• ek



    Viewing 15 replies - 16 through 30 (of 34 total)
    • in reply to: Still no DejaBlue exploits generally available #1913512

      Well… wow!

      I re-read my initial comment and I could find no mention of patching.  And… that’s because I was careful in the words I chose.  The words I did choose (paraphrased here) were: “…take proactive steps…”.

      Heck, as of last month I decided to stop installing updates on my Win 7 systems permanently.    And, I actually disable the performance sucking side channel (eg: Spectre/Meltdown/etc) patches on my systems – but I mitigate the risk through other steps (browser & browser security/privacy add-on choices, browsing habits, firewall rules, etc).

      There are indeed steps users can take to mitigate the RDP risk without actually installing update(s).  Those steps have been mentioned by others in this forum (& me too):

      • Disable the RDP service
      • Block the RDP protocol at the home router/firewall (both inbound & outbound)

      One or both of the above have been mentioned in other related threads here and I’ve taken the steps myself… and not patched.

      Yes, for some users RDP is essential, so the above is perhaps impractical (OK, you could fine tune the router/firewall blocking rules to allow RDP to/from specific trusted hosts).

      But there are also many users that don’t use RDP at all, so disabling and/or blocking RDP seem reasonable mitigations.

      I deliberately did not mention the above steps in my original post, nor did I recommend updating.  I left the course of action up to the readers to research & decide for themselves.

      But, yes, I did express an opinion about not agreeing with the “no need to take this vulnerability seriously because it’s not being seen in the wild yet” mentality.  I worried it would trigger some rebuttals.  Regardless, I stand by my opinion on the matter.

      I’d also like to point out that I’ve been quite vocal (in this forum and elsewhere) about how utterly awful MS updates have become, as they now often seem like a new category of malware.

      Thank goodness for Linux.

      • This reply was modified 4 years, 6 months ago by ek.
      1 user thanked author for this post.
    • in reply to: Still no DejaBlue exploits generally available #1913337

      I guess I’m interpreting the blog post you cite very differently.  Specifically, the MalwareTech blog post: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html

      In the blog post, the author appears to have deliberately crafted test exploits that would just crash the RDP service.  It appeared to me that he did so because it was a very quick and simple proof-of-concept that a BlueKeep style exploit could work.  He did not go further and craft a RCE exploit.  I can imagine why he made that choice.

      His sentence at the end of the article is the most important: “This bug is powerful because object instances are stored on the same heap, making it possible to overwrite them.”  The ability to overwrite heap objects is a powerful vector for remote code execution.

      I just don’t get the “no need to take this vulnerability seriously because it’s not being seen in the wild yet” mentality.  That’s because it communicates what many folks want to hear: “no need to take proactive steps now, just wait until a bunch of poor folks get harmed first.”  That’s all well and good – as long as you are not one of those users initially affected by the security hole.

      • This reply was modified 4 years, 6 months ago by ek.
      2 users thanked author for this post.
    • in reply to: Patch Lady – Choosing a home backup solution #1911597

      Over the years, I’ve probably used most of the backup tools mentioned here.  However, a few years ago I switched to using Clonezilla.  I use it to stream backups  over the home net to a general purpose home NAS.  I also replicate the backups to other storage for redundancy, but that’s a longer story.  Clonezilla supports encryption and I use that feature.  Using Clonezilla can be fiddly, but it works great for me and has saved my bacon a few times.

      If you decide to play with Clonezilla, use the Ubuntu-based Clonezilla Live version as it (usually) has better hardware compatibility than the Debian flavor.

      1 user thanked author for this post.
    • in reply to: Write protected memory stick. #1911438

      Over the years I’ve had a few micro-SDs set themselves to read-only.  In those cases, some kind of error/corruption caused the card’s microcode to set the card to read-only.  It’s presumably a safety feature so you don’t lose data.

      Anyway, my “fix” has always been:

      • copy the files off the card
      • pop the card into a digital camera and format it

      If the above works, I copy the files back to the card & I’m good.

      Sometimes even the camera format fails.  In that case I consider the card no longer reliable and time for replacement.

    • I don’t ever need or use RDP.  So, I just disable RDP in Windows AND make sure my home firewall blocks inbound & outbound RDP. Done & no need to patch.

      But if you are a mobile user with Windows on a laptop (ie: no external firewall you control) and/or need RDP & VB, then I feel your pain.  Tough decision.

      • This reply was modified 4 years, 6 months ago by ek.
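      The two mitigations listed above (and in the #1913512 reply) as an added example, not the poster’s own: a PowerShell script that audits a Windows host for them and, with -Enforce, applies the host-level equivalent. It assumes an elevated prompt, the default listener port 3389, and uses netsh for the firewall part so it also runs on Windows 7, where the NetSecurity cmdlets do not exist.

```powershell
# Added example (not from the forum post): audit, and optionally enforce, the
# two RDP mitigations on a Windows host. Run from an elevated PowerShell.
param([switch]$Enforce)

$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPort = 3389   # assumption: default listener port; adjust if PortNumber was changed

# --- Audit ---------------------------------------------------------------
# fDenyTSConnections = 1 means Remote Desktop is switched off in System Properties.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$svc  = Get-Service -Name TermService                     # "Remote Desktop Services"
$mode = (Get-WmiObject Win32_Service -Filter "Name='TermService'").StartMode
# Any local socket still listening on the RDP port, regardless of service state.
$listening = [bool](netstat -an | Select-String 'LISTENING' | Select-String ":$rdpPort ")

Write-Host ("Remote Desktop allowed : {0}" -f ($deny -ne 1))
Write-Host ("TermService            : {0} (startup: {1})" -f $svc.Status, $mode)
Write-Host ("Listening on port {0}  : {1}" -f $rdpPort, $listening)

if (-not $Enforce) { return }

# --- Enforce -------------------------------------------------------------
# 1. Disable the RDP service: refuse connections, stop it, and keep it from starting.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
Set-Service  -Name TermService -StartupType Disabled

# 2. Block the RDP protocol in the host firewall, inbound and outbound.
#    The post blocks at the home router; this is the host-level equivalent,
#    which also protects a laptop once it leaves the home network.
netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
foreach ($proto in 'TCP', 'UDP') {
    netsh advfirewall firewall add rule name="Block RDP inbound ($proto)" `
        dir=in  action=block protocol=$proto localport=$rdpPort  | Out-Null
    netsh advfirewall firewall add rule name="Block RDP outbound ($proto)" `
        dir=out action=block protocol=$proto remoteport=$rdpPort | Out-Null
}
Write-Host "RDP disabled and blocked on this host; re-run without -Enforce to re-audit."
```

      Re-running the audit afterwards should report “allowed: False”, a stopped/disabled TermService and no listener on the port; if RDP is needed for a specific trusted host, add a narrower allow rule rather than removing the blocks.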
    • in reply to: August 2019 Security patches: It’s a biiiiiiiiig month #1908468

      I’m doubtful that the fixes/mitigations in the update will plug all the CTF attack vectors.  A few, maybe.  All, unlikely.

      CTF is just too entwined in the OS and probably requires a relatively long duration dev effort to re-engineer it (or rip it out) without breaking too much stuff.  I don’t see this happening for Win 7 or 8/8.1.  Win 10, maybe.

    • in reply to: August 2019 Security patches: It’s a biiiiiiiiig month #1908430

      ? says:

      thank you ek for the explanation! so this “new,” Windows vulnerability can be described as just another one of many “potential” attack avenues not (currently) being exploited? and the real and present danger is using Windows updates or Windows at all?

      Short answer to your 1st sentence: yes.  But this vulnerability is very different than the processor side channel vulnerabilities like Spectre – which are (generally) computationally expensive to leverage (ie: complex and relatively slow).  CTF is easy & fast to exploit to gain admin privs.

      On your 2nd sentence:  Well, if I made a statement like that I would be half serious.

      I’ve been using Linux the majority of the time for years now.

      I still run Windows 7 on some systems, but in doing so I follow these practices:

      • MS updates are now often as risky as malware.  So, I recently stopped patching.  Prior to that, I always kept the systems up to date.
      • The systems are behind a secure router with inbound/outbound rules set.
      • I periodically inspect system activity (process, disk, network, etc.).
      • I use a commercial Antivirus app and also do manual Defender scans.
      • I use a local DNS server/filter and DNS services (like Quad9 and OpenDNS) to block risky/unwanted hosts/domains.
      • The Windows systems never access the internet and especially: I avoid running a web browser of any sort on them.  But if I absolutely have to, I use Firefox with a number of security/privacy addons (eg: noscript, privacy badger, UBlock, containers, etc.).
      • I never store any sort of important documents on a Windows system anymore.
      • The systems are never “always on”.  I boot them when I need to use Windows and shut them down when done.
      • Software/application wise: the systems are “frozen”.  I don’t & won’t install any new Windows software (other than, maaaaybe, updates).
      • I disable a number of unneeded Windows services and block telemetry.

      So, yes, that’s a lot of compromises & hoops to jump through just so I can (occasionally) use a handful of Windows based apps I’m reluctant to abandon.  Not sure how much longer I’ll be willing to put up with it.

      4 users thanked author for this post.
    • in reply to: August 2019 Security patches: It’s a biiiiiiiiig month #1908157

      ? says:

      thank you, ek

      did you see in the videos and in the code how quickly and easily windows can be compromised? i have always disabled ctfmon.exe from XP on up, so do you think that would slow down the cracking procedure?

      Yes, I watched the video and shook my head in dismay.  MS ignored re-designing CTF to make it secure for 20 years.  I’m pretty sure at least some of their internals/kernel team knew about the mess.  I’m speculating that big changes to CTF internals would be messy and likely break a lot of stuff, so they punted.

      I don’t think disabling ctfmon will help.  Anyone can craft their own executable that leverages the CTF “API”.  This is one of those vulnerabilities that’s yet another great “tool” for malware and phishing.

    • in reply to: August 2019 Security patches: It’s a biiiiiiiiig month #1907987

      CTF vulnerability (CVE-2019-1162) is scary.
      What is vulnerable?  Oh, just everything that contains text.

      Yes, catastrophically bad and profoundly dangerous.

      I read Ormandy’s (project zero) blog post ( https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html ). I consider it priority reading for anyone concerned about Windows security.  Advance warning: expect a lot of face-palming and hand-wringing while you read it.

      The vulnerability is so bad – and seemingly so hopelessly entrenched throughout Windows – I don’t see how MS can ever truly fix it completely.  Especially with their current dev teams.  It’s present in all versions of Windows from XP to Win 10.  So it’s been there for 20 years and just now discovered.  Ug!

    • in reply to: Defragmentation of the System Reserved partition? #1906780

      So, it’s a 100MB partition with 25MB of data stored?  Absolutely no need to defrag in my opinion. If you were talking about a much larger partition and several GB of data then defragging might make more sense.

      Think about it: with such a tiny 100MB partition and only 25MB of data involved you’ll get 8% fragmentation with just one or two fragmented files that are a few MB in size.

      But, even more fundamentally: the entire 25MB on that partition will be read into the drive’s on-board cache after just a few spins of the platters (most modern mechanical drives have on-board cache >=  32MB).  So, even if you did somehow defrag the 100MB reserved partition you wouldn’t see any real performance benefit.

      I’ve assumed your drive is mechanical.  If it’s actually a solid state drive then it makes even less sense to defrag the reserved partition.

      • This reply was modified 4 years, 6 months ago by ek.
    • If telemetry is there to tell Microsoft that your machine didn’t blue screen, is that too much?  Seriously, if a level of telemetry is there to give MS feedback on the quality of updates so that you don’t have to suffer through bad updates and even worse support experience, why is that a bad thing?

      As an aside I thought this wasn’t the first time telemetry updates were included in security updates but I’m trying to find that post.

      You leak data on the web now.  Chrome leaks it.  Firefox leaks it.  It helps developers know when crashes are occurring and to fix their software.  Why is this evil?


      I get what you are saying, and maybe 20 years ago it would be passable.  But not in today’s world.

      Just because so many entities on the web currently leak & slurp up user data doesn’t mean consumers should just relent and let it happen to them.  In fact the notion of “user data rights” is enjoying growing public support, evidenced by what Facebook/Google/Apple/etc are dealing with right now.  MS should be on that list too, as they seem to be flying under consumer privacy/data radar since Win 10 launched.  I remain hopeful.

      Regardless of operating system, I require the option to turn updates on/off whenever I wish and opt out of telemetry for as long as I want.  Nothing less.


      4 users thanked author for this post.
    • In recent years I religiously kept doing a number of tweaks (some described in this thread, some on other blogs) to stop telemetry on my Win 7 systems.  But MS kept pushing updates that re-activated telemetry. So frustrating & disappointing.

      The only thing that really works for me – and is easily reversible – was implementing a Pihole adblocker at home and adding a blocklist a github site maintains for blocking MS telemetry.  The blocklist works well, is easy to disable if needed and is completely independent of Windows.

    • in reply to: Windows 10 avoiders: What would change your mind? #1893274

      What would change my mind to motivate me to adopt Win 10?  Compensate me.  I’ll explain…

      MS is slow-walking Win 10 users to a fee-based subscription service.  A service that enforces unprecedented control of user PCs [OK, unprecedented except for maybe Chrome OS].  A service that regards end users and their PCs as the product, reaps user data and their PC CPU cycles, making revenue off them.  It’s moving to what looks to me as a very lop-sided business arrangement between the end user and MS – with MS eventually having all the leverage.

      So, to entice me to embrace Win 10 (and whatever its service model morphs to in the future) I need MS to compensate me for both the use of my personal/activity data, my PC’s resources AND the network bandwidth their business activities consume.  I think a fair trade would be Win 10 for free and a 75% subsidy of any PC I purchase to run Win 10 on… and NO monthly subscription fee.  If they do that I’ll play by their rules if I go Win 10.

      Otherwise, no deal.

      • This reply was modified 4 years, 7 months ago by ek.
      2 users thanked author for this post.
    • in reply to: A newbie's experience with Linux #1891732

      @klaas-vaak:  I did some checking & it seems like Lenovo laptops can sometimes be a challenge to control CPU or system power under Linux, resulting in poor battery run time and/or excess CPU throttling on AC power.

      There are a few tools some folks have developed specifically for Lenovo Linux laptops.  As an example:


      I have NOT toyed with this yet, but I have looked it over and it looks promising.  But there are some conditions to using it: you’ll probably have to disable UEFI Secure Boot (a show stopper for some I’m sure) and disable thermald (if your Mint install uses it).

      The thing I like about throttled is it supports setting the tdp_down state in CPUs that support the feature.  I’m pretty sure Windows 10 effectively allows configuring tdp_down on some i5-or-greater laptops to achieve better on-battery time.

      I’m assuming much on this, but I believe throttled and TLP can be run together – so long as all CPU control options in TLP are effectively turned off.

      But, sadly, it looks like thermald is strictly command-line and configuring it could be daunting for some Linux novices.

      • This reply was modified 4 years, 7 months ago by ek.
    • in reply to: A newbie's experience with Linux #1891231

      @ek: that’s interesting what you wrote about TLP. A couple of months ago I bought a Lenovo laptop with Win 10 pre-installed, which I deleted during the installation of Mint 19.1. I also installed TLP and left the default settings. I have not seen any improvement in battery life, which is a terrible 2 hours !! despite people saying TLP is fantastic – you confirmed it.

      Would you care to share what settings you tuned to bump up battery life?

      Have you installed TLPUI?  It’s a gui interface to TLP.  Info on installing here:


      It makes tweaking & testing TLP settings much easier.

      Also, I use TLP to tune both battery and AC power modes.  The battery mode tune is tailored to save a lot of power and extend battery run time.  AC tune is mostly tailored to de-tune CPU pstates (processor speed steps) to keep the cores running at the highest speeds that don’t trigger constant thermal throttling.

      The attached plain text file below contains my tlp settings.  Disclaimer: the settings are extremely hardware specific and probably won’t work as-is on your system.


      • This reply was modified 4 years, 7 months ago by ek.
      1 user thanked author for this post.