Hacker News: jeffmcjunkin

New comment by jeffmcjunkin in "Project Glasswing: Securing critical software for the AI era"

jeffmcjunkin — Tue, 07 Apr 2026 22:49:55 +0000

Can confirm.

Google releases Gemma 4 open models

jeffmcjunkin — Thu, 02 Apr 2026 16:10:54 +0000

Article URL: https://deepmind.google/models/gemma/gemma-4/

Comments URL: https://news.ycombinator.com/item?id=47616361

Points: 1810

# Comments: 473

New comment by jeffmcjunkin in "Kerberoasting"

jeffmcjunkin — Wed, 10 Sep 2025 23:09:32 +0000

I absolutely agree that Microsoft could do better, but they are making progress in removing support entirely for broken (from a security perspective) older protocols such as NTLMv1 (which uses DES as well: more here -- https://bit.ly/crackingntlmv1) and SMB1.

The financial incentives drive Microsoft to support every possible (mis)configuration, forever. It's the tireless work of a few folk at Microsoft like Ned Pyle, Steve Syfus, and Mark Morowczynski that have landed the changes so far.

There could absolutely be a "security check" tool deployed by default with Server 2025 or similar that looks for Kerberoastable user accounts (any account with a ServicePrincipalName is technically Kerberoastable, like computer accounts), AS-REP roastable accounts, weak encryption types, etc. That would probably get more traction than changing defaults out of the box for everyone, as that's another way to phrase "breaking customer environments when they upgrade".

New comment by jeffmcjunkin in "Kerberoasting"

jeffmcjunkin — Wed, 10 Sep 2025 23:00:35 +0000

The RC4 encryption type correlates to the DES hash (more commonly the "NT" hash), so PingCastle has the right warning.

New comment by jeffmcjunkin in "I bought the cheapest EV, a used Nissan Leaf"

jeffmcjunkin — Fri, 05 Sep 2025 23:19:07 +0000

KeySavvy is the normal workaround for this. $99 extra cost to both sides for them to handle the title verification and shipping, and to act as the dealer to make it qualify for EV credits.

New comment by jeffmcjunkin in "Introducing Gemma 3n"

jeffmcjunkin — Fri, 27 Jun 2025 04:29:19 +0000

Thank you, this was affecting me too.

New comment by jeffmcjunkin in "CLP Calculus Textbooks"

jeffmcjunkin — Sat, 12 Apr 2025 20:01:22 +0000

From https://personal.math.ubc.ca/~CLP/about/ :

> For various reasons we have christened these notes “CLP” - none of those reasons can be found [here](https://en.m.wikipedia.org/wiki/CLP)

Presumably it's an inside joke or something.

New comment by jeffmcjunkin in "Colorado scrambles to change voting-system passwords after accidental leak"

jeffmcjunkin — Sat, 02 Nov 2024 22:40:48 +0000

Recently, yes :)

https://www.cnn.com/2023/08/06/us/oregon-drivers-pump-own-fu...

New comment by jeffmcjunkin in "What I've Learned in the Past Year Spent Building an AI Video Editor"

jeffmcjunkin — Tue, 24 Sep 2024 17:37:26 +0000

We don't advance as a society unless people ask new questions. Having folk willing to spend some time answering those questions (in public, no less!) helps others. It's really, really damn hard to predict how advancements in one area can help another.

All that said, thanks for your interesting new question, and thanks for spending time on it :D

New comment by jeffmcjunkin in "Ping Ff02:1"

jeffmcjunkin — Tue, 28 May 2024 17:20:33 +0000

Title needs a small fix, it should be `ping ff02::1` (with two colons) to be a valid IPv6 address, match the actual command, and match the original title.

New comment by jeffmcjunkin in "Backblaze Scales Storage Cloud"

jeffmcjunkin — Tue, 21 May 2024 19:09:07 +0000

FWIW I've heard the term "dark fiber" used in both ways as well. Whenever there's ambiguity in jargon, I just avoid that jargon and use more words to describe the actual concept.

New comment by jeffmcjunkin in "BlackCat ransomware group implodes after apparent payment by Change Healthcare"

jeffmcjunkin — Wed, 06 Mar 2024 03:33:19 +0000

That helps with "we've encrypted your data; pay us for the key" but doesn't help you with "we've made copies of your patient records, leadership's emails; pay us or we publish it all".

The phrase to describe this is double extortion.

As for your question, https://www.cisa.gov/stopransomware is a decent start, but it's a complicated issue. In short, if a pentester can get inside your environment and gain privileges, so can an attacker. You want to slow down attackers enough to buy time for detection and response capabilities.

New comment by jeffmcjunkin in "JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (Fixed)"

jeffmcjunkin — Tue, 05 Mar 2024 22:43:59 +0000

Sorry, it was alluded to elsewhere: https://infosec.exchange/@iagox86/112045097519922098

There's more to the story that Rapid7 didn't want to air publicly, and none of it is good for JetBrains.

New comment by jeffmcjunkin in "JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (Fixed)"

jeffmcjunkin — Tue, 05 Mar 2024 19:41:54 +0000

Yup, silently patching (like JetBrains did) has a lot of downsides. Let alone the deception from JetBrains to the Rapid7 team.

(Disclosure: I know some of the folk on the Rapid7 side, so I'm perhaps biased towards their interpretation of events)

New comment by jeffmcjunkin in "Encrypted Client Hello"

jeffmcjunkin — Fri, 29 Sep 2023 15:28:51 +0000

For whatever reason, Domain Fronting is considered more of an attack behavior, used by red teamers and penetration testers. Doubling down on that behavior likely didn't seem as appealing from a PR perspective.

New comment by jeffmcjunkin in "x86 is dead, long live x86"

jeffmcjunkin — Mon, 31 Jul 2023 18:52:28 +0000

Ahem, that's _9000_.

New comment by jeffmcjunkin in "Does Company ‘X’ have an Azure Active Directory Tenant?"

jeffmcjunkin — Sat, 01 Oct 2022 13:50:32 +0000

Nearly 100% have on-prem AD (full name: "Active Directory: Domain Services"). Azure AD is a separate identity provider -- to a first approximation it's HTTPS and cookies, not Kerberos, LDAP, and Ticket-Granting Tickets that we see on-prem.

New comment by jeffmcjunkin in "Does Company ‘X’ have an Azure Active Directory Tenant?"

jeffmcjunkin — Sat, 01 Oct 2022 13:49:31 +0000

In contrast, the vast majority of companies with Azure AD also have on-prem AD (full name: "Active Directory: Domain Services") with some type of synchronization between them. Usually this amounts to having an on-prem service that shleps password hashes (technically salted, stretched hashed versions of the on-prem hashes) to Azure.

New comment by jeffmcjunkin in "T-Mobile: Breach Exposed SSN/DOB of 40M+ People"

jeffmcjunkin — Wed, 18 Aug 2021 19:14:48 +0000

Smart cards are essentially a big Secure Enclave themselves.

The whole point of a smart card (same as a military CAC, and almost the same as a TPM chip on computers) is to sign operations using the private key, without allowing export of that private key. They're still made of atoms, like all objects, and susceptible to physical key extraction attacks.

New comment by jeffmcjunkin in "Privilege escalation with polkit: How to get root on Linux with a seven-year-ol"

jeffmcjunkin — Fri, 11 Jun 2021 00:06:37 +0000

Title doesn't quite fit, how about this instead?

"Privilege escalation with polkit: Rooting Linux with a 7-year-old bug"