

Depending on which version of Sleeping Beauty you’re reading, this isn’t that far off.


Sadly, yes a lot of organizations didn’t get the memo. But this really is the current guidance. In NIST 800-63B Section 5.1.1.2:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
I deal with this sort of thing pretty regularly for the company I work for. We get threat intelligence from several vendors when they see our users show up in “dumps”. Basically, threat actors will package up stolen credentials in a large zip file and make that available (usually via bittorrent) for anyone to download. Security vendors (e.g. Mandiant, which Google bought) download those dumps and search for accounts associated with their customers and send out these warnings when they find one. On the customer side, if the breach was recent we’ll force a password reset and warn the user about the breached password, with a recommendation to change their password on the affected site and also change any passwords which might be similar elsewhere.
Why do we force the password reset, even when it wasn’t the account for our business which was breached?
There are a couple of reasons for this. First off, people still reuse passwords all the fucking time. Maybe this victim didn’t, but we have no good way to validate that. Second, even without direct reuse, folks like to have one main password that they apply slight variations to. They might use “Hunter 42!” at one site and then “Hunter 69*” at another. This isn’t smart, attackers know you do this and they have scripts to check for this. Lastly, if an organization is following the latest NIST guidance, you’re not changing your password on a regular cadence anymore. With that is the expectation that passwords will be rotated when there is a reason to suspect the credentials are compromised. Ya, it’s annoying, but that’s part of the trade-off for not having to rotate passwords every six months: we pull the trigger faster on forced rotations now.
If you get one of these, consider it a good time to think about how you come up with and store passwords. If you are re-using passwords, please turn off your computer/device and don’t come back to the internet until you have thought about what you have done. If you aren’t already using one, please consider a password vault (BitWarden or KeePassXC make great, free choices). These will both help you create strong passwords and also alleviate the need to memorize them. Just create a strong master passphrase for the vault, let it generate the rest of your passwords as unique, long (12+ character) random junk, and stop trying to memorize them (with the exception of your primary email account, that gets a memorized passphrase).
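Added example, not code from the original comment: the two checks behind that kind of forced reset (exact match against a leak, and "slight variation" of a leaked password), done the way a vault's breach lookup does it, with only a hash prefix leaving the client. The leak sample, the stem rule and all function names are constructed for this illustration.

```python
"""Added example (not code from the original post): breached-password and
near-duplicate checks over a constructed leak sample."""
import hashlib
import secrets
import string

# Constructed sample "dump" of plaintext passwords. A real feed indexes
# hundreds of millions of these and searches them for its customers' users.
LEAKED_PASSWORDS = ["Hunter 42!", "password", "123456", "Summer2024!"]


def sha1_upper(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def stem(password):
    """Strip the decoration people vary between sites ("Hunter 42!" vs
    "Hunter 69*") and lowercase what is left, so near-duplicates collide.
    The rule is a constructed one; real products use richer normalisation."""
    return password.lower().rstrip(string.digits + string.punctuation + string.whitespace)


# The feed side keeps only hashes: SHA-1 of each password and of its stem.
LEAKED_HASHES = {sha1_upper(p) for p in LEAKED_PASSWORDS}
LEAKED_STEM_HASHES = {sha1_upper(stem(p)) for p in LEAKED_PASSWORDS if stem(p)}


def range_query(prefix):
    """Stand-in for a k-anonymity range endpoint: the client sends only the
    first 5 hex characters of its SHA-1 and gets every matching suffix back,
    so the password itself is never transmitted."""
    return {h[5:] for h in LEAKED_HASHES if h.startswith(prefix)}


def is_breached(password):
    digest = sha1_upper(password)
    return digest[5:] in range_query(digest[:5])


def shares_leaked_stem(password):
    s = stem(password)
    return bool(s) and sha1_upper(s) in LEAKED_STEM_HASHES


def generate_password(length=20):
    """Vault-style replacement: one CSPRNG draw per character from a
    94-symbol alphabet, so 20 characters is roughly 131 bits of entropy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def triage(password):
    """What the notification logic decides for one candidate password."""
    if is_breached(password):
        return "reset: exact password present in a leak"
    if shares_leaked_stem(password):
        return "reset: variation of a leaked password"
    return "ok"


if __name__ == "__main__":
    for candidate in ("Hunter 42!", "Hunter 69*", "correct horse battery staple"):
        print(f"{candidate!r}: {triage(candidate)}")
    print("vault-generated replacement:", generate_password())
```

The stem check is the defender-side version of the "variation" problem from the comment: "Hunter 69*" never appeared in the sample leak, but its stem "hunter" did, which is enough to justify the reset.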


Ya, I actually run both uBlock Origin and NoScript in my browser on my phone and personal machine (desktop). On my work laptop, those are a no-go. So, I get the full ads experience on my work machine when traveling.


I run Pi-Hole in a docker container on my server. I never saw the point in having a dedicated bit of hardware for it.
That said, I don’t understand how people use the internet without one. The times I have had to travel for work, trying to do anything on the internet reminded me of the bad old days of the '90s with pop-ups and flashing banners enticing me to punch the monkey. It’s just sad to see one of the greatest communications platforms we have ever created reduced to a fire-hose of ads.
Those just invent a new framework every six months, which everyone should totally use, for reasons. Though, maybe that’s just JavaScript.
English is what you get when a community can’t defend its borders and keeps being taken over by new rulers with a different language, which then works its way partly into common usage. Also, random word borrowing, because fuck you it’s ours now.


But if they did have a mutable VDI, they still wouldn’t be allowed to install software.
The actual install isn’t really important for an attacker, just the user making the attempt. The payload will exist beside the software installer and will be launched by the user running some sort of “install” batch file or executable. It won’t install anything, it’ll dump files in places like %TEMP% and add something to the user’s RUN registry entry. It’s also why I mentioned a “laptop”. What the attacker is really after isn’t the Citrix server (that would be nice to pop, but it’s not necessary), it’s the user’s local system. That’s going to provide a beachhead on the network for the attacker to work out from. It will also provide a treasure trove of credentials the attacker can sell or use elsewhere to attack the environment (infostealers don’t need, or even ask for, local admin). Even just being able to sell access to one compromised laptop is a win for the attacker. Access brokers can sell that off to more advanced groups who will come back and try to move out from there.
But wait, we have MFA everywhere! Are you sure, are you really, really sure you don’t have a dev team somewhere who decided to hang something out on a poorly documented corner of the network and they disabled MFA on the device for a test, and then forgot to shut down the test equipment? Because ya, I’ve worked incidents where exactly that happened.


If you set stuff up properly
A lot of heavy lifting going on in those words…
Also, the malware which gets bundled with “free” versions of products usually doesn’t care if the install fails or succeeds, just that the user downloaded the package, unzipped it, and double-clicked on the ever-so-helpful “install.lnk”. Most of the current ransomware and infostealer malware doesn’t need local admin to do its damage. Plenty of Remote Access Toolkits (RATs) will run quite happily in user space. Users can edit their local RUN registry key and/or create scheduled tasks. And there are doubtless Privilege Escalation vulnerabilities sprinkled around the system like fairy dust when it gets to be time to dump the SAM hive or lsass memory space.
Yes, locking down local admin gets you a lot, in terms of security. It’s far from a trump card though. Lots and lots of damage can happen in user land.
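Added example, not code from either comment above: detection logic for the user-land persistence both comments point at (the per-user Run key and what its entries launch), run over a constructed `reg query` listing of HKCU\...\Run. The entry names, paths and the severity rules are constructed for this illustration; the output layout is the shape `reg query` prints.

```python
"""Added example (not from the original comments): audit a user's Run key
listing for autoruns that live in user-writable paths or invoke script hosts."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "name severity reason command")

# Constructed sample in the shape of `reg query HKCU\...\Run` output.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Teams    REG_SZ    "C:\Program Files\Microsoft Teams\Teams.exe"
    Office Helper    REG_EXPAND_SZ    %TEMP%\office_free\install.exe /silent
    Updater    REG_SZ    wscript.exe //B "C:\Users\alice\Downloads\update.vbs"
"""

# name, two-or-more spaces, REG_* type, two-or-more spaces, data
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")

# Interpreters that are legitimate binaries but rarely belong in a user's autoruns.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
TEMP_MARKERS = ("%temp%", "%tmp%", r"\appdata\local\temp" + "\\")
USER_WRITABLE = (r"\appdata" + "\\", r"\downloads" + "\\", r"\users\public" + "\\",
                 r"\programdata" + "\\", "%appdata%", "%localappdata%", "%userprofile%")


def executable_of(command):
    """The program an autorun command starts: the first quoted string, or the
    first whitespace-delimited token when the path is unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def classify(name, command):
    exe = executable_of(command)
    low = exe.lower()
    basename = low.replace("/", "\\").rsplit("\\", 1)[-1]
    if basename in SCRIPT_HOSTS:
        return Finding(name, "high", "script/command host launched at logon", command)
    if any(m in low for m in TEMP_MARKERS):
        return Finding(name, "high", "executable lives in a temp directory", command)
    if any(m in low for m in USER_WRITABLE):
        # Plenty of real software (OneDrive, Teams installers) lives here too,
        # so this is a review item rather than an alert on its own.
        return Finding(name, "medium", "executable in a user-writable location", command)
    return Finding(name, "info", "executable in a protected program directory", command)


def audit_run_key(text):
    """Parse a `reg query` listing and classify every value under it."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            findings.append(classify(m.group("name"), m.group("data")))
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_RUN_KEY):
        print(f"[{f.severity:6}] {f.name}: {f.reason}  <- {f.command}")
```

The same classifier applies to the other user-land spot the comment names, scheduled tasks: pull each task's action (for instance from `schtasks /query /fo csv /v` or the task XML) and feed the command string through `classify` unchanged.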


Not to worry, they will just go to some sketchy website and download a “free” version of Office and then act all surprised pikachu when Security rolls up to take their laptop.


Ya, he’s not gonna be found “safe”. The last few nights have been well below freezing in much of Virginia. With a gun and a lack of cold weather gear, there aren’t a lot of safe outcomes available. Though I’d guess he hasn’t noticed the drop in temperature.


While this patch might stop some existing attacks, it’s not really a fix. First off, the type of people who might install a third party Windows patch are probably the exact same people who would be cautious about clicking on an LNK file embedded in a ZIP file. Second, even if this patch somehow became widespread, attackers would just shift their attacks into the 260 character limit. Sure, it would now be visible in the properties, but people aren’t looking at the properties of LNK files.
The problem is this “vulnerability” is essentially “as designed”. LNK files exist to allow both pointers to other files and a quick way to run complex commands. It’s like calling powershell.exe a vulnerability, because it can be used to get up to all sorts of malicious stuff. Both are powerful tools on Windows, but those tools can be abused.
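Added example, not code from the original comment: a small shell-link parser that pulls the command-line arguments out of an .lnk and reports when they run past what the shortcut's Properties dialog displays, plus whether the target is a command or script host. The header layout, flag bits and string order follow the documented MS-SHLLINK format; the two sample files are constructed inside the script, and the 260-character display limit, the script-host list and the triage rules are my own choices for the illustration.

```python
"""Added example: parse an .lnk file's StringData and flag what a user would
never see in the Properties dialog. The LNK bytes below are constructed here."""
import struct

# LinkFlags bits from the MS-SHLLINK header (only the ones this parser needs)
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7
PROPERTIES_LIMIT = 260   # characters of "Target" the shell dialog shows (assumed)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}   # my own list


def parse_lnk(data):
    """Read the fixed 76-byte header, skip the optional IDList/LinkInfo
    blocks and decode the StringData fields in their documented order."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_IDLIST:            # IDListSize (2 bytes) then the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:          # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    link = {"flags": flags, "show_command": show_command}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        link[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return link


def triage(link):
    """Reasons a defender would pull this shortcut for a closer look."""
    reasons = []
    target = link.get("relative_path", "")
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in SCRIPT_HOSTS:
        reasons.append("target is a command/script host: " + base)
    args = link.get("arguments", "")
    if len(args) > PROPERTIES_LIMIT:
        reasons.append("arguments run to %d characters, past the ~%d the Properties dialog shows"
                       % (len(args), PROPERTIES_LIMIT))
    if any(ord(c) < 32 for c in args):
        reasons.append("arguments contain control characters")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window is set to open minimized")
    return reasons


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed sample builder: header, a one-item IDList, RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS in UTF-16LE. Exists only to feed the parser above."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    idlist = struct.pack("<H", 4) + b"\x00\x00" + b"\x00\x00"   # one ItemID + TerminalID
    idlist = struct.pack("<H", len(idlist)) + idlist

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + idlist + string_data(relative_path) + string_data(arguments)


# Constructed samples: an ordinary document shortcut, and one whose harmless
# but long argument string would be cut off in the Properties dialog.
BENIGN_LNK = build_lnk(r".\docs\readme.txt", "")
LONG_ARGS = "-NoProfile -Command " + "Write-Host 'constructed sample'; " * 12
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    LONG_ARGS, show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        link = parse_lnk(blob)
        print(label, link.get("relative_path"), triage(link) or "nothing flagged")
```

This is the point of the comment in code: the parser sees the whole argument string because the file format carries it, while a user looking at Properties sees only the first part of it. Mail and download gateways that unpack ZIPs can run exactly this check on every .lnk before it reaches a desktop.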


First off, why does a beer company have personal data on customers? It seems like the best protection for this data would be, don’t have it in the first place. You sell beer, you don’t need to hoover up personal data on people to make and sell beer.
“That reflects a wider truth that companies are investing more than ever in digital defences, yet adversaries continue to outpace them, exploiting weak links in supply chains or breaking in through trusted partners,” he (Shankar Haridas, head of UK and Ireland at ManageEngine) added.
Ya, they are spending money, but failing at basic cyber hygiene (read: documentation, patching and network segmentation). But hey, Mr. ManageEngine here will be happy to sell us another product which just papers over the failures to get the basics done. And it will almost certainly have “Agentic AI” to do…something.
The compromise seems to have started with network equipment at one site, impacting the OT environment and potentially expanding into IT systems
I’d bet a lot of money the Asahi security team had been screaming about the OT environment being a big, juicy target for a long time. But, applying security controls in the OT environment is hard and scary and might cause a blip in production. So nope, all those shit-boxes running Windows XP must never be touched. Also, NDR is expensive and hard, so stop asking about it. But yes, those same shit-boxes really do need to be fully internet connected and logged on 24x7 as a local admin, with the same password everywhere, because identity management is hard.
We seriously need to start dragging CTOs, CIOs and CEOs out into the street, tarring and feathering them when this shit happens. Also, the companies making the OT systems need to have their entire management put through a chipper shredder the first time one of them suggests that their systems just shouldn’t be patched. If your shit is so fragile that an OS patch might break something, chipper shredder goes BRRRR…
Sorry, OT systems are a bit of a pain point.


The Felon in Chief can bluster all he likes. When people don’t have the money to spend, they ain’t gonna spend it.
This is also why the Trump administration is considering helicopter money checks. These types of hand-outs can give people a sense of having money. The problem is that it ultimately drives inflation. We saw this with the stimulus checks during the pandemic. Arguably, something was needed then to support people during an actual emergency. But part of the inflation problems we have now can be traced back to those checks.
“Tariff” checks may give a short boost to holiday buying. But the long term damage is not going to be worth it to anyone but Trump. And that assumes the short term benefits last through the 2026 midterms.


Ya, AI as a tool has its place. I’m currently working on documentation to meet some security compliance frameworks (I work in cybersecurity). Said documentation is going to be made to look pretty and get a check in the box from the auditors. It will then be stored in a SharePoint library to be promptly lost and ignored until the next time we need to hand it over to the auditors. It’s paperwork for the sake of paperwork. And I’m going to have AI spit out most of it and just pepper in the important details and iron out the AI hallucinations. Even with the work of fixing the AI’s work, it will still take less time than making up all the bullshit on my own. This is what AI is good for. If I actually care about the results, and certainly if I care about accuracy, AI won’t be leaned on all that much.
The technology actually is pretty amazing, when you stop and think about it. But it is also often a solution in search of a problem.


Coming soon:
Assassin’s Creed: Long March
Which, might not be the worst game ever. The politics of it would be interesting though.
Black Friday specials are never on the products you actually want, they are on products the business either wants to clear out or are specifically sourced for the sale. Once you’re in the store, you’ll see the products which they actually want you to buy and for which the prices are either not marked down or are actually marked up. It’s all just a scam to separate you from your money.


This is great, but the Senate seats up for election in 2026 make the Democrats winning a majority really, really tough. The current Senate is 53 Republicans, 43 Democrats and 2 Independents who caucus with Democrats. This means that the Democrats need to net +4 seats to gain control of the Senate. Sure, it’s possible but the map doesn’t look good.
For example, the Democrats’ best pickup opportunity is likely Susan Collins’s seat in Maine. Despite Maine leaning Democrat in statewide elections, this is a rodeo Collins knows very, very well. Democrats have been trying to knock her off for several cycles and yet she’s still here. Maybe this will be the year. But, if this is the best opportunity for Democrats, we aren’t off to a good start.
North Carolina is an open seat, which helps some. But, the State has consistently voted Republican in Statewide elections (and went for Trump by ~3 points in 2024). A large enough blue wave could overcome that, but it’s already an uphill battle. And things only get worse from here.
Next up is Ohio, which Trump won by ~11 points. We aren’t talking super-hard MAGA land there, but Democrat friendly, it ain’t. This is the state which gave us Vice President JD Vance as a Senator. The election here is for the remainder of Vance’s term. Hope may spring eternal, but there is a really sketchy looking reality hiding around the next corner with a sock full of pennies.
That takes us on to Iowa. This state was Trump +13 in 2024. Sure, some farmers may be pissed off about the tariffs, but enough to put a Democrat in the Senate? This seems to fall into the “time to put the bong down and reconnect with reality” territory. I mean, it’s always possible. With a really well calibrated Democratic candidate, the GOP picking a really flawed candidate and really poor economic conditions, maybe. But I wouldn’t be betting the farm on Democrats picking this one up.
And then we need to consider defense. Jon Ossoff is up for re-election in Georgia. Georgia went for Trump by ~2 points. Not a large margin, but enough that Ossoff isn’t a shoo-in. And Michigan (Trump +1) is an open seat election. The previous Senator (Gary Peters) was a Democrat, so there is certainly hope, but again this isn’t a certain thing. If either of those seats is lost, Democrats are then looking at Texas (Trump +14. Also, it’s fucking Texas).
I’m all for a Democratic Congress. But their chances in the Senate look pretty bleak.
This strategy really depends on their ability to bribe President Trump for a pardon.