Did folks not learn this from the response to Hurricane Katrina ? The people of New Orleans were basically left to rot while the State of Louisiana and Federal Government were standing around holding their dicks. When they finally did respond, it was about as bungled as it could be.

Whatever area you live in, figure out what disasters are possible/likely and plan to deal with the fallout from one of those, with zero help for a two weeks or more.

I happen to be a prime example of how bad US Rail is this week. I’m taking my son from near Fredericksburg (the real one), up to Ballston for a summer camp. We have a couple options:

1. Drive

• Distance: ~70 miles one way, ~140 round trip
• Time: 1 hour and 45 minutes one way, with traffic. ~3.5 hours round trip.
• Cost:
  • 4 gallons (US) of gas @ $3.50/gal: $14
  • Wear and tear: estimate at 0.5 gas cost: $7
  • Parking: $11
  • Total: $32/day

2. Virginia Railway Express (VRE) and Washington Area Metro (WMATA)

• Distance: N/A
• Time:
  • Drive to Fredericksburg station: 20 minutes
  • VRE (Fredericksburg to L’Enfant station) - 1 hour 20 minutes
  • WMATA (L’Enfant to Ballston) - 20 minutes
  • Total: 2 hours one way, 4 hours round trip
• Cost:
  • Drive: we’ll just ignore this, it’s close enough to zero.
  • VRE: $23.56/person * 2 people: $47.12
  • WMATA: $3.45/person * 2 people: $6.90
  • Total: $54.02/day

So, for the low, low cost of about 1.68 times the cost of driving, we can take slightly longer to get to our destination and have zero control over our schedule, which makes the actual time devoted to travel considerably longer. We tried the public transit route last year, and it meant leaving earlier in the morning (about 30 minutes) to catch a train to get us there on time, and getting us home around 45 minutes later. And this is right around the US Capitol, which has some of the better transit options. Needless to say, we’re driving this year.

I really want to be able to take transit, but it’s basically dead in the US. Earlier this year, I needed to go to Boston for work. Catching a train from Washington, DC to Boston meant an 7 hour train ride (using the “high speed” Acela line) at ~$500 round trip. Flying was 1.5 hours and cost ~$300 round trip. Wanna guess which option I used?

Basically, all of the incentives are stacked against transit options in the US. Except within certain metro areas, driving or flying is always cheaper and faster. Yes, inside those metro areas, public transit can be great. I used to work in Washington, DC and used the VRE I mentioned earlier to get there and then WMATA or the Capital BikeShare to get to my office. That was great, since I didn’t have to drive into DC every day, which sucks big donkey balls. But it probably wasn’t cost effective and wasn’t really time efficient either.

I’m reminded of a joke I used to see in auto shops:
Cost to fix it - $100
If you worked on it first - $500

Now we can add:
If you used AI to fix it - $1000

But have you considered, line goes up?

Sadly, there are probably a lot of developers who are burning the candle at both ends to push this out the door, on an unrealistic schedule. And who will then burn the candle in the middle as well when the release is a buggy mess. Only to finally be tossed aside like so much trash when the game fails to realize these unrealistic expectations. And all of that will squarely be the fault of management, who will wipe away crocodile tears with the profits this game will generate. Just not the profit they unrealistically promised investors; so you know, the game was actually a failure. Fuck EA’s management, the world would probably be a better place if the C-Level suite and board room got emptied out by some disaster.

Valheim.

Mistlands - Not because “whaaa, Mistalnds hard”, but because the whole area is built around verticality and the game engine most certainly is not. Combat is Valheim is generally pretty good, but after a reasonable amount of playtime, you will experience the frustration of swinging under/over enemies, because of minor variations in terrain height. Mistlands dials this problem up to 11, with the added bonus of enemies which specifically take advantage of this problem.

The Mistlands also turns exploration into a boring, grindy chore. The shorelines are a nightmare to sail around and even with the wisp, the mist is always too close to deal with said shorelines. So, you’re hoofing it through terrain which is designed to be difficult to navigate and move across. The feather cape helps, a bit. But, you’re still going to spend way too long faffing about, jumping up one side of a ridge and floating down the other, only to find that you’re in a gully with nothing useful and need to jump up the other side. Seeing dungeon entrances at any range is impossible. Enemies regularly pop out of nowhere and you’re forced into dealing with the combat verticality problems.

I’ll also throw a bit of shade at “Refined Eitr” as a resource, though I think the problem is less the resource and more the grind to get the parts for it. To start with, you need to make a Black Forge, to make that you need Black Cores, to get Black Cores, you need to spend hours in the mists hoping to stumble across one or more dungeons to get the cores. And inside the dungeons, expect lots of combat where the verticality problem is on prominent display. Now that you have the Black Table, you get to make the Eitr Refinery, which requires more Black Cores. Hope you enjoyed getting them the first time! Ok great, more cores obtained, time to go stumbling about again looking for Soft Tissue. With any luck, you’ve been mining (or at least marking) nodes along the way. Though, expect to spend more time lost in the Mists, you need a shit ton of Soft Tissue. Thankfully, this is a resource you can take through a portal, so that’s nice.

And finally, you get to raid Dverger towns for a required material to extract sap, a Sap Extractor. “What about trade? Vikings were well know traders”, you ask. Nope, fuck trade, all that gold you’ve been collecting, go spend it on some clothes which you will never actually use. You want a Sap Extractor, put on your killing pants and get raiding. Ok fine, we have our Sap Extractor covered in Dverger gore. And that gets us to the least horrible part of our Refined Eitr. Sap extraction is not terrible, find a spot with several roots in close proximity and just rotate a few extractors through them.

Right let’s get our Eitr Refinery built…and why the fuck is one of the input ports on the top? Ok whatever, I’ll build some stairs and…why the fuck is this thing tossing off damaging sparks? Yes, I know you can wrap it in iron bars, but seriously what the fuck? Why is this even a game mechanic? It’s really the perfect metaphor for all of the Mistlands. It’s needlessly annoying and doesn’t really provide anything positive for gameplay or fun. Just another pointless grind tossed in because, “players like hard things, right?”

Mmm, feel that nice astroturf.

The initial access seems to include an Apache CVE from 2019 and a WordPress plugin CVE from 2017. Honestly, UCSD should write a “thank you” letter to Androxgh0st for highlighting their poor patch management, and only using it for C2 in the process. Rather than as a beachhead into the network for a full-blown ransomware attack.

If your patch management is this bad, you shouldn’t be allowed to put stuff on the internet.

For anyone else who asked:
WTF is deepin?

It’s less fun than the first guess I came up with based on the name “deep in”, and it’s really just a Chinese Linux Distro with a bunch of re-packaged and/or proprietary applications. Which, one would expect, to be completely balls “deep in” your private information.

First question which popped into my mind was, “Will they force Defender out as well?”
Or, is Microsoft about to abuse it’s position to stifle competition? Again.

do anticheat count as antivirus?

No. But, from the article:

Microsoft has been speaking with game developers about how to reduce the amount of kernel usage

The CrowdStrike fiasco was finally enough for Microsoft to look at forcing drivers out of the kernel. This is absolutely a good thing and will hopefully lead to a more stable Windows.

Why We’re Opening Betting Sponsorships

Because holy fuck that’s a lot of money.

How We’re Doing It Responsibly

We’'re not. We’re just trying to cash in and pretend we’re not going to take advantage of people with poor impulse control.

I have it on good authority that you currently have a project idea which you can use to pick one (or more) of those paths and start learning. ;-)

For example user management in studio3T

Not sure how I missed this on my first read of your post. But, this looks like a fancy front end to making MongoDB calls. That makes life easier, MongoDB has a well documented API and a driver for C#. As an aside, if you want to get really good at PowerShell, getting a basic working knowledge of C# and .Net in general is really helpful. For the lazy (and I always like lazy), there’s even a pre-built MongoDB module on the PowerShell Galley called Mdbc. There is also the Project’s GitHub Page which has a lot of useful info.

Granted, this path likely means learning enough about MongoDB to create/delete/modify users. But you came here expecting a load of homework, right? Also, this is a good excuse to spin up a docker container running MongoDB and go hog wild breaking the fuck out of it (just call it “research” if management asks). And who doesn’t love breaking stuff?

I’d also note that you may be able to get some help along the way by capturing the network traffic to the server caused by the Studio3T GUI. WireShark can capture the traffic to/from the DB server and you can read that to reverse engineer some of the calls you care about. Just, make sure you talk to your security folks before you download/install WireShark. If they are worth their salt, they’ll understand an engineer installing/running wireshark, it just makes their day easier if they know the alert is coming first. Assuming the GUI isn’t complete shit, it may encrypt traffic. This can be dealt with by using the SSLKEYLOGFILE environmental variable. In most cases, this results in the TLS keys being saved to a file and that can be imported into WireShark.

Good luck, and have fun!

How you gonna teach English without being able to teach nouns words which describe people, places or things?

FTFY, you dirty n-word user you.

The other way to read this data is that 75% (a sizable majority) of people feel they can be comfortable on less than $150k. I also suspect this strongly correlates to location. Someone living in Washington, DC is going to need a lot more to feel comfortable than someone living in Bumblefuck, MO.

There’s plenty of fraud, waste and abuse. It’s just conveniently called “contracting”, so money can be shoved out the door to private companies which do half the work at twice the price and end up delivering shoddy results. The reason DOGE didn’t find anything was that they weren’t looking at the contracting companies and instead were looking at the agencies themselves and the employees working for them. I won’t say that some of those agencies aren’t a complete waste of money (see: TSA, ICE, DOGE); but, DOGE was hyper-focused on agencies which actually do useful stuff (e.g.: SSA, NOAA).

Theoretically, browsers could even stop from the JS engine from being started for the site in the first place.

The NoScript extension is basically this. Most of the client side stuff is off by default and you can enable it per-domain. It breaks a whole lot of websites, but often in ways where the main content of a website is still readable. Over time, you can build up a list of “allow by default” domains and most of the web you care about works. Though, you may have to spend a moment or two sorting out permissions when you visit a new site.

There are a few options:

1. Use AutoIT or some similar automation framework. Generally, this is pretty easy and gets the job done. Your security folks may hate you (AutoIT binary hashes are basically all assumed to be malware IoCs at this point),
2. Depending on how the GUI works, you may be able to reverse engineer the calls made by the application and just make those calls yourself. For a Web UI, you can use something like BurpeSuite or even just the FireFox developer tools to catch the web calls and then modify/replay those as desired. For a console application, it could be trickier, as you may need to either load the software’s libraries (DLLs) or figure out database calls. It all depends on how the user data is stored and updated.
3. Using P/Invoke you can load several functions from the Win32 API, specifically FindWindowEx and EnumChildWindows to locate the GUI application and any specific form items you want to manipulate (e.g. TextBoxes to fill, Buttons to click). You can then modify properties or send clicks. You’ll probably hate yourself at the end of this project, but you’ll learn a lot.

That’s my bet. This is cranks and grifters thinking no one is going to check their work, so they saw no reason to bother checking it themselves.

If you care about your privacy, don’t use products from a company whose entire business model is built on invading your privacy.

While I don’t doubt that Iranian backed groups are more likely to target US based assets, I’ve been reading these reports for the last couple days and the “guidance” coming out of the US Government (USG) has been incredibly lackluster. CISA is basically saying, “use MFA and don’t use default passwords.” No shit, should I also plug in the power cord? It’d be great if some sector of the USG would publish something useful. Like a rundown of TTPs or even IoCs. The USG no doubt has a ton of SIGINT on these groups, and I understand that they can’t share all of it; but, fuck me could you at least put something more useful out than “use MFA”?