They could have taken a more defence-in-depth approach to key storage and encrypted the cloud copy of the Bitlocker key with a random master key itself protected by a user password-derived key arrangement, with any crypto action occuring on the device to avoid knowledge of the plaintext key. That way the Bitlocker key stored in the cloud is opaque to Microsoft, and only by knowing the user's current cleartext password could they access the raw Bitlocker key.
The current approach is weak, and strikes me as a design unlikely to be taken unless all the people involved were unfamiliar with secure design (unlikely IMO), or they intentionally left the door open to this type of access.
Considering the number of x86 machines I've come across in fleet deployments that were put into various states of brickdom from Windows Update, I would not be at all surprised if it was a bad update-rollback sequence.
Laptops seem particularly susceptible to whatever (anti) magic Microsoft utilise for their update rollback process, but it happens to every device class seemingly at random. Besides the run of the mill "corrupt files at random in System32", which is common and simple enough to fix with a clean install, I've had a few cases where it appears an attempt at rolling back a BIOS update has been interrupted by the rollback manager and left those machines hard bricked. They could only be recovered by flashing a clean BIOS image with an external programmer and clip (or hand soldering leads), after which they ran without issue.
As much as it's valid to question the unconditional anti-Microsoft mentality, they are still far from infallible and from my experience they are getting notably more unreliable in recent years.
Likely cheaper to just coat the real drones in an aerogel or similar light weight, high thermal resistance material. It's an arms race still, but one with a reasonable amount of asymmetry in favour of an attacker.
You likely ran into anti-fraud provisions with that scenario, specifically identity theft prevention. Having worked at a similar business for years, a trend for high fraud occurrence is squeaky clean credit file-high income applying for low value credit.
These have a well above average occurrence of identity theft cases, presumably because the guaranteed affordability test pass combined with low value makes it easy to get the loan and subsequently unlikely anyone will bother to chase it when they identify it as fraudulent.
It's easier, and cheaper, as a provider to just reject all originating accounts in this scenario. Similar to applying for a mortgage: if your credit parameters vastly mismatch your affordability you will get a LOT more questions asked.
I'm really interested in this too. I'm tossing up between something like this (maximum thread count but probably high power usage) or a Ryzen build (simple and low power).
That CPU has a TDP of 115W but I can't find much information on the idle power usage.
I would also like to see a write-up of the GPU pass-through setup since that's something I've been wanting to have on my local system for ages, i.e. vm host system => dev vm 1 ... vm N, Windows VM + dedicated GPU for gaming etc.
If I were doing a build today, I would be sorely tempted by Ryzen, mostly because it would be new hardware and the AM4 platform. That said, having a server board has turned out to be really nice for a lot of things, such as ECC memory and nice virtualization features. It looks like Ryzen has some issues with kvm passthrough so far[0]. My favorite resources are [1] and [2].
If they were a research organisation then I would have nothing but respect for Facebook's accomplishments. However they are not a research organisation but instead a for-profit corporation that devotes an obscene amount of money and effort to undermining privacy for all users of the internet, irrespective of whether you use their platform or not.
I don't think it's fair to judge the merits of an entity purely by what it brings to the world, without also considering what it in turn takes from it.
I think your concern for privacy has no respect for the individual accomplishment. Facebook, like many other for-profit organizations, will always monetizing user data. You have the choice of not using it. The outcome of their research has impact from environmental to computer science. You may disagree how a for-profit should run, but I respect the people who work there performing top tier research. You'd think all of the DoD research grants are less sinister? Perhaps we should never accept any grants from the DoD so none of them goes into military action based on your sentiment of social responsibility.
Well there's Watson [1]. It obviously performed very well in Jeopardy! and it sounds like they had some novel ideas and techniques behind the implementation.
I'm not sure how cool this is anymore however. Our company was evaluating their Bluemix [2] cloud all-the-things-as-a-service service which offers Watson. Despite their very aggressive marketing team insisting it would be able to solve a very wide range of "machine learning problems" (their words, not mine) it fell down quickly when encountering problems outside their example data-set. It was also impossible to get in touch with an engineer there, the only people you could speak to were sales and/or marketing which were useless. I get the feeling their desired clientele are technically illiterate upper-management who merely want the guarantee of a massive corporation's support and to hell with their technical capabilities.
That is because IBM is a huge corporation, with loads of red tape. As an engineer, you are not allowed to talk directly to customers without a certain training/certification. Even if their engineers had the time and would be willing to do it, they are not allowed to.
YMMV obviously but having used CyanogenMod for the past few years on various devices I've found it to generally exceed the stability of vendor-provided Android. Not to mention the better user experience and more rapid security patching.
If the included file is writable by the PHP user then I would say that poses a reasonably high security risk; potential privesc, information disclosure, RCE. Of course an attacker would need the ability to manipulate local files as the PHP user, but that isn't much of a stretch.
Under a typical install, e.g. Debian, Ubuntu, etc, nginx parses the configuration files as root thus any exploit of the config parser gains full root access as the nginx master process doesn't drop caps.
Depending on where the include line is placed it may be possible for an attacker to create server blocks allowing them to execute arbitrary PHP by permitting PHP execution from a directory with PHP write access, e.g. `wp-upload`. Assisting exfiltration of data by allowing easy remote access to the filesystem. Possibly proxy all traffic through an attacker controlled script or host. Exposing local services to the outside world.
I'm sure there's plenty of other interesting little attacks possible if given enough time to play around with it.
If at all possible I would avoid permitting unprivileged r|w access to nginx configuration files.
Yeah these days even doing Cat 6 is pretty cheap. We ran Cat 6 throughout the apartment, and the biggest nuisance of it was figuring out the best way to do conduit (solid brick walls mean we can't just go in-wall).
The current approach is weak, and strikes me as a design unlikely to be taken unless all the people involved were unfamiliar with secure design (unlikely IMO), or they intentionally left the door open to this type of access.
reply