talking about here is jailbreaking a device," said Mike Hamilton, founder and chief information security office of Critical Insight, and a former CISO for the city of Seattle who consults with many school districts. "For school districts, they probably have to be concerned about a tech-savvy student looking to exercise their skills...."
Hamilton said Google will need to modify the firmware on the Chromebooks. He said they have to get the firmware to check for cryptographic signatures on the rest of the authorization functions, not just the kernel functions — "because that's where the crack is created to exploit it. I think Google will fix this quickly and schools need to develop a policy on jailbreaking your Chromebook device and some kind of penalty for that to make it real," said Hamilton. "Schools also have to make sure they can detect when a device goes out of policy. The danger here is if a student does this and there's no endpoint security and the school doesn't detect it and lock out the student, then some kind of malware could be introduced. I'm not going to call this a 'nothingburger,' but I'd be very surprised if it showed up at any scale."
Thanks to Slashdot reader segaboy81 for submitting the story.
And yeah, we're definitely taking cues from Diablo 2, Ultima Online, Souls, etc. We're not making an Action-Adventure, but a full-blown ARPG!"
![[News] Bruce Campbell Launching BRUCE-O-RAMA 22-City Tour](https://i0.wp.com/www.nightmarishconjurings.com/wp-content/uploads/2023/02/bruce-o-rama.png?resize=492%2C566&ssl=1)
