There is a very high quality video about how a Solar Gravitational Lens could be used to map exoplanets, with full explanations of the image reconstruction and the engineering challenges: https://youtu.be/NQFqDKRAROI
I've been aware of gravitational lensing before but this is the first time I've heard of it being used to resolve exoplanets.
This is super exciting and needs to be made a higher priority than it is considering our only other way around this is to build gigantic telescopes far beyond our current capabilities.
At the moment, IMHO, the major issue comes from the fact that people use only the Base Score of CVSS 3.1, as issued by the NVD.
Indeed, if you also take the Temporal Score (with CTI feeds, for example), and if you add the Environmental Score, then you can get very good results to help prioritize the vulnerabilities on your assets and reflect the real threat.
I would also like, however, to see CVSS 4 with a "cost to patch" component: in OT environments, CISOs like to use SSVC because it’s the easiest way to say "wait" instead of "patch now". But since SSVC is not really recognized by all auditors, it generates conflicts.
Bringing a component into CVSS to reflect the cost of remediation on very complex devices, where deploying a KB requires stopping a full factory, could help get the same result (aka "don’t patch now and wait") but with a more respected scoring system.
From my perspective, that’s the only missing component for a good CVSS system :).
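The point about Base Score alone, as an added example that is not part of the original comment: the CVSS v3.1 Temporal Score computed from a Base Score with the Exploit Code Maturity, Remediation Level and Report Confidence values from the v3.1 specification, applied to three constructed findings that share the same Base Score. The finding identifiers and metric values are made up for the demonstration.

```powershell
# Added example, not from the original comment: CVSS v3.1 Temporal Score from a Base Score,
# using the metric values of the v3.1 specification, to show how findings with the same
# NVD Base Score rank differently once CTI-derived temporal metrics are applied.
function Get-Cvss31TemporalScore {
    param(
        [Parameter(Mandatory)][double]$BaseScore,
        [ValidateSet('X', 'H', 'F', 'P', 'U')][string]$ExploitCodeMaturity = 'X',  # X=Not Defined, H=High, F=Functional, P=Proof-of-Concept, U=Unproven
        [ValidateSet('X', 'U', 'W', 'T', 'O')][string]$RemediationLevel = 'X',     # X=Not Defined, U=Unavailable, W=Workaround, T=Temporary Fix, O=Official Fix
        [ValidateSet('X', 'C', 'R', 'U')][string]$ReportConfidence = 'X'           # X=Not Defined, C=Confirmed, R=Reasonable, U=Unknown
    )
    $e  = @{ X = 1.0; H = 1.0; F = 0.97; P = 0.94; U = 0.91 }[$ExploitCodeMaturity]
    $rl = @{ X = 1.0; U = 1.0; W = 0.97; T = 0.96; O = 0.95 }[$RemediationLevel]
    $rc = @{ X = 1.0; C = 1.0; R = 0.96; U = 0.92 }[$ReportConfidence]
    # Roundup() as defined in CVSS v3.1 Appendix A: integer arithmetic avoids floating-point artefacts
    $i = [math]::Round($BaseScore * $e * $rl * $rc * 100000)
    if ($i % 10000 -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

# Constructed sample (hypothetical ids): same Base Score, different temporal context
$findings = @(
    [pscustomobject]@{ Id = 'VULN-A'; Base = 9.8; ECM = 'F'; RL = 'O'; RC = 'C' }  # working exploit, vendor fix available
    [pscustomobject]@{ Id = 'VULN-B'; Base = 9.8; ECM = 'U'; RL = 'O'; RC = 'R' }  # no known exploit, fix available
    [pscustomobject]@{ Id = 'VULN-C'; Base = 9.8; ECM = 'H'; RL = 'U'; RC = 'C' }  # weaponized, no fix yet
)
$findings |
    Select-Object Id, Base, @{ n = 'Temporal'; e = { Get-Cvss31TemporalScore -BaseScore $_.Base -ExploitCodeMaturity $_.ECM -RemediationLevel $_.RL -ReportConfidence $_.RC } } |
    Sort-Object Temporal -Descending |
    Format-Table -AutoSize
```

The Environmental Score needs the full base metric vector and the asset's CIA requirements, so it is left out here; the temporal adjustment alone already separates findings that the Base Score treats as identical.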
> I would also like, however, to see CVSS 4 with a "cost to patch" component: in OT environments, CISOs like to use SSVC because it’s the easiest way to say "wait" instead of "patch now". But since SSVC is not really recognized by all auditors, it generates conflicts. Bringing a component into CVSS to reflect the cost of remediation on very complex devices, where deploying a KB requires stopping a full factory, could help get the same result (aka "don’t patch now and wait") but with a more respected scoring system.
The issue with this is that the people who are best suited to score an issue from the reporting perspective won't necessarily have any idea what the cost to patch something actually is. This is why CVSS shouldn't be used as a be-all-and-end-all metric for anything -- there are a lot of factors that don't relate to the vulnerability's relative severity that it does not account for.
Not really a new idea... a group called kPoint was doing something like this years ago but I am sure it is easier today.
> kPoint scans every frame of every video so well that users can search through every spoken word or important text on screen to find precise points where a phrase was said or shown
Some Windows configurations have bad permissions on their SAM database.
If a standard user has access to shadow copies (VSS), this can lead to privilege escalation.
Microsoft recommends [1]:
1) Restrict access to the contents of %windir%\system32\config:
- Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
- Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
2) Delete Volume Shadow Copy Service (VSS) shadow copies:
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
--
Also, please note that some authorities seem to address this subject carefully. The French national cybersecurity agency (ANSSI) has for instance published a News bulletin [2] but no "real" Security bulletin for this vulnerability [3].
In its News bulletin, the ANSSI specifies that it also affects Windows Vista RTM :).
However, the ANSSI also says that deleting VSS entries (step 2 of Microsoft recommendations) "must be decided after evaluating the advantages and disadvantages with regard to the risks, in particular because there may be other possibilities for privilege escalation depending on the level of security of your information system."
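An audit script for the two conditions the comment above describes (hive files readable by standard users, and shadow copies that expose them), added here and not part of the original comment or of Microsoft's guidance. It assumes an elevated PowerShell session on the host being checked, reports only, and prints the workaround commands quoted above rather than applying them.

```powershell
# Added example, not from the original comment: audit whether standard users can read the
# registry hives in %windir%\system32\config and whether shadow copies exist that would
# expose a readable snapshot of them. Run elevated; it changes nothing.
function Test-HiveExposure {
    $hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $env:windir "system32\config\$_" }
    $findings = foreach ($hive in $hives) {
        # Get-Acl reads the security descriptor, which works even though the hive file itself is locked
        foreach ($ace in (Get-Acl -Path $hive).Access) {
            # Compare SIDs, not names: group names are localized (BUILTIN\Users is "Utilisateurs" on French Windows)
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $weakPrincipal = $sid -in @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0')   # Users, Authenticated Users, Everyone
            $canRead = ([int]$ace.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $weakPrincipal -and $canRead) {
                [pscustomobject]@{ Hive = $hive; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
    # Shadow copies are what make the weak ACL usable: they hold a readable copy of the locked hives
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        WeakAces     = @($findings)
        ShadowCopies = $shadows.Count
        AtRisk       = (@($findings).Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

$result = Test-HiveExposure
$result.WeakAces | Format-Table -AutoSize
if ($result.AtRisk) {
    Write-Warning "Standard users can read hive files and $($result.ShadowCopies) shadow copies exist."
    Write-Host "Microsoft's workaround: icacls $env:windir\system32\config\*.* /inheritance:e, then delete existing shadow copies and create a fresh restore point."
} elseif ($result.WeakAces.Count -gt 0) {
    Write-Warning "Hive ACLs are weak but no shadow copies were found; fix the ACL before any new restore point is created."
} else {
    Write-Host "Hive ACLs do not grant read access to standard users."
}
```

Whether to delete the shadow copies is the trade-off the ANSSI bulletin raises; the script separates the ACL finding from the shadow-copy count so that decision can be taken with both facts in hand.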
Unity also has a lot of potential in the cybersecurity industry, for people who want to train themselves on industrial systems.
The only thing that makes industrial cybersecurity really hard for students is the industrial systems laboratory requirement.
With Unity, some people are trying to build completely virtual pentest labs on industrial systems, such as GRFICS (https://github.com/Fortiphyd/GRFICSv2).
Great app, I just bought it and I will try it on the next WebEx conference calls :).
Some remarks:
- the "Highlight cursor at app launch" has a "Start sdf sdfsdf" tooltip
- I can not change the keyboard shortcuts (when I click on the button to configure them, nothing happens)
- the default keyboard shortcut "Control + Option + A" presented in the menu does not work on French keyboards and requires pushing "Control + Option + Q" instead, which looks like an AZERTY / QWERTY configuration issue?
Yes, that's correct. Custom shortcuts aren't implemented yet. I will enable them after I add the different drawing shapes. Thanks for bringing this up. This helps me in prioritizing features.
From my understanding, it's a dataviz of Facebook ads linked to politics.
For instance, if you select "Browse per country" and then "France", you can see political ads, with their political party, their content, their settings, etc.
My recipe is AdBlocks + automated updates enabled + firewall enabled + desktop shortcut for web browser + regular antimalware check.
Regarding phishing, I set them up with a GMail account and their filter is quite good against this.
So far, nothing bad has happened; some minor malware was installed through malicious web browser extensions, but no financial damage or identity theft.
From my experience, the password manager is just another issue to solve for this kind of people: it’s another software to use and these users do not like to use software.
As a result, paper is sort of natural for them, and the only way I found to prevent them from writing down their passwords is to make them use passphrases instead of passwords.
They do remember the passphrases they typed in; however, the issue is that some websites still refuse passphrases because they are too long :(.