Everything has been built with Claude, even the bill of materials for the hardware.

The project is open source and now protects my raspberries. You can see a demo here: https://www.reddit.com/r/ClaudeAI/comments/1u03rja/automated...

MITRE ATT&CK is a framework that you can use to see the links between multiple security findings (here vulnerabilities from the CVE database). MITRE ATT&CK represents the path an attacker could use on your information system, aka "KillChain".

CVE2CAPEC is built on an open source repo https://github.com/Galeax/CVE2CAPEC/ with JSON data about CVE, CWE, CAPEC, and MITRE ATTACK Techniques, that you can use for your own projects as well.

Feel free to play with it and to open any issue if your need other features!

Comments URL: https://news.ycombinator.com/item?id=41943661

Points: 2

# Comments: 0

At the moment IMHO the major issue comes from that people use only the Basic Score of the CVSS 3.1, issued by the NVD.

Indeed, if you also take the Temporal Score (with CTI feeds for example), and if you add the Environmental Score, then you can have very good results to help prioritizing the vulnerabilities on your assets and reflect the real threat.

I would also like, however, to see the CVSS4 with a "cost to patch" component: in OT environments, CISO like to use the SSVC because it’s the easiest way to say "wait" instead of "patch now". But since SSVC is not really recognized by all auditors, it generates conflicts. Bringing a component in the CVSS to reflect the cost of remediation on very complex devices, where deploying a KB requires to stop a full factory, could help getting the same results (aka "don’t patch now and wait") but with a more respected scoring system.

From my perspective, that’s the only missing component for a good CVSS system :).

Gitlab::Password.test_default(21) => "123qweQWE!@#000000000"

Comments URL: https://news.ycombinator.com/item?id=30872415

Points: 66

# Comments: 22

I'd like the same for all my photos and videos: that would be so much easier to find specific pictures by keywords

Some Windows configuration have bad permissions on their SAM database. If a standard user has access to shadow copies (VSS), this can lead to privilege escalation.

Microsoft recommends to [1]:

1) Restrict access to the contents of %windir%\system32\config: - Command Prompt (Run as administrator): icacls %windir%\system32\config*.* /inheritance:e - Windows PowerShell (Run as administrator): icacls $env:windir\system32\config*.* /inheritance:e

2) Delete Volume Shadow Copy Service (VSS) shadow copies: - Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config. - Create a new System Restore point (if desired).

--

Also, please note that some authorities seem to adress this subject carefully. The French national cybersecurity agency (ANSSI) has for instance published a News bulletin [2] but no "real" Security bulletin of this vulnerability [3].

In its News bulletin, the ANSSI specifies that it also affects Windows Vista RTM :).

However, the ANSSI also says that deleting VSS entries (step 2 of Microsoft recommendations) "must be decided after evaluating the advantages and disadvantages with regard to the risks, in particular because there may be other possibilities for privilege escalation depending on the level of security of your information system."

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

[2] https://www.cert.ssi.gouv.fr/actualite/CERTFR-2021-ACT-031/

[3] https://www.cert.ssi.gouv.fr/alerte/

The only thing that makes industrial Cybersecurity really hard for students is the industrial systems laboratory requirements.

With Unity, some people are trying to build completely virtual pentest labs on industrial systems, such as GRFICS (https://github.com/Fortiphyd/GRFICSv2).

Some remarks:

- the "Highlight cursor at app launch" has a "Start sdf sdfsdf" tooltip

- I can not change the keyboard shortcuts (when I click on the button to configure them, nothing happens)

- the default keyboard shortcut "Control + Option + A" presented in the menu does not work on French keyboards and requires instead to push "Control + Option + Q", which looks like a AZERTY / QWERTY configuration issue?

For instance, if we select "Browse per country" and then "France", you can see political ads, with their political party, their content, their settings, etc.

On The Shortness of Life, Seneca => An essay about how to handle life and how to see what is really important

On War, Clausewitz => An important essay about strategy and war, politics and management

The Prince, Machiavelli => A little bit cynical but quite realistic about the nature of power in the hands of humans

Thirty-Six Stratagems, multiple authors => A list of strategies that can be used in any situation, whether when winning or losing

Comments URL: https://news.ycombinator.com/item?id=20329682

Points: 1

# Comments: 0

As a result, paper is sort of natural for them, and the only way I found to impeach them from writing down their passwords is to make them use passphrases instead of passwords.

They do remember the passphrases they typed in, however the issue is that some websites still refuse passphrases because they are too long :(.

Regarding phishing, I set them up with a GMail account and their filter is quite good against this.

So far, not anything bad happened, some minor malware were installed through malicious web browser extensions, but no financial damage or identity theft.

You have full details on what these requests look like here: https://www.owasp.org/index.php/Blind_SQL_Injection

Do you have the same issues in the US? If so, do you plan to manage the rent payment as well?

I remember people from different generations walking in the streets, talking and laughing together without knowing each other. Something very rare for Paris :).