
  • I’m no fan of the folks at DOGE; but, I feel this bit is important to highlight:

    the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points.

    I know that my own credentials show up in the HaveIBeenPwned database quite a few times. I’ve had the same email address going on three decades now and have been signed up to a lot of services which got breached. The result is that you can find my personal email address and the associated password for whatever service got popped. Does that mean my own security is bad and/or my credentials for anything else are compromised? No, because I use complex, unique passwords everywhere. Yes, if you dig through the data, you can find my username and password for Dungeons and Dragons Online. And that will net you fuck all, because that was the only place I used that password.

    Honestly, this article is more an embarrassment to the person who wrote it than the person it’s about. Anyone who has had the same email address for any significant length of time and has used it to sign up to internet based services has probably had their credentials for some of those sites compromised. Sure, the OpSec and practices of folks in DOGE have been terrible, but all we know is that this user has had their credentials from other sites and services dumped, just like every other victim of such breaches. That’s not news, nor does it reflect on the victims of those breaches. This is just a sad attempt at a hit piece, which only shows the author’s lack of ability to find anything interesting to write about.









  • Stopping Windows from running, probably not. MS could stop sending updates and could deactivate it, but it would mostly keep running. And, if any EU/Russian systems were not connected to the internet (yes, this sort of thing still happens in 2025), nothing MS did would matter. Office/Azure and other cloud based services are more vulnerable. Yes, Microsoft could geo-fence those services such that they did not work if you were coming from an IP address in EU/Russia. Though, the simple workaround for this is to install a VPN. And given US sanctions on Russia, this is probably happening right now anyway.

    As much as the tin-foil hat crowd likes to think about MS having some master control switch, it’s incredibly unlikely. The problem with backdoors is that hackers are constantly looking for ways to attack systems, especially Windows. If there was some sort of master “off switch” baked into the code, it’s likely someone would have stumbled upon it by now. Even if it’s that well hidden, it’s a “one use” item with high reputational damage attached. Stop and consider for a moment, what happens when that kill switch gets used? It’s going to be picked up on. People record internet traffic for fun. As soon as that kill command went out, security researchers, the world over, would be dissecting logs to find the command, and then it would be reverse engineered. That MS had such a kill switch in their codebase would cause massive distrust in MS software going forward. No one would want to take the risk of having that kill switch running in their environment, certainly not on anything critical. Also, given how bad people are at updating Windows, we’d probably see a lot of systems killed by hackers just doing hacker things. Since the versions with the kill code would be known, you’d get bored teenagers searching Shodan for vulnerable systems and sending the kill command for fun. And all of this would be “Microsoft’s fault” for having the backdoor. It would be a PR nightmare. And since everyone would now know what the kill command looked like, anyone who mattered would install filters to block it at the firewall. So, it got used once, caused some damage with a lot of damage to MS’s reputation but is now neutralized. Was it worth it? Probably not to Microsoft.


  • This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could log in to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.

    That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me for what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who is running Splunk locally, feed all my logs into it and have dashboards set up (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.

    I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:

    While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible.

    The hard thing to teach people is that you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20 character, random string of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if your password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That’s bad, m’kay.









  • foreign intelligence partners … will curtail what they share with the US

    Wouldn’t be surprised if domestic intelligence agencies start curtailing what they share. The fact is that a TS/SCI isn’t that hard to get, if you aren’t a complete fuck up. And even folks who have been a complete fuck up in the past can still get one, if they stopped being a fuck up long enough ago. That many of the folks in Trump’s cabinet would be denied a clearance speaks to the level of fuck uppery that they have been up to recently. Gonna be an interesting four years with the Felon in Chief.



  • I join at exactly the designated time. If you wanted me there five minutes earlier, then schedule the meeting five minutes earlier. Don’t jerk me around with some expectation that I’m going to do anything other than what you asked for. Also, most of the folks I work with tend to be booked with lots of back to back meetings; so, no one is showing up early anyway. We all show up at the designated time and anyone late can catch up when they show up.

    The “early is on time” mentality makes some sense for physical meetings and appointments. For virtual meetings, it just demonstrates that the person has no understanding of how technology works.