sylver_dragon

Did folks not learn this from the response to Hurricane Katrina ? The people of New Orleans were basically left to rot while the State of Louisiana and Federal Government were standing around holding their dicks. When they finally did respond, it was about as bungled as it could be.

Whatever area you live in, figure out what disasters are possible/likely and plan to deal with the fallout from one of those, with zero help for a two weeks or more.

But have you considered, line goes up?

Sadly, there are probably a lot of developers who are burning the candle at both ends to push this out the door, on an unrealistic schedule. And who will then burn the candle in the middle as well when the release is a buggy mess. Only to finally be tossed aside like so much trash when the game fails to realize these unrealistic expectations. And all of that will squarely be the fault of management, who will wipe away crocodile tears with the profits this game will generate. Just not the profit they unrealistically promised investors; so you know, the game was actually a failure. Fuck EA’s management, the world would probably be a better place if the C-Level suite and board room got emptied out by some disaster.

The initial access seems to include an Apache CVE from 2019 and a WordPress plugin CVE from 2017. Honestly, UCSD should write a “thank you” letter to Androxgh0st for highlighting their poor patch management, and only using it for C2 in the process. Rather than as a beachhead into the network for a full-blown ransomware attack.

If your patch management is this bad, you shouldn’t be allowed to put stuff on the internet.

For anyone else who asked:
WTF is deepin?

It’s less fun than the first guess I came up with based on the name “deep in”, and it’s really just a Chinese Linux Distro with a bunch of re-packaged and/or proprietary applications. Which, one would expect, to be completely balls “deep in” your private information.

Why We’re Opening Betting Sponsorships

Because holy fuck that’s a lot of money.

How We’re Doing It Responsibly

We’'re not. We’re just trying to cash in and pretend we’re not going to take advantage of people with poor impulse control.

I have it on good authority that you currently have a project idea which you can use to pick one (or more) of those paths and start learning. ;-)

For example user management in studio3T

Not sure how I missed this on my first read of your post. But, this looks like a fancy front end to making MongoDB calls. That makes life easier, MongoDB has a well documented API and a driver for C#. As an aside, if you want to get really good at PowerShell, getting a basic working knowledge of C# and .Net in general is really helpful. For the lazy (and I always like lazy), there’s even a pre-built MongoDB module on the PowerShell Galley called Mdbc. There is also the Project’s GitHub Page which has a lot of useful info.

Granted, this path likely means learning enough about MongoDB to create/delete/modify users. But you came here expecting a load of homework, right? Also, this is a good excuse to spin up a docker container running MongoDB and go hog wild breaking the fuck out of it (just call it “research” if management asks). And who doesn’t love breaking stuff?

I’d also note that you may be able to get some help along the way by capturing the network traffic to the server caused by the Studio3T GUI. WireShark can capture the traffic to/from the DB server and you can read that to reverse engineer some of the calls you care about. Just, make sure you talk to your security folks before you download/install WireShark. If they are worth their salt, they’ll understand an engineer installing/running wireshark, it just makes their day easier if they know the alert is coming first. Assuming the GUI isn’t complete shit, it may encrypt traffic. This can be dealt with by using the SSLKEYLOGFILE environmental variable. In most cases, this results in the TLS keys being saved to a file and that can be imported into WireShark.

Good luck, and have fun!

There’s plenty of fraud, waste and abuse. It’s just conveniently called “contracting”, so money can be shoved out the door to private companies which do half the work at twice the price and end up delivering shoddy results. The reason DOGE didn’t find anything was that they weren’t looking at the contracting companies and instead were looking at the agencies themselves and the employees working for them. I won’t say that some of those agencies aren’t a complete waste of money (see: TSA, ICE, DOGE); but, DOGE was hyper-focused on agencies which actually do useful stuff (e.g.: SSA, NOAA).

Theoretically, browsers could even stop from the JS engine from being started for the site in the first place.

The NoScript extension is basically this. Most of the client side stuff is off by default and you can enable it per-domain. It breaks a whole lot of websites, but often in ways where the main content of a website is still readable. Over time, you can build up a list of “allow by default” domains and most of the web you care about works. Though, you may have to spend a moment or two sorting out permissions when you visit a new site.

There are a few options:

1. Use AutoIT or some similar automation framework. Generally, this is pretty easy and gets the job done. Your security folks may hate you (AutoIT binary hashes are basically all assumed to be malware IoCs at this point),
2. Depending on how the GUI works, you may be able to reverse engineer the calls made by the application and just make those calls yourself. For a Web UI, you can use something like BurpeSuite or even just the FireFox developer tools to catch the web calls and then modify/replay those as desired. For a console application, it could be trickier, as you may need to either load the software’s libraries (DLLs) or figure out database calls. It all depends on how the user data is stored and updated.
3. Using P/Invoke you can load several functions from the Win32 API, specifically FindWindowEx and EnumChildWindows to locate the GUI application and any specific form items you want to manipulate (e.g. TextBoxes to fill, Buttons to click). You can then modify properties or send clicks. You’ll probably hate yourself at the end of this project, but you’ll learn a lot.

While I don’t doubt that Iranian backed groups are more likely to target US based assets, I’ve been reading these reports for the last couple days and the “guidance” coming out of the US Government (USG) has been incredibly lackluster. CISA is basically saying, “use MFA and don’t use default passwords.” No shit, should I also plug in the power cord? It’d be great if some sector of the USG would publish something useful. Like a rundown of TTPs or even IoCs. The USG no doubt has a ton of SIGINT on these groups, and I understand that they can’t share all of it; but, fuck me could you at least put something more useful out than “use MFA”?

If you repeat a lie enough times, eventually you start to believe it. Others might also start believing it. Get enough people fully wrapped up in your lies and now you have a cult. Your cult followers will happily swallow any lie you tell them and defend it, often to the point of torture and death. This is pretty much where we are with MAGA, it’s a cult of personality and it’s followers will happily slurp up anything which dribbles out of Trump.

I’m curious to see if the cult outlives its original prophet. Once Trump kicks it, does the cult undergo a transition to a full blown religion? Or, does it fizzle out without it’s original charismatic leader?

1. I don’t want to use the command window for everything, or really much of anything, at least at the start.

With many of the modern distros, you can get a long way without a lot of command line work. But, some interaction will likely still be inevitable. However, most distros include either flatpak or snap, which lets you download, install and update software via the Graphical User Interface (GUI). So, there shouldn’t be too much command line work required.

2. I currently use Proton VPN and I’d like to use it on this new laptop too.

It looks like Proton officially supports Ubuntu. And I would note that it expects the GNOME desktop, not KDE. So, Kubuntu will likely run into issues (probably the same issues as Mint). That said, they also have a page on installing on Linux Mint which seems to indicate skipping a single step. There are also guides out there for installing Proton VPN, without using the terminal.

As an aside, unless you need a VPN to securely access a remote network, shift your apparent location or for downloading/sharing copyrighted works, consider saving the money and not paying for a VPN. They are mostly just a waste of money for the average user. Sorry, I’ll get off my soapbox now.

So, does this mean I should use Ubuntu? And will Kubuntu work or would I have to use a different version of Ubuntu? And is there no way to get Proton without using the console?

Just going with Ubuntu might be easier and it’s the officially supported distro. If you run into a problem, you may have trouble getting support on an unsupported distro. That said, it looks like getting it running on Mint/Kubuntu seems easy enough and works. I’m personally a fan of the KDE desktop (this is where the “K” in Kubuntu comes from) and think it makes the Windows->Linux transition somewhat better.

if I’m able to change to a custom mouse pointer (I currently use a cute one that I’d like to also use on the new laptop)

Yup, you can change the mouse pointer. Not sure if you can import your current one, but that’s going to depend on the format and where you got it.

if keyboard shortcuts like alt-tabbing work or are easily configurable

You’ll find many of the shortcuts work the same. Even the ones using the “Windows” key are mostly similar, though you’ll see it referred to as the “Meta” key. Alt-Tab as an example works exactly the same. And yes, they are configurable.

I’m kind of confused about how updating things works on linux. Will I be able to easily update to a new version of whatever distro I’m using?

So, edging back onto my soapbox for a sec (you can safely skip this whole paragraph, if you want), the software ecosystem in Linux is a mess at the moment. It’s very much the XKCD Standards situation. First, you will likely have the main OS way to update the OS and software. For Ubuntu, this will be via .deb packages. You’ll update these via a command like sudo apt update && sudo apt upgrade. The you will have one or more other package managers for containerized packages. This will be flatpak or snap. Why do we have one (or both) of these? Well, like a lot of standards fuckery it comes down to some very good technical reasons and nerds thinking that they are going to be the one to provide the “One True Solution”. And of course, that’s why we now have multiple completing standards. And then you get AppImage based software for developers who don’t want to be bothered with package managers and who hate security.

(non-soapbox answer) Yes, updating is usually pretty easy, but it may involve updating in more than one place. At minimum, you’re likely to need to do OS updates via something like the apt commands and also updating via flatpak.

Will I be able to easily update to a new version of whatever distro I’m using? Do I even want to update to the newest version?

Mostly yes and absolutely yes. For the distro upgrade here’s an example (not my blog) for the latest Mint upgrade. Pretty simple stuff. As for “Do I even want to update to the newest version?”, tip number one for keeping your system secure is: install your updates. This is true regardless of what OS you’re on. Please, if you install it, keep it up to date. This is what happens when people neglect updates.

And is there a way to be notified and set auto-updates for some applications?

Yes, and probably best to just turn on automatic updates and forget about it.

I’ve seen quite a few threads and questions about having to manually update things, but if I get an application from the software manager then will it be as easy as a clicking a button?

Yes, if you install from the software manager (behind the fancy name, this will be either flatpak or snap in Mint or Kubuntu) updates will be a one-click affair. Or better yet, automagically handled, if you turn that on. Turn that on.

I know I’ll have to adjust and just learn-by-doing some things no matter which distro I pick

Unfortunately yes, there will be a learning curve. But, I promise it’s not so bad and it’s completely worth it. And there are lots of folks here who will be happy to help (and a few jerks who will scream “RTFM!”, sorry about those, they suck.). If things get too bad, you can always go back to Windows, you have a license and it’s pretty easy to reinstall these days.

uhhh how easy is it to fuck up the process of trying and then installing a linux distro? Like completely-make-the-computer-unusable fuck up?

It’s really, really, really hard to get the computer completely fucked up and unusable, just by changing the OS. Seriously, the most likely way you would do this is by dumping your drink of choice in the keyboard because you got distracted. The great thing about software is that it is very rarely permanent. And nothing you’re doing here would be permanent. Go wild and try try a new distro. If things don’t work out, going back to Windows isn’t hard at all.

So based on all that, should I just go for Linux Mint like most new users? Or would you recommend a completely different distro?

I’m gonna go out on a limb and say that Mint is great choice and the one I’d recommend. While I don’t use it myself (I hate myself, so I use Arch), it’s got a solid reputation, is designed to make the transition from Windows easier and uses KDE for the interface (don’t worry if that last bit doesn’t make sense, just roll with it). There is also a lot of support available here on Lemmy and across the web.

That actually sounds like a reasonable response. Driving assist means that a human is supposed to be attentive to take control. If the system detects a situation where it’s unable to make a good decision, dumping that decision on the human in control seems like the closest they have to a “fail safe” option. Of course, there should probably also be an understanding that people are stupid and will almost certainly have stopped paying attention a long time ago. So, maybe a “human take the wheel” followed by a “slam the brakes” if no input is detected in 2-3 seconds. While an emergency stop isn’t always the right choice, it probably beats leaving a several ton metal object hurtling along uncontrolled in nearly every circumstance.

First thing that comes to mind is spending a week camping on the shores of Lake Mead many years ago. Didn’t shower for a week, though one could argue that being scoured by lake water when you either go flying off an inner-tube or make a mistake while water skiing, does a fine job of taking the dirt off.

War is Peace. Freedom is slavery.
And now for your Five Minute Hate.

It’s a good thing the American people would never elect a demented narcissist to the office of The President.

Fuck.

Maybe we could create something new and wonderful? Oh wait, no. let’s just see what else we can dredge up from the bottom of the nostalgia barrel, run for two seasons and then kill because it wasn’t a super breakout success.

A couple thoughts. Assuming your motherboard is capable of SATA hot-swap and has it enabled (look in your BIOS), you should be able to umount the game drive, and swap it without shutting down. Assuming the game drives are partitioned using GPT, you should be able to add individual entries in /etc/fstab using the partition UUIDs and control mounting and umounting to specific mount points for different drives. Personally, I would add the noauto option to those entries, so that mounting is done manually and can be controlled easily.

OS drive swapping may be simpler, depending on your BIOS. With the system powered off, swap the drives and assuming the BIOS picks up the new boot partition cleanly, you’re off to the races. The only issue would be if the BIOS just doesn’t want to recognize one of the drives’ boot partitions. I had this issue with my Arch install and my MSI motherboard. The motherboard won’t recognize the default install location and I had to move the boot files around to work in a fallback mode. Annoying, but solvable.

Finally, as others have said, this could all be a matter of over-complicating things. Why not just stuff all the drives in the case and always have everything? You can configure the primary drive’s boot loader to let you pick between which OS to boot. And you can have any and all data drives mounted at the same time. Unless you are struggling with physical space or power requirements, it saves on having to muck about with swapping stuff.

do any of you hate how self-hosting services like photo- or document-management systems, or even a simple rss tool, forces you to sort your stuff out, and put your decades old files in order?!

What is this “sort” thing you speak of? I don’t sort anything, I have NextCloud syncing my entire photos, videos and documents folders and they are just as messy as ever. Granted, I do go through my photos and videos once a year and dump them in a folder named for the year they were taken. Occasionally, I’ll go hog wild and try to sort some of a year’s photos/videos into folders named after events. Though, that hasn’t happened in a number of years. I setup NextCloud so I could have everything synced to my own server and just forget, not have to deal with labeling my data.

As for bookmarks. I already keep those in folders; but, I don’t sync those. I use my desktop far more than I use my phone for web browsing. And the types of things I use my phone for (mostly recipes), I just keep bookmarked there.

The first issue with running a coin miner is using company resources for your own profit. Your own system, using your own electricity, go for it. Running it on a company owned laptop, while at a company building, burning electricity the company is paying for. Ya, that starts to get uncomfortably close to fraud or theft. There is also that whole, “running unauthorized software on a company system, doing who knows what else in the background.” There is a very real possibility that the coin miner has unknown vulnerabilities which could allow remote code execution; or, just outright be malicious and contain a remote access trojan. Maybe he was smart enough to audit all the code it was using and be very sure that’s not the case. More likely, he just grabbed a random implementation of XMRIG, put his wallet in the config file and ran it. Either way, he also made a point of refusing to remove it, so we escalated up to management. With the recent ransomware outbreak having been in the multi-million dollar (possibly low tens of millions) damage range, refusing to remove unauthorized software went over about as well as a lead balloon. There may have been other factors at play; but, the unauthorized software and being a dick about removing it was what got him out the door.