Shared posts

26 Jul 06:15

Danielle Smith: The loss of Jasper is tragic, but we can all take comfort in how much money the oil industry is still making

by Mary Gillis

EDMONTON – Premier Danielle Smith fought back tears today as she announced that at least 30-50% of the town of Jasper, Alberta has been severely damaged by wildfires but she was adamant that all is not lost, because the Alberta oil industry is still going strong. “This event has been utterly devastating for the residents […]

The post Danielle Smith: The loss of Jasper is tragic, but we can all take comfort in how much money the oil industry is still making appeared first on The Beaverton.

25 Jul 22:00

Delight At Receiving Breakfast In Bed Mitigated By Difficulty Of Eating While Horizontal

TAMPA, FL—Explaining that his plate was positioned perpendicular to, rather than parallel with, his mouth, local man Dominic Worley told reporters Thursday that his delight at being served breakfast in bed was greatly mitigated by the difficulty of eating while horizontal. “Naturally, I was thrilled to wake up and…


25 Jul 22:00

Hydrothermal Explosion At Yellowstone Blasts Debris Into Sky

A surprise eruption in Yellowstone National Park shot steam, water, and dark-colored rocks and dirt high into the sky, sending alarmed sightseers running for safety. What do you think?


25 Jul 21:58

Québec language inspectors check that patients are dying in French

by PJ Taylor

MONTRÉAL – The government of Québec has confirmed that inspectors from the Office Québécois de la Langue Française have been monitoring conversations at a local hospital to ensure that patients dying in an underfunded healthcare system were doing so in the province’s official language. In a statement, Health Minister Christian Dubé clarified: “At a time […]

The post Québec language inspectors check that patients are dying in French appeared first on The Beaverton.

25 Jul 17:14

Sherwin-Williams Paint Color or Potential Kamala Harris Running Mate?

by Talia Argondezzi

“Ms. Harris, 59, could be inclined to turn to someone from a swing state that the party needs to win. She is also likely to turn to a male running mate, Democrats said, to give the ticket balance.”- The New York Times

- - -

1. Reliable White

2. Nice White

3. Polite White

4. Incredible White

5. Spare White

6. Smart White

7. Pearly White

8. Conservative Gray

9. Antique White

10. Gorgeous White

11. Natural Choice

- - -

Answer Key

1. Sherwin-Williams #6091 and North Carolina Governor Roy Cooper
2. Sherwin-Williams #6063 and Michigan Governor Gretchen Whitmer
3. Sherwin-Williams #6056 and Kentucky Governor Andy Beshear
4. Sherwin-Williams #7028 and Arizona Senator Mark Kelly
5. Sherwin-Williams #6203 and Illinois Governor J. B. Pritzker
6. Sherwin-Williams #6007 and Secretary of Transportation Pete Buttigieg
7. Sherwin-Williams #7009 and California Governor Gavin Newsom
8. Sherwin-Williams #6183 and Utah Senator Mitt Romney
9. Sherwin-Williams #6119 and Vermont Senator Bernie Sanders
10. Sherwin-Williams #6049 and Actor George Clooney
11. Sherwin-Williams #7011 and Pennsylvania Governor Josh Shapiro

25 Jul 17:05

Buildings in Jasper in ashes as 'monster' wildfire spans 36,000 hectares

Cowboy Who?

I was just through there last month. I'm super sad for everyone there.

Firefighters are pictured spraying structure during wildfires that entered Jasper, Alta.

A wildfire that roared into the community of Jasper, Alta., late Wednesday, incinerating vast stretches of the townsite, has grown to 36,000 hectares.

25 Jul 16:08

The Onion Film Standard: ‘Deadpool & Wolverine’

25 Jul 16:03

Saturday Morning Breakfast Cereal - Precession

by Zach Weinersmith



Hovertext:
The only downside is you have to go in every six months to get spun up.


25 Jul 13:31

Flood watch extended, remains active across Harris County Thursday

by Sarah Grunau

According to a Harris County Flood Warning System monitor, more than an inch of rain had been detected in areas of southeast Houston Thursday morning. Rainfall amounts averaged half of an inch in central Harris County.

25 Jul 13:31

Southwest Airlines says ‘assigned and premium seating’ will replace open seating plan

by Bill Chappell

Cowboy Who?

This makes me sad.

Southwest Airlines unveiled big shifts in how it does business Thursday, saying it will throw out the open-seating model it has used for decades and introduce redeye flights. Here, an employee and passenger are seen at the Austin-Bergstrom International Airport last year in Austin, Texas.

Southwest President and CEO Bob Jordan says research shows passengers “overwhelmingly prefer” an assigned-seat system. He also pledged to improve the airline's financial performance.

(Image credit: Brandon Bell)

25 Jul 13:03

Ontario police officer shot colleague 10 times in violent dispute in 2018. Both walk away conviction free

Police cars on a road

Det.-Sgt. Shane Donovan, who was with the Niagara Regional Police Service, was acquitted this spring of perjury — the last charge linked to the six-year saga with Const. Nathan Parker that involved multiple police agencies, investigations and trials.

25 Jul 12:57

I’m biased toward midwesterners, cleaning up after a reply-all email storm, and more

by Ask a Manager

This post was written by Alison Green and published on Ask a Manager.

It’s five answers to five questions. Here we go…

1. I’m biased toward midwestern candidates

At the east coast company I work at, I’m frequently on hiring committees for competitive positions that typically include a wide range of candidates from all over the U.S. I recently noticed a concerning pattern in the candidates that I have advocated for hire. Essentially, when other qualifications are relatively equal, I nearly always prefer the midwestern candidate (I am from the midwest and work remotely from the midwest) for their personability and communication style. And generally, my opinion holds a strong sway for who ends up being hired. While I’ve never advocated for a midwest hire who isn’t one of the top candidates in terms of objective qualifications and interview responses, I still don’t think this is a great look.

What can I (and the company in general) do to reduce this type of bias during hiring? Should I just hold my opinion if we are between a handful of candidates and I prefer the midwestern one?

A quick caveat: I am, unfortunately, amazing at recognizing midwestern accents, especially in people from the Great Lakes regions (or from the city of Chicago).

Yeah, “like me” bias is really common in hiring, and it’s good that you’re recognizing it! We (often) naturally prefer people who remind us of ourselves and feel comfortable/familiar to us. It’s especially telling that you noted your preference is based on their “personability” and communication style, because those are two things that are really subjective and can be big sources of bias.

So how do you mitigate it? First and foremost, make sure that you’re assessing all candidates on the same list of must-have and nice-to-have traits, and that you’re clearly defining what each of those looks like and not just “I know it when I see it.” For example, you might assess communication style and personability through metrics like: enthusiasm for engaging with people; conveying points clearly; listening carefully and asking questions to understand others’ perspectives; and being able to put people at ease, especially people different from themselves (that last part is key). Also, involve diverse voices in your hiring process (and make sure you get aligned with them about the must-have’s and how to assess those so that everyone is measuring against the same bar; otherwise people will default to their own criteria). Ask people to fill out written assessments independently, so they’re not overly influenced by what you or others think, and ask them to peg their ratings to observable behaviors, not gut feelings.

Those two things won’t solve it entirely — bias is a huge and complicated thing that takes significant work to mitigate — but they should help significantly, and should also surface places where earlier you might have been influenced by bias without even realizing it.

2. The right way to clean up after a reply-all email storm

My inbox was victimized by an external email storm yesterday, and it made me curious about how you’d advise the organization at the center to proceed in the aftermath. A university career center recently launched a new hiring platform to connect students and employers, and they sent a webinar invitation to recruiters across the region — corporate, public sector, school districts, etc. Something went wrong in the system and an automatically generated reply went to everyone, which then generated a service ticket email that also went to everyone. Enter Corporate Recruiter A, who responded, “I’m not sure why I’m on this service ticket.” For some reason this email also generated a subsequent service ticket email. Enter Corporate Recruiter B, who responded, “Same here.” (HELPFUL. Are both of you new to email? And technological systems in general?) City Employee chimed in, “I am getting multiple emails from this. Is there something you need from me?” And then Corporate Recruiter C opened the floodgates with, “Please remove me from your mailing list.” Cue hundreds of recruiters from the region asking to be removed from the list, followed by a handful of well-intentioned folks with the “STOP REPLYING” directives. Every one of these emails generated a separate service ticket email, so it was like the BOGO of email storms.

800 emails later, it has finally stopped. If you were the university, would you ignore all those requests from recruiters to be removed, since you need them to be recruiting your students and they were most unwittingly responding to one specific event? Or are you obligated to honor their request? Do you dare send a follow-up email to explain and apologize? Do you do personal outreach to the recruiters who participated in the melee to mend relations? Just to recruiters from high-value contacts, e.g. Fortune 500 companies and major local employers? Cut the registration fee for your next career fair as a mea culpa?

The emails were annoying, of course, but I mainly felt sorry and frustrated for the university employees. If I were them and I were instructed to send an apology email, I’m not sure I could stop myself from including some “electronic mail guidance for noobs” on how to disengage from an email storm…

Eh, people asking to be removed in that context usually mean “remove me from this shitstorm,” not necessarily “never contact me again.” I don’t think you’d need to unsubscribe all of them, as long as you’re very, very sure that the problem has been solved. You could send an email a day or so later apologizing and assuring people the problem has been fixed and won’t recur (make sure that’s true! the last thing you need is for that email to set up a whole new flood) and offering an unsubscribe link for people who want it. (That said, you’d want to look at CAN-SPAM and any other applicable laws to make sure you’re in compliance.)

I don’t think anyone would expect you to cut the registration fee or call people personally to apologize. (I’d actually be more annoyed by a phone call about it, in an “I still can’t get away from this?” kind of way.)

Related:
the burnt bagel, the excessive candor, and other reply-all email catastrophes

3. How open should I be about family stress that may affect me at work?

I’m tangentially connected to an ongoing family issue which is apparently on the verge of boiling over and causing some irrevocable damage to the extended family. There’s a high likelihood of my brother and his wife divorcing, and they have two kids under 10. There was a deliberate attempt to conceal the issues from me, up to and including lying to my face about how things are with them.

This affects my work only slightly: My work is pure physical labor. I deliberately made more work for myself when counting new stock as a healthy way to vent my frustrations and distract myself, and I explained my reasoning for doing that. At what point am I giving too much information, or at what point is giving specific details that there is an issue ongoing necessary?

Hmmm, it really depends on the details. If no one will even notice that you’re doing something differently to get more of a physical outlet, you don’t need to say anything at all. If it’s going to be noticeable, sure, say, “I’m working out some family stress on these boxes right now!” But there’s a fairly narrow window for how much of that is okay at work — tackling boxes extra vigorously is fine, but if it comes close to looking like hostile aggression (even though it’s directed toward inanimate objects, not another person), it’s inappropriate for work. If someone would be nervous about coming near you, you’ve crossed a line. Regardless, though, people don’t really need to know the details of what’s going on with your family.

(For what it’s worth, and I realize I’m saying this knowing almost nothing about the situation: avoid judging other people’s marriages and divorces as much as you can. Divorce is sad, especially when kids are involved — but lots of grown children, including me, will tell you firsthand that the damage to kids when their parents don’t divorce but should can be harder on them than a split would have been. Your brother also didn’t owe you a full account of what was happening within his marriage before he was ready to share. Again, I don’t know the details and certainly there are situations that would enrage any reasonable bystander — but when your feelings about someone else’s marriage are looming this large, it’s worth questioning.)

4. Do I owe a previous employer help with their questions now?

I gave two weeks notice at my job. My manager, the owner of the company, sent a message to all the team leads that I would be leaving and I sent the team leads and the other person on my team a message that I had cleared my calendar and would be happy to meet with them to facilitate my departure. I also created a document outlining several tasks that remained and where I was with each of them.

The other person on my team, Sara, set up a meeting with our accounting firm and participated in several meetings in which the managing owner and she were present but I was excluded. Which is fine, but I did not have any insight into what decisions were reached, so I assumed they had everything in hand. I had one meeting with the two owners and Sara, where they said they felt my procedures were excessive and overdone and instead of learning them, they said there was a better way to do my job. (That was fine with me — I was leaving anyway.) I also asked Sara if she wanted to set a time to go over procedures and how to do tasks, as most would fall on her plate, but she insisted she already knew. No one got in touch, no one asked questions, no one showed any interest in anything I had to share. I completed the document, wished everyone the best, and went on my way. No hard feelings, just excitement for my new role.

A couple weeks after I left, I received a message from Sara with questions — where things were, if I had finished a report, etc. etc. I did not feel like I had any responsibility to answer. I don’t have hard feelings, but I feel like no one wanted my help while I was leaving and now I don’t owe them anything further. I don’t think of myself as bitter or angry, just happy to move on. Am I wrong? Should I have answered all the questions?

You’re right on the principle of it: you tried repeatedly to help with the transition while you were still there and they made it clear that they didn’t want your help and felt they knew better. So it’s particularly irritating that they’re coming back to you now.

That said, it generally makes sense to be willing to answer one or two simple questions after you’re gone if you can do so very quickly, simply for the purpose of maintaining good will. But I’m talking about things like “do you remember where the X report is?” not “can you walk me through the history of this client and all the strategies we’ve tried with them in the past” — and also only one or two, not endless or ongoing contact. So if it would have taken only a minute or two to respond to Sara, I’d advise just doing it. You don’t have to, though; it also would have been fine to let the message sit for a week and then reply with, “Hmmm, I don’t know off the top of my head, but check the documentation I left.” (Or even not reply at all.)

5. I have no idea who to give my resignation to

I’ve decided to quit my job! However, I’m not sure who to give my notice to. My boss has left, and her boss is a C-suite executive I’ve never met. I’m sure I’m overthinking this, but I’m in a very senior role with no clear redundancy / transition plan for my responsibilities, and want to make sure I’m setting my team up for continued success after I’m gone. So who do I talk to about all of this? What are the appropriate protocols here?

Who are you going to for other management things right now? If there were a crisis in your department, who would you talk to? That’s probably the right person to resign to. If there’s no clear answer to that, then default to your ex-boss’s boss. If that’s impractical, head to HR, explain the situation, and let them straighten it out.

25 Jul 12:56

Fact-Checking J.D. Vance’s ‘Hillbilly Elegy’

Sales for Hillbilly Elegy, the 2016 memoir written by J.D. Vance, are soaring again after the Ohio senator was selected as Donald Trump’s running mate. The Onion revisits and fact-checks the bestseller.


25 Jul 12:52

We’re Friends

by Reza

25 Jul 02:55

Cape Breton to create new, more annoying time zone between Atlantic and Newfoundland time

by Janel Comeau

CAPE BRETON REGIONAL MUNICIPALITY – In a surprise move, the residents of Cape Breton island in Nova Scotia have announced that as early as next year, Cape Breton will have its own small and incredibly annoying time zone right between the Atlantic Time Zone and the Newfoundland Time Zone.  “For too long, Cape Breton has […]

The post Cape Breton to create new, more annoying time zone between Atlantic and Newfoundland time appeared first on The Beaverton.

25 Jul 02:54

Netanyahu Addresses Congress

Israeli prime minister Benjamin Netanyahu spoke in front of Congress at the invitation of House Speaker Mike Johnson, marking his first visit to Washington in almost four years and first trip abroad since the war in Gaza began. What do you think?


25 Jul 02:53

Biden Drops Out Of Presidential Race

President Joe Biden ended his reelection bid and endorsed Vice President Kamala Harris to succeed him, saying in a statement posted to his official X account that, “It has been the greatest honor of [his] life to serve as your President.” What do you think?


25 Jul 02:53

House Inputs and Outputs

People think power over ethernet is so great, and yet when I try to do water over ethernet everyone yells at me.

24 Jul 19:03

my boss is upset that I quit without more notice because I’m vital to the business

by Ask a Manager

This post was written by Alison Green and published on Ask a Manager.

A reader writes:

I just left my job. I had worked at the same small company for six years. Over the years, I have seen admin staff leave with little notice and staff who gave notice but did not actually work through it. My boss, Amanda, told me that she actually did not want them to work those two weeks, so she gave them the option to leave immediately. I was not there for those conversations, so I only had her word. I also know from past interactions that she is not someone who is open to criticism.

When I left, I was the only employee. I did my job (which is a client-facing job and if something is missed, it can open the business up to liability) plus a large share of the administrative work. Amanda worked partial days while I worked extra hours to get everything done. I was vital to the company running smoothly.

Amanda had asked me multiple times if I planned on staying with the company. I always said yes, because I felt like I could not leave without damaging the business and that she would not be receptive if I told her I didn’t plan to stay.

But one day, I had a terrible day at work and all of the frustrations of the job just boiled over. I felt unsupported, used, and frankly like I was drowning in mismanagement. After a tearful phone call about how stressed I was, my fiance suggested that I look for jobs in his area, about two hours away. We had talked about it before, but now I was ready to leave. It was not a full-time search but I was keeping an eye open. I applied for two jobs. Within a week of submitting my second application, I was interviewed and hired. I told them that I would need a delayed start date so that the transition would be smooth. They agreed.

Amanda did not take the news well. When I gave her my resignation, I told her I could stay at least three to four weeks for a smooth transition. She said okay and walked away. A few minutes later, she told me to be done at the end of the week. I again offered to stay longer, but she said she “would figure it out.” The next day we had the conversation again. I even suggested she look at the calendar before she made a decision because some big events were upcoming. I thought she just needed some time to process the resignation. But she said the same thing, so I called my new employer and set my start date for two weeks later so that I would not be without a pay check for a month.

The next day, Amanda called me in tears and asked me to come in to help out on days when she would be busy. I told her I could not do that. I explained that I had offered to stay four weeks and she declined, so I was starting at the new job sooner and would not be available. I told her I would leave her detailed notes and be available for questions. She cried and told me that I was screwing her over by not telling her that I had been looking for a new job. I told her I was not trying to upset her and that I offered to stay on longer for that reason, and every version of “it’s not you, it’s me” I could think of.

I know that I was a vital employee. I thought I was doing the right thing while still protecting myself. But now I’m not sure. Was I in the wrong? Should I have told her that my plans changed and I had put in applications somewhere else? Could I have handled this better?

No.

You never, ever need to warn your boss that you are job-searching.

Okay, maybe in some very outlier edge cases, like your boss is about to invest significant time and money in training you to take over while she’ll be on leave to donate an organ, has asked you to level with her if you’re not the right person for it, and has done the work to create an environment where you know you could safely say you were considering leaving. Or your boss is about to spend significant capital getting you something you want and, again, has done the work to create an environment where you know you could safely say you were considering leaving.

But usually, you don’t warn your boss you’re job-searching. You don’t warn them because if you do, you risk being pushed out earlier than you want to leave, or sidelined from projects you want to work on, or because you might change your mind and don’t want to permanently be seen as having one foot out the door. You also don’t warn them because it’s simply not the professional convention to expect that you would. Reasonable managers understand the power dynamics involved in the relationship and know they’re not entitled to a heads-up, even if it would make their lives easier to get one. Reasonable managers also know that anyone could be job-searching at any time — or could be crushed by a boulder when they leave their house tomorrow, or have a too-good-to-pass-up offer fall in their lap unexpectedly, or win Powerball, or all sorts of other things — and so they plan for contingencies. A business that relies on everyone staying forever unless they give a ton of notice is a business that’s precarious and poorly run.

And all of that goes double for Amanda for two reasons: One, you’ve seen people leaving without working their whole notice periods and in some of those cases she told you she was part of that decision, so you had good reason to fear being pushed out earlier than you wanted to go. Two, you were the lone employee and playing a vital role, which made it all the more important that she have contingencies in place. If she didn’t, that’s on her, not you.

Not only did you not screw over Amanda, but you actually went above and beyond when you resigned. You offered more than two weeks notice to try to help her, and you were generous enough to extend that offer again after she had already rejected it once.

Amanda wants to be petulant in the moment (“No, leave this week, I don’t need you”) and then be able to retract that once reality sets in. But that’s not how business works. You are a person with your own interests and your own commitments that you can’t walk back just because she’s done sulking now.

You tried to tell her “It’s not you, it’s me.” But it’s her. It’s definitely, definitely her.

You did nothing wrong.

24 Jul 18:03

Kamala Harris in Houston on Thursday to speak at teachers union convention

by Adam Zuvanich

Harris quickly has become the Democratic party's presumptive nominee to serve in the White House after President Joe Biden announced Sunday he would not seek reelection against former president and Republican nominee Donald Trump.

24 Jul 18:00

Heavy rainfall threat shifts to the coast, where we’re increasing our flood alert to Stage 2

by Eric Berger

In brief: Although the coast has largely been spared heavy rainfall for the last two days, it now appears that the axis of strongest storms will shift there on Wednesday and Thursday. Due to this heightened threat for widespread street flooding, we are elevating coastal counties to a Stage 2 flood alert for now through Thursday evening.

Wary of offshore rains

As the Houston region has fallen into a very wet pattern over the last two days, the heaviest rains have fallen north of the city. Some locations in The Woodlands, for example, have received in excess of 9 inches of rainfall, and areas near Kingwood have received 4 to 6 inches. These heaviest rains have been fairly isolated, however, as most of the Houston region has picked up 1 to 2 inches so far.

We have a couple of more days during which the threat of heavy rainfall is high, so what will happen next? The majority of our modeling guidance suggests the threat will shift southward, particularly from southern Brazoria County up the coast through Galveston Island and all the way to Beaumont-Port Arthur. For this reason, we are elevating our flood alert for coastal counties to Stage 2 on our flood scale.

This means that for coastal counties—Brazoria, Galveston, Chambers, Jefferson, and Orange—there is the threat of flash flooding today, tonight, and on Thursday. Under Stage 2 conditions we generally expect widespread street flooding, and the potential for some localized flooding of homes and businesses. For the rest of the Houston metro area, and particularly areas along and inland of Interstate 10, lesser impacts are expected. We are maintaining a Stage 1 flood alert there.

Houston radar at 5:38 am CT on Wednesday showing a band of strong storms just offshore. (RadarScope)

Wednesday

Just before sunrise this morning we are seeing moderate showers across much of the Houston area, and for now these are totally manageable. But there is a line of showers and thunderstorms just off the coast that is more menacing. There is a fairly good chance this line will slowly lift northward into the coast, including Galveston Island, this morning. This will pose a distinct threat to flood streets.

These showers will gradually spread inland today, but based on our latest modeling they should gradually have a reduced impact and weaken some as they do so. Due to widespread showers and mostly cloudy skies, we can expect highs today to top out in the low- to mid-80s for most locations.

Wednesday night and Thursday

The most likely scenario is that we see a similar pattern tonight. Some time after midnight another line of showers and thunderstorms appears likely to congeal offshore and then push into Galveston, Chambers, and Jefferson counties during the wee hours. This may spark another round of flooding for areas along and near the coast through Thursday morning. These showers should move inland during the daytime, albeit with likely reduced intensity.

Area in red shows where the threat of excessive rainfall is highest. (NOAA)

All told, most locations south of Interstate 10 should receive at least 2 to 6 inches of rainfall on Wednesday and Thursday. My concern, and the reason for a heightened flood scale alert, is the possibility for some of these storms to dump 10+ inches of rainfall right along the coast. The models are increasingly highlighting this threat for places such as Galveston Island and the Beaumont-Port Arthur area.

Friday, Saturday, and Sunday

The threat of very heavy rainfall should end by Thursday evening or so, but that does not mean our wet pattern will end. Rather, we’ll continue to see a healthy chance of showers through the weekend. We don’t expect to see the kinds of storms that will produce significant flooding, but there look to be fairly widespread showers. If you have outdoor activities planned, especially for Saturday, I would not feel great about them.

Highs for this period will range from the upper 80s to lower 90s, with partly to mostly cloudy skies. There is a chance of some sunshine by Sunday afternoon, however.

Next week

As high pressure starts to build into the area, next week should be hotter. Starting Monday, I expect we’ll reach at least the low-90s, and by midweek I expect Houston to be solidly in the mid-90s with lots of sunshine. We cannot rule out a stray shower here or there along the sea breeze, but these should not result in any serious accumulations.

We will have an additional update later this afternoon or early evening to keep tabs on the situation.

24 Jul 17:56

Saturday Morning Breakfast Cereal - Raiders

by Zach Weinersmith



Hovertext:
Okay, but you should see the thing that gets 2 minutes.


24 Jul 17:55

Suicidal Man Urged By Onlookers To Jump From Higher Floor

NEW YORK—Pleading with the individual to think rationally, onlookers reportedly urged suicidal jumper Harrison Zwillet to leap from a higher floor Wednesday. “No! Please! Go higher!” called out just one good Samaritan from the ground below, doing her best to deter the distressed stranger from jumping from such a…


24 Jul 17:54

Franchise with amazing fans, likeable superstars determined to become league villains

by Luke Gordon Field

EDMONTON – The Edmonton Oilers announced the hiring of Stan Bowman, the Blackhawks executive who helped cover up the sexual abuse of Kyle Beach by assistant coach Brad Aldrich, as part of their ongoing plan to become the league’s most hated team. “We started in a bad spot. We had a passionate, dedicated fan base […]

The post Franchise with amazing fans, likeable superstars determined to become league villains appeared first on The Beaverton.

23 Jul 21:36

Unquoted service paths: The new frontier in script kiddie security vulnerability reports

by Raymond Chen

Some time ago, my colleague Aaron Margosis wrote about how most “Unquoted Service Paths” findings are unnecessarily alarmist. But that doesn’t stop people from reporting it anyway.

Usually from people who don’t actually know what they’re doing.

We often get unquoted service path vulnerability reports. Sometimes they go like this:

We have identified an unquoted service path: The XYZ service has a listed service path of C:\Program Files\Windows Xyz\XyzSvc.exe with no quotation marks to protect the spaces.

Attached find a proof of concept. Copy this program to C:\Program.exe or C:\Program Files\Windows.exe, then use the Services MMC snap-in to stop the XYZ service, then start it. The proof of concept program will run.

As with most unquoted service path vulnerabilities, this one requires that the attacker be on the other side of the airtight hatchway: Creating files in C:\ or in C:\Program Files already requires administrator privilege, so this attack presupposes that the attacker has gained administrator access. It is not surprising that an attacker with administrator access can gain administrator access.

Nevertheless, when we resolved the issue as “Not exploitable, fix in next version”, the finder intended to go public and sent us a preliminary copy of a blog entry they intended to publish.

The blog entry admitted that a default-configured system is not vulnerable due to the inability of non-administrative users to plant Program.exe in an exploitable directory, but noted that a system administrator might misconfigure the system to grant write access to those sensitive directories.

Of course, we have now wandered into the realm of creating an insecure system and then being surprised that it’s insecure.

As far as I can tell, the finder never published that blog entry.

But at least this is a case where the finder actually understood the issues. Often we’re not so lucky, and the finder just spits out some tool output without providing any diagnosable information.

The XYZ service has an unquoted service path, which could allow a user to gain SYSTEM privileges. Attached please find screen shots demonstrating the issue.

The screen shots are heavily redacted captures from some unknown vulnerability scanning software.

Service name    Vulnerable systems
Xyz             7

That’s nice, but there’s nothing diagnosable here. The finder did include a screen shot of the scanning software reporting a non-vulnerable service, but that doesn’t help us identify the vulnerable one.

After some back and forth with the finder, we were able to obtain the path to the vulnerable service, and it was of the form C:\ProgramData\Microsoft\Windows Xyz\XyzSvc.exe, which is not exploitable because it requires administrator privileges to write to the C:\ProgramData\Microsoft\Windows directory.

Quoting service paths is a best practice. If you forget, most of the time, other defense in depth measures prevent it from being exploitable. It’s still good to fix them even though they aren’t exploitable, because you don’t want to rely on the kindness of others. However, you don’t have to fix them with the urgency of a security vulnerability.

Another example of an alleged unquoted service path vulnerability is this one:

The lack of proper quotation marks around the service path for the XYZ service means that this vulnerability could be exploited to achieve privilege escalation. I found this on multiple systems after running a Contoso security scan.

C:\Windows\system32\svchost.exe -k xyz

In this case, the finder ran a commercial scanning tool with a free trial, and the tool reportedly claimed that this service path was unquoted.

While it’s true that the path is unquoted, it’s also true that quotation marks aren’t needed because there are no spaces in the path.

The path is C:\Windows\system32\svchost.exe. The extra -k xyz are command line arguments to the program. They aren’t part of the path-with-spaces. In other words, this service is not trying to run a program with the funny name svchost.exe -k xyz.exe in the C:\Windows\system32 directory. The intention is to run the C:\Windows\system32\svchost.exe program. The lack of quotation marks is the intended interpretation.

Some script kiddies try to supplement their report with breathless prose cobbled together from fragments of other vulnerability reports they found on the Internet.¹

This unquoted path can lead the system to access resources in a parent path. A local attacker can place an executable file in the path of the service. When the service starts or restarts, the malicious file is executed instead of the intended service.

It’s not clear what “place an executable file in the path of the service” means here. If they mean insert an executable file in the same directory as the service, then that doesn’t work. The system will still run the intended file.

If they mean to put a file in a directory in the service’s PATH environment variable, that still doesn’t work, because the service is registered with a full path. (And even if the service were registered with an unqualified path, attacking the PATH directories is not fruitful because all of those directories by default are writable only by administrators anyway.)

If they mean to overwrite the service executable with another executable, well, quotation marks won’t do anything to block that.

In this particular report, their so-called “repro steps” didn’t actually repro any attack. All they did in the repro steps was enable the service. They never planted any file to trigger unauthorized code execution. All we can do is guess what they meant; we can’t try to infer it from their proof of concept.

But the clincher was the output of their alleged repro steps:

C:\> sc query xyz
    SERVICE_NAME: xyz
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Microsoft Xyz\XyzSvc.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Microsoft XYZ Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

The reportedly unquoted service path is quoted!

Bonus chatter: When the security vulnerability reports reach the engineering team, the identifying information about the finder has often been removed. I’m guessing that this is done to remove sources of bias that could be introduced by recognizing, “Oh no, it’s this guy again,” and not giving the report due consideration because of its source.

That said, it’s still possible to identify that two reports came from the same person. The writing styles may match up (and sometimes the two reports are word-for-word identical, just with a service name changed). And one time, I noticed that the proof of concept video that was included with the report had exactly the same wallpaper and desktop icons as another report.

¹ Sometimes the breathless prose is outright wrong.

An attacker could place a malicious executable in a directory whose name contains a space.

As noted above, the attack vector is not placing a malicious executable in a directory whose name contains a space. It’s placing a malicious executable in a directory whose name is a truncation of the unquoted path.
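
The triage the article walks through, written out as an added example (not code from the original post or from Microsoft): given a service's BINARY_PATH_NAME, decide whether it is quoted, whether the spaces belong to arguments rather than the path, and otherwise list the truncated names that would be tried first and the directories whose write permissions decide exploitability. The function names and the "program ends at the first prefix ending in .exe" heuristic are assumptions; the sample paths are the ones quoted in the article.

```python
import ntpath

def exe_portion(binary_path):
    """Assumed heuristic: the program is the shortest space-delimited prefix
    ending in .exe; whatever follows is command-line arguments."""
    parts = binary_path.split(" ")
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            return prefix
    return binary_path  # no .exe found: conservatively treat it all as path

def triage(binary_path):
    """Classify one BINARY_PATH_NAME value from a scanner finding."""
    value = binary_path.strip()
    result = {"verdict": "quoted", "candidates": [], "dirs_to_check": []}
    if value.startswith('"'):
        return result  # already quoted: nothing to report
    exe = exe_portion(value)
    if " " not in exe:
        result["verdict"] = "no-space-in-path"  # e.g. svchost.exe -k xyz
        return result
    # Each truncation at a space is a name that would be tried before the
    # intended program; .exe is appended when the piece has no extension.
    pieces = exe.split(" ")
    for i in range(1, len(pieces)):
        prefix = " ".join(pieces[:i])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        result["candidates"].append(prefix)
    # Exploitability depends on who can create files in these directories.
    result["dirs_to_check"] = sorted(
        {ntpath.dirname(c) for c in result["candidates"]})
    result["verdict"] = "unquoted-with-spaces"
    return result

# Paths quoted in the article above.
SAMPLES = [
    r"C:\Program Files\Windows Xyz\XyzSvc.exe",
    r"C:\Windows\system32\svchost.exe -k xyz",
    r'"C:\Program Files\Microsoft Xyz\XyzSvc.exe"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(s, "->", r["verdict"], r["candidates"], r["dirs_to_check"])
```

A finding only merits security urgency when some directory in `dirs_to_check` is writable by non-administrators; checking that is a separate ACL review on the machine itself.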

The post Unquoted service paths: The new frontier in script kiddie security vulnerability reports appeared first on The Old New Thing.

23 Jul 21:29

Kamala Harris is a DEI Hire; We Need a President Who Earned Everything Himself

by Carlos Greaves

“MAGA Republicans are subjecting Vice President Kamala Harris to a barrage of racist and sexist attacks as she has stormed out in front as the likely 2024 nominee…GOP Rep. Tim Burchett of Tennessee said that “100 percent, she was a DEI hire” insisting of Biden’s choice of Harris: “When you go down that route, you get mediocrity.” — Rolling Stone, 7/22/24

- - -

With Joe Biden dropping out of the race, Vice President Kamala Harris is now the presumptive nominee for the Democratic Party. As a conservative, it’s clear to me that Harris is a DEI hire who hasn’t earned the credentials necessary to be president. This is especially true compared to Donald Trump, who has never been handed anything in his life.

Donald Trump is nothing if not a self-made man. In 1966, Trump chose to transfer from Fordham University to the more prestigious Wharton School of Finance. He attended the transfer interview with his father, Fred Trump, by his side for support, the way any normal student would. And, though we have yet to see his grades, we can only assume they were stellar.

Meanwhile, Kamala Harris did her undergraduate at Howard University, likely taking a spot from one of the millions of White and Asian students who apply to Howard every year.

After graduating, Donald Trump got his first job at Trump Management, his father’s real estate company. Nobody in their right mind could argue that Donald Trump got that job as part of a “diversity initiative” or “underrepresented talent incubator.” He then started several businesses with nothing more than a dream and a few small loans from his father. And he led six of those businesses all the way from start to finish. Donald Trump is the candidate with the most experience seeing ideas all the way through to the end, whether it’s a casino or American democracy.

Kamala Harris was seemingly plucked out of obscurity for the VP pick in 2020. Her only prior experience in public service was as the District Attorney of San Francisco, the Attorney General of California, and as a United States Senator. And the only reason she got the job was because 81 million people mistakenly believed she was qualified.

Donald Trump, on the other hand, earned the presidency in 2016 by getting the second-most votes out of any of the candidates in contention. It’s a good thing the electoral college was structured in a way that Hillary Clinton couldn’t be handed the presidency simply because she was a woman.

DEI is running amok in this country. White men make up around 31 percent of the United States population, yet make up only 55 percent of Fortune 500 corporate board seats and hold only 62 percent of elected offices. The presidency is one of the few occupations that has remained (mostly) untainted from diversity hires. And after a brief period in which white men made up only 97.73 percent of United States presidents, it’s good to see that number has climbed back up to 97.83 percent. A drop down to 95.74 percent would be nothing short of catastrophic. We cannot afford to repeat the mistake of electing woefully unqualified candidates like Barack Obama rather than people who earned it by making a name for themselves, like George W. Bush.

Between Kamala Harris and Donald Trump, it’s clear who has benefitted the most from their race and gender. And the American people deserve a president who hasn’t gained massive advantages in life from policies that gave preference to one group of people over another.

23 Jul 18:49

As METRO transit authority increases investment in microtransit, Houston city council member expresses skepticism

by Dominic Anthony Walsh, Colleen DeGuzman

After the Harris County METRO Transit Authority approved more than $1 million to fund an ongoing microtransit program, Houston City Council member Letitia Plummer expressed doubts.

23 Jul 18:42

my interviewers interrupted my timed interview presentation

by Ask a Manager

This post was written by Alison Green and published on Ask a Manager.

A reader writes:

I’d be really interested to hear your take on a situation that cropped up for me while I was attending an internal job interview this week.

I’d been asked to prepare a presentation of “no longer than” 10 minutes. I practiced plenty in advance and was generally coming in at 8 minutes, 30 seconds, so comfortably within.

On the day of the interview, I was halfway through presenting my slide deck when one of the interview panel interrupted with a question, which I answered. This turned into three or four minutes of other queries and broader chat amongst the panel members — all very positive about the content — before they asked me to continue. I’d barely got any further when I was warned that I had less than a minute left: They hadn’t stopped the clock for their conversational detour. As a result, I had to push through the final couple of points far more swiftly than I’d intended.

Fortunately the rest of the interview went well, though ultimately I didn’t get the role. During the call to inform me, the interviewer explained that another candidate had more management experience than me (fair). But upon asking for any other feedback, I was told that I should have had more confidence when presenting, particularly during the last minute or so, and that I could have planned the timing better.

I thanked them for the feedback but I’ve been left wondering what I can really do with this for next time? I was hardly in a position to ban any questions, but putting my foot down and demanding extra presentation time to make up for their interruption sounds like a guaranteed way to lose the job. How can I work on this feedback?

It’s unlikely they wanted you to demand extra time to make up for the interruption.

But it’s very possible they assessed you in part on how well you handled the interruptions, like whether you were able to diplomatically regain control over the presentation and keep going — especially if presenting was a core function of the job. (In fact, if it was, they may have even interrupted intentionally to see how you handled it.) This isn’t necessarily 100% fair, because a lot of job candidates wouldn’t feel comfortable redirecting their interviewers — and if they wanted to assess that, they’d get better results by telling you beforehand that they wanted to see you demonstrate those skills, so you’d understand they were role-playing audience members and not worry as much about “interrupting” your job interviewers.

Or, if not that, they might have assessed you on whether you were able to recover smoothly and adjust on the fly in the time you had remaining.

Or they might not have intended to assess you on any of that, but a different candidate handled those things really well and that gave them an advantage.

It’s also possible the feedback means nothing at all — that when you asked for additional feedback beyond what they’d already offered, the person you were talking to just grasped for something without it being a factor that mattered much in their decision.

It’s hard to know whether there’s really anything here that would be useful to work on — but if you’re looking for something, I’d say it’s planning for audience interruptions and adapting in real time when they happen.

23 Jul 18:40

Trump Vows To Unite Nation Against Common Enemy Of Other Americans

GRAND RAPIDS, MI—Addressing supporters at his latest rally, former President Donald Trump vowed over the weekend to unite the nation against the common enemy of other Americans. “We must come together to defeat the scourge that is our fellow Americans,” said the Republican presidential nominee, who reportedly spoke…

Read more...

23 Jul 18:40

J.D. Vance Vows To Fight For Forgotten Communities In Silicon Valley

SAN FRANCISCO—Pledging to never leave behind the many millionaires and billionaires from the region who helped shape him into the person he is now, vice presidential candidate J.D. Vance vowed in a speech Tuesday that he would always fight for the forgotten communities in Silicon Valley. “Many of the Democratic …

Read more...