Windows is so fucking weird
Make a new folder and call it [whatever you want].{437ff9c0-a07f-4fa0-af80-84b6c6440a16} and open it
Windows Explorer ribbon controls as files in explorer
They even work if you click on them
| Website | https://samurailink3.com |
| Podcast | https://www.shortexplanations.com/ |
| Gaming Group | https://72pinconnector.com/ |
Here is my thesis on Security:
The diligent and reliable existence of locks matters a lot more than their strength.
In trying to find how often lockpicking is a factor in burglaries, a huge number/majority of thefts were from behind no locks at all. Lockpicking is almost nonexistent.
Thieves simply try doors for being left open. Or just break a window.
This matched with my experience in Enterprise Security.
Penetrators got in through poking for trivial misconfiguration and lack of protection, not novel trespass.
They had millions of targets with a small % of success and won.
So I ask, why aren't we focusing on high assurance?
Because assurance is hard. It is not fun. It is not flashy. It fails silently. It supposes diligent attention.
Remediation is by definition beyond self-correction. The percentage of failures meets 85% SLA, even though it fails every month for three years.
Catastrophe is demure.
The modern Enterprise endpoint is almost always a massive distribution of responsibility. And in that denial of culpability, nobody is responsible for success.
The completeness of maintenance. The completeness of security configuration. The completeness of the agents that assure it.
It is the perfect failure.
Nobody owns actual success, just blame.

The best printer to buy is the one that works without you needing to think about it or subscribe to some nonsense ink refill thing. For most people, that’s the Brother HL-L2305W or something like the MFC-L2750DW that adds a scanner.
Hey everyone,
We run an introductory security podcast called Short Explanations. The goal is to explain security topics simply and easily, so the average person can make themselves more secure.
We like to keep things short and to the point.
We are: @chaimtime and @samurailink3
Find us:
https://www.shortexplanations.com
ONE BAD PASSWORD
He spent 24 years building his business. One bad password and a ransomware attack blew it to smithereens.
Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down?
Finnegan quickly searched out a computer to remotely examine his site, which provides access to millions of documents filed with the Securities and Exchange Commission.
There he discovered a disaster unfolding in front of his eyes in real time. Hackers had breached his site’s security and taken over. He watched helplessly as they encrypted all his files, placing them beyond reach.
How could this happen?
24 years ago, when Finnegan originally set up his business website, SEC Info, he gave himself administrative privileges so he could manage the system, and protected his access with a password. The password he used, however, was the same as the password he was using for his Yahoo email account.
That password was probably stolen in a massive hack in 2013 that also compromised the names, email addresses, phone numbers, birth dates and security questions and answers of 3 billion Yahoo account holders.
At the time, Yahoo advised its users to change the passwords on their Yahoo accounts, but Finnegan had long since forgotten that he had also used it as his administrative password.
“Had I remembered that I was using a password from 24 years ago,” he says, “I certainly would have changed it.”
As he later discovered, beginning on June 26 his hackers pinged his system 2.5 million times before they finally hit on the right password. He says the firewall logs established that the hacking originated in Russia.
The hackers were able to encrypt everything on his servers — not only the database of documents but also Finnegan’s email system and even his list of users and their contact information.
That means that once SEC Info is back in operation, he won’t be able to proactively inform his customers what happened — he’ll have to wait for them to get in touch with him — all 500,000 of them.
“I have to re-create everything, and that takes time. I hope it’s not more than a month, but there’s no way of knowing right now.”
How can you benefit from the unfortunate experience of Fran Finnegan?
Use a Modern Password on every online account.
A Modern Password is *different for every site.* It's composed of 14 or more characters: upper-case, lower-case, numbers and special characters. No dictionary words and nothing that is specific to you, the website or the industry the website is associated with. No sports team names, no family or pet names, no birthdays or anniversaries — basically nothing specific about you or your interests.
If the bad guys find and analyze one of your passwords, they shouldn't find anything that relates to you. Absolutely nothing personal — not a hint of you, not even a whiff of you.
Like a deserted ghost town in an old spaghetti western . . . nothing but tumbleweeds blowing in the wind.
All the bad guys should see is a random string of letters, numbers and special characters. A password manager makes creating and using these kinds of passwords *extremely* easy.
Make it tougher for the bad guys to cause havoc in your life or business.
You deserve to keep what you’ve earned.
https://www.latimes.com/business/story/2021-07-09/a-ransomware-attack-destroys-a-thriving-business
#Infosec
#Cybersecurity
#Passwords
#PasswordManagers
#ComplexPasswords
#SpecialCharactersInPasswords
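
An added example, not part of the original post: one way to generate a password that meets the post's "Modern Password" rules and to audit a set of stored passwords against them, including the reuse across accounts that the story turns on. The function names, the sample vault and the personal-term list are assumptions made for illustration.

```python
import secrets
import string

CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_LEN = 14  # minimum length given in the post


def has_all_classes(pw):
    """True when pw has upper-case, lower-case, digit and special characters."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate(length=16):
    """Random password drawn with a CSPRNG, containing every character class."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    alphabet = "".join(CLASSES)
    while True:  # redraw until all four classes are present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def audit(vault, personal_terms=(), wordlist=()):
    """Return {site: [problems]} for a {site: password} mapping."""
    sites_by_pw = {}
    for site, pw in vault.items():
        sites_by_pw.setdefault(pw, []).append(site)
    report = {}
    for site, pw in vault.items():
        problems = []
        if len(pw) < MIN_LEN:
            problems.append("too short")
        if not has_all_classes(pw):
            problems.append("missing character class")
        lowered = pw.lower()
        if any(t.lower() in lowered for t in personal_terms):
            problems.append("contains personal term")
        if any(w.lower() in lowered for w in wordlist):
            problems.append("contains dictionary word")
        others = sorted(s for s in sites_by_pw[pw] if s != site)
        if others:
            problems.append("reused on: " + ", ".join(others))
        if problems:
            report[site] = problems
    return report


# Constructed sample vault: the admin login reuses the webmail password.
SAMPLE = {"webmail": "Rex2013!", "site-admin": "Rex2013!"}
```
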