The article literally talks about how one of the server implementations does exactly that:
> Does this affect Prosody?
> Not directly. Let’s Encrypt is not the first CA to issue server-only certificates. Many years ago, we incorporated changes into Prosody which allow server-only certificates to be used for server-to-server connections, regardless of which server started the connection. [...]
I wouldn't be surprised if this happened without JD Vance's knowledge. This sounds like a thing that Secret Service would make happen to make sure they can secure him at all times.
I wouldn't be surprised if it was explicitly requested to make for a more fun kayaking trip either. This sounds like a thing that someone who rejects climate change while receiving big oil donations would do.
Our politics does have some good parts. The political system we have is reasonably good. We have many political parties due to the proportional representation system. A single party is also unlikely to get a majority in parliament on their own, so parties with different backgrounds will have to work together to form a functioning government.
We do suffer from many political parties not willing to cause short term pain to improve long term outcomes. There are a few urgent issues going on in politics at the moment. Stuff where a decision needs to be made now and action should be taken. But the political parties do not want to make those decisions because they would inflict short term pain to some voters but would also improve the long term quality of life and economics of the Netherlands.
The worst part is that those issues have been known for a long time, but decisions were postponed over and over again because politicians didn't want to make the decision, making the issues worse and more urgent over time.
At the same time populism is clearly on the rise in the Netherlands. A famous thing happening in a debate before the previous elections was a populist saying "But this woman cannot wait for the costs to be decreased, she needs it now." about decreasing a specific part of healthcare costs for citizens. Of course when the same populist became the biggest party during the elections, they never introduced anything to decrease that part of the healthcare costs.
>Of course when the same populist became the biggest party during the elections, they never introduced anything to decrease that part of the healthcare costs.
This depth you are never going to get in a college education anyway. Especially not since programming isn't (and shouldn't be) the only thing you learn in a Software Engineering / Computer Science bachelor.
The type of work the people working at an APT do is mainly office work, while it still is very much "hands-on-keyboard" work (so you cannot set an action to automatically occur when nobody is checking the results in the middle of the night). You might want to try shuffling this up when you are in charge, but your (usually highly skilled and expensive) employees probably don't want to be working weird shifts all the time. Especially when they have families.
It also may not be worth it. Generally APTs want to stay under the radar while they are executing. But after the goals have been reached, most of the time it doesn't matter much if they get attributed. We have yet to see real consequences against any APTs. So paying your employees more to work night shifts likely doesn't stack up against the consequences of attribution.
I have a hard time imagining these APT attacks are manual at the keyboard typing. That seems like an invention for entertainment whereas I'd expect reality to be "run script & establish an ongoing backdoor" or "run script & perform attack". You might need on-call to flag if anything has gone wrong, but I'd have a hard time imagining the entire team is involved for that so the cost of paying extra for an on-call is quite trivial vs the overall cost of the team. In industry that's not even compensated since salaried employees don't get overtime although I imagine that for government work the unions have negotiated this better.
EDIT: Huh, I guess sometimes it is like the movies:
> One of the frameworks used by TAO that was forensically uncovered during the incident named “NOPEN” requires human operation. As such, a lot of the attack required hands-on-keyboard and data analysis of the incident timeline showed 98% of all the attacks occurred during 9am – 16pm EST (US working hours).
On-Call for mission of this size sounds fairly unlikely, doesn't it?
You wouldn't spend hundreds of thousands of dollars on large scale attacks with lots of (temporary) infrastructure and planning to then yolo it at the last minute and hope that everything goes well and you have the results back when you come back on Monday.
> I have a hard time imagining these APT attacks are manual at the keyboard typing.
(My perspective on this comes from doing security assessments and pentests 10+ years ago. Take that for what it's worth.)
I think of it a little bit like robotic vs. human space missions.
A robot can gather a ton of data without human intervention. It can perform repeated mindless activities. A certain amount of contingency against unforeseen issues can be engineered-in. Beyond the point of expected anomalies, though, the robot is going to fail (and perhaps expose your operation).
When it comes to reacting to rapidly changing mission conditions nothing beats a human in the loop. It's really hard to plan for all the peculiarities of any given environment. Intuition and experience play an immense role. Most of all, though, you may only get one shot before you're detected and stopped.
I wonder how APTs operate. I guess it is not too different from a well funded corporate red team, but the stakes are higher and the opponents have an almost unlimited amount of resources.
Do we have any probe into the state-sponsored APT world? I wouldn't be surprised if there isn't any, but would like to know.
The biggest piece of advice I have is to not give up too easily. The writeup makes things seem a lot easier than they actually are. While working on this project I had many moments where I almost gave up. Pushing past such roadblocks can get you to great insights.
For learning how to do such things? Well, a general computer science or electrical engineering background is a great start already. Ideally you learn a bit about embedded systems and how electricity works on circuit boards. A great resource for this is Big Clive on YouTube [1] who reverse engineers many circuits on his channel.
Tinkering around with hardware at a lower level will also reward you with a lot of knowledge. For example just working with an ESP32 and some off-the-shelf sensors will help you get a feeling for how these things work. See if you can communicate with other systems as well this way. Try to do as much as possible using jumper wires and breadboards rather than premade cables, so you get to know how it works. Also get a multimeter (one that beeps) and get comfortable using it. If you're unsure which multimeter to get, Big Clive has a pretty good video about that.
One thing I recommend getting is a logic analyzer. You don't need to go for an expensive Saleae (you can find pretty cheap clones on your regular Chinese webshops for example). Then just use it to investigate things that you already have access to. Attach it to a UART port where you know data is sent over and see if you can obtain that using the logic analyzer.
Then you can probably step over to investigating things you don't know. Just figure out with a multimeter what the voltages are and see if maybe data is sent over the line.
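To see what a logic analyzer actually recovers from a UART line, here is an added example (not from the comment above) that decodes a digital sample trace into bytes. It assumes the standard 8N1 framing (idle high, one low start bit, eight data bits LSB first, one high stop bit) and builds its own constructed trace to decode; a real capture would come from the analyzer's exported samples.

```python
def samples_per_bit_for(sample_rate_hz: int, baud: int) -> int:
    """How many analyzer samples cover one UART bit at this sample rate."""
    return sample_rate_hz // baud


def uart_encode(data: bytes, samples_per_bit: int) -> list:
    """Constructed 8N1 line trace (idle high) used as test input for the decoder."""
    trace = [1] * (2 * samples_per_bit)  # idle before the first frame
    for byte in data:
        # start bit (0), eight data bits LSB first, stop bit (1)
        frame = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for level in frame:
            trace.extend([level] * samples_per_bit)
    trace.extend([1] * (2 * samples_per_bit))  # idle after the last frame
    return trace


def uart_decode(samples, samples_per_bit: int):
    """Decode an 8N1 trace; returns (decoded bytes, number of framing errors).

    Each bit is read at its midpoint, which is what makes the decoder tolerant
    of slight timing drift in a real capture.
    """
    data = bytearray()
    framing_errors = 0
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:          # line idle, keep scanning for a falling edge
            i += 1
            continue
        start = i
        mid = start + samples_per_bit // 2
        if mid >= n or samples[mid] != 0:
            i += 1                   # a low glitch shorter than half a bit: not a start bit
            continue
        value = 0
        for bit in range(8):
            pos = mid + (bit + 1) * samples_per_bit
            if pos >= n:             # trace ends mid-frame
                return bytes(data), framing_errors
            value |= samples[pos] << bit
        stop = mid + 9 * samples_per_bit
        if stop < n and samples[stop] == 1:
            data.append(value)
        else:
            framing_errors += 1      # stop bit not high: wrong baud rate or noise
        i = start + 10 * samples_per_bit  # skip to where the next frame may begin
    return bytes(data), framing_errors


if __name__ == "__main__":
    spb = samples_per_bit_for(1_000_000, 115200)   # 1 MS/s capture of a 115200 baud line
    trace = uart_encode(b"boot ok\r\n", spb)
    decoded, errors = uart_decode(trace, spb)
    print(decoded, "framing errors:", errors)
```

If the decoder reports mostly framing errors, the guessed baud rate is wrong; measuring the shortest low pulse in the trace with the analyzer gives the real bit time.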
Due to everything in a URL before the @ being interpreted as a username for basic authentication, this would result in the user navigating to https://example-project-v1.zip instead of to github.
Edit: Fortunately it seems like browsers have caught on to this trick
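An added example (not part of the comment above) showing how to check what host a URL actually resolves to before trusting how it reads. The sample URLs are constructed; the first mimics the trick described, where the text before the `@` is parsed as userinfo and the real host is the part after it.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for this example (not from the original thread).
SAMPLE_URLS = [
    "https://github.com@example-project-v1.zip/release",   # looks like GitHub, is not
    "https://github.com/org/repo/archive/v1.zip",          # '@'-free, host is GitHub
    "https://user:secret@api.example.test/v1",             # ordinary basic-auth URL
]


def effective_host(url: str) -> str:
    """Host the browser would connect to, ignoring any userinfo before '@'."""
    return urlsplit(url).hostname or ""


def analyze_url(url: str) -> dict:
    """Break a URL into the fields that matter when judging where it really goes."""
    parts = urlsplit(url)
    userinfo = parts.username
    if parts.password is not None:
        userinfo = f"{parts.username}:<redacted>"   # never echo credentials into logs
    host = parts.hostname or ""
    return {
        "url": url,
        "host": host,
        "userinfo": userinfo,
        "has_userinfo": userinfo is not None,
        # userinfo that looks like a domain name is the tell-tale of the decoy pattern
        "userinfo_looks_like_host": "." in (parts.username or ""),
        "host_is_zip": host.endswith(".zip"),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = analyze_url(u)
        print(f"{u}\n  -> connects to {info['host']!r}, "
              f"decoy-style userinfo: {info['userinfo_looks_like_host']}")
```

Note that only an `@` inside the authority part counts: the second URL has `.zip` in its path, so `urlsplit` leaves the host as `github.com`.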
Usually that CFO doesn't have admin privileges. However, the exe he ran could very easily make use of a privilege escalation exploit on a service that does run with admin privileges: an exploit that is a buffer overflow, or otherwise one that is possible due to memory safety issues.
Or that exe tries to connect to other services in the network to exploit a buffer overflow on another system. An example of such an exploit was EternalBlue.
So yes, you're probably right that from a purely external perspective, attackers are unlikely to gain initial access using exploits targeting memory safety. However, once they are in, there are all sorts of memory safety bugs that could be used.
As a pentester that did exactly this in many corporate networks: this is extremely effective. Just announce with a router advertisement that there is a DHCPv6 server and start handing out link-local IPv6 addresses while you specify your own system as DNS server.
Clients (both Windows and Linux) will prefer the DNS server specified through IPv6 over the one from IPv4. Then you can spoof any DNS record and capture juicy NTLM hashes flying through the network or relay their authentication and get a free authenticated connection.
This is most effective in networks that were designed for only IPv4 and didn't consider IPv6 at all. But it is also effective in some networks that do use IPv6.
Mitigations? Either disable the IPv6 stack on all systems, or configure your switches to block the router advertisements and not allow DHCPv6 traffic to the wrong systems.
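As an added example on the detection side (not from the comment above, and not a tool the commenter describes), the script below runs a rogue-RA / rogue-DHCPv6 check over a constructed summary of captured events. The allowlists, the event format and the addresses are all assumptions for the example; in practice the events would come from a monitor such as a span-port capture of ICMPv6 and DHCPv6 traffic on a segment designed for IPv4 only.

```python
import re

# Assumed allowlists for this example (not from the original comment).
APPROVED_ROUTERS = {"fe80::1"}        # link-local address of the real gateway
APPROVED_DNS = {"2001:db8::53"}       # the resolver the network actually operates
NETWORK_USES_DHCPV6 = False           # IPv4-designed segment: no DHCPv6 expected

# Constructed capture summary, one event per line (not real traffic).
# "flags=M" means the RA set the Managed flag, i.e. "get your config via DHCPv6".
SAMPLE_EVENTS = """\
RA src=fe80::1 flags=-
RA src=fe80::a1b2:c3d4 flags=M
DHCPv6 ADVERTISE src=fe80::a1b2:c3d4 dns=fe80::a1b2:c3d4
DHCPv6 ADVERTISE src=fe80::1 dns=2001:db8::53
"""

RA_RE = re.compile(r"^RA src=(\S+) flags=(\S+)$")
DHCPV6_RE = re.compile(r"^DHCPv6 ADVERTISE src=(\S+) dns=(\S+)$")


def analyze_events(text: str) -> list:
    """Return (alert_kind, offending_value) tuples for suspicious IPv6 events."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RA_RE.match(line)
        if m:
            src, flags = m.groups()
            if src not in APPROVED_ROUTERS:
                # any RA not from the real gateway is a candidate rogue router
                alerts.append(("rogue_router_advertisement", src))
            if "M" in flags and not NETWORK_USES_DHCPV6:
                # a Managed flag on a segment without DHCPv6 is the lure described above
                alerts.append(("unexpected_dhcpv6_managed_flag", src))
            continue
        m = DHCPV6_RE.match(line)
        if m:
            src, dns = m.groups()
            if dns not in APPROVED_DNS:
                # a DNS server handed out over IPv6 that nobody provisioned
                alerts.append(("unapproved_ipv6_dns_server", dns))
            continue
        alerts.append(("unparsed_event", line))  # never silently drop unknown input
    return alerts


if __name__ == "__main__":
    for kind, value in analyze_events(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {value}")
```

The monitoring complements, rather than replaces, the switch-side controls the comment mentions: blocking router advertisements and DHCPv6 replies on access ports stops the handout, while a detector like this tells you when someone tried.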
FWIW, I'm typing this on my framework right now, and I'm in Europe (Netherlands). So it is available in parts of Europe. Don't remember them promising delivery in all of Europe though?