Posts

Massive Critical Security Patch Released by Oracle Impacting Most Versions of MySQL

Oracle has released a Critical Patch Update covering a long list of Oracle products. For MySQL specifically, the patch resolves a number of vulnerabilities that are remotely exploitable without authentication (that is, over the network and with no username or password) and impact nearly all versions of the database software. Oracle provided the following Risk Matrix to their MySQL customers, which lists the CVE number of each vulnerability, the affected component, and a number of other details. I've included a copy of that Matrix for readers to review below. As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update, 24 of them in MySQL. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the 10.0 scored by the recent Shellshock bash vulnerability). I highly advise anyone using MySQL or any Oracle product, including Java, to update their software immediately.

Rep. Joe Garcia (D-FL) Picking His Earwax and Eating It

Words fail me.

Coincidence? Perhaps Not.

Observe, if you will, the following clear-cut photographic evidence that something is amiss in Washington. Henry Waxman. Powerful Congressman, member of the House of Representatives. Former Chair of the Energy and Commerce Subcommittee on Health and the Environment. Chairman of the House Energy and Commerce Committee. Rumored to snort cocaine without the aid of a straw or similar apparatus. Claims the ability to "smell fear". Edward Tattsyrup. Star of BBC television documentary "League of Gentlemen". Owner of Royston Vasey's Local Shop. Brother and husband of Tulip "Tubbs" Tattsyrup. Committed to the interests of both his Local Shop and the Local People of Royston Vasey. The genetic link between these two individuals is clear. Have Royston Vasey politics leapt across the pond? Royston Vasey is a Local Shop for Local People - there is nothing for Americans there. How have the Tattsyrups' bizarre opinions regarding transp

Kids These Days

I don't get them.

Why is the Washington Post Publishing Pro-Surveillance Propaganda? Can Government Surveillance Revelations Decrease Encryption Adoption?

For the last few days I've had great fun watching James Comey and his pack of Keystone Cyber Cops failing to convince the world that they should be CC'd on everyone's calls, tweets and texts, and generally exposing himself as the incompetent, braying ass that he is.

Keep in mind the camera adds 10 pounds.

Dan Froomkin and Natasha Vargas-Cooper over at The Intercept exposed each of the examples that Comey used to indicate the necessity for breaking cell phone encryption as fabricated - the cases were real, but none of them relied on cell phones or computers to obtain a conviction. In one case of infanticide, the parents who were eventually found guilty had been previously convicted of child cruelty and had the deceased child previously taken from their custody for neglect. Not only did the state not need to read the parents' phones for evidence, if they had read their own files and demonstrated some inter-agency cooperation they could very likely have prevent

Palo Alto Networks Firewalls Leaking Usernames and Password Hashes

A significant number of Palo Alto Networks (PAN) firewalls are leaking critical information onto the open internet. It's vital to immediately qualify that statement. The leaks result from firewall administrators enabling Client Probing and Host Probing within the User-ID settings without explicitly limiting such probes to a trusted "zone" or subnet. With probing enabled, the firewall itself reaches out over SMB to hosts whose traffic it sees, authenticating with its configured User-ID account; a host outside the trusted network that answers with a properly formatted SMB response is handed that account's username, domain name and password hash. HD Moore, Chief Research Officer of Rapid7 and founder of Metasploit, is responsible for the initial publication of the vulnerability. Enabling such a configuration on a production firewall appliance, with its resulting leaks, creates a somewhat unusual situation where responsibility for the resulting vulnerability ought to be shared between security administrators and PAN developers. SMB probing should be filtered to trusted subnets; this is obvious. That said, such a setting should not be
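The practical check an administrator wants here is whether the firewall's own SMB probes are leaving the trusted subnets at all. The script below is an added example, not code from the original post or from Palo Alto Networks or Rapid7: it walks a connection log of firewall-initiated sessions and flags every SMB (TCP 139/445) connection to a destination outside an allowlist of trusted subnets. The log format (constructed, space-separated: timestamp, source, destination, destination port), the firewall address and the trusted subnets are all illustrative assumptions; adapt the parser to whatever export your firewall produces.

```python
"""Audit firewall-initiated SMB probes against a trusted-subnet allowlist.

Added example (not from the original post, Palo Alto Networks or Rapid7).
Assumes a constructed, space-separated connection log of the form
    <timestamp> <src_ip> <dst_ip> <dst_port>
where every line is a session the firewall itself opened. The firewall
address, sample destinations and trusted subnets are illustrative.
"""
import ipaddress

# Ports a User-ID client/host probe would reach a Windows host on.
SMB_PORTS = {139, 445}

# Subnets the probes are supposed to be confined to (assumed for the example).
TRUSTED_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Constructed sample log: the firewall (10.0.0.1) probing hosts it has seen.
# Two of the SMB destinations are documentation-range addresses standing in
# for arbitrary internet hosts; those are the leaks the audit should surface.
SAMPLE_LOG = """\
2014-10-17T10:00:01 10.0.0.1 10.0.5.20 445
2014-10-17T10:00:02 10.0.0.1 192.168.10.7 139
2014-10-17T10:00:03 10.0.0.1 203.0.113.45 445
2014-10-17T10:00:04 10.0.0.1 198.51.100.9 445
2014-10-17T10:00:05 10.0.0.1 203.0.113.45 443
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def is_trusted(addr, trusted=TRUSTED_SUBNETS):
    """True if addr falls inside any allowlisted subnet."""
    return any(addr in net for net in trusted)


def find_leaking_probes(log_text, trusted=TRUSTED_SUBNETS):
    """Return [(dst_ip, dst_port), ...] for every SMB connection the firewall
    opened to an address outside the trusted subnets. Each such connection
    is an opportunity for the remote host to capture the probing account's
    credentials, so every entry returned is a finding."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _src, dst, port = parse_line(line)
        if port in SMB_PORTS and not is_trusted(dst, trusted):
            leaks.append((str(dst), port))
    return leaks


def untrusted_destinations(log_text, trusted=TRUSTED_SUBNETS):
    """Distinct untrusted hosts probed, for a quick blocklist or incident scope."""
    return sorted({dst for dst, _port in find_leaking_probes(log_text, trusted)})


if __name__ == "__main__":
    for dst, port in find_leaking_probes(SAMPLE_LOG):
        print(f"SMB probe to untrusted host {dst}:{port} - credentials exposed")
    print("hosts to treat as having captured the probe account:",
          ", ".join(untrusted_destinations(SAMPLE_LOG)))
```

Any non-empty result means the probe account's credentials should be considered captured by those hosts: rotate the User-ID service account's password and restrict probing to the trusted zones before anything else. The HTTPS (443) line to the same external host is deliberately not flagged; only the SMB sessions carry the authentication exchange.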

Congress to Comey: Leave Encryption Alone

Congress appears to have abandoned FBI Director James Comey's bungled attacks on consumer adoption of encryption. It's a rare glimmer of sanity from Capitol Hill: press reports quoting congressional officials using language not ripped from the pages of an Orwell novel. Readers may remember that in a recent post we mentioned some danger signs indicating that the executive wanted to take more aggressive action to ensure that the commoners and foreign-folk don't have access to encryption tools that would help keep their data free from snooping. Top brass from the FBI and the Attorney General's Office were telling anyone who would listen that unless tech companies stopped trying to protect their customers' data, law enforcement would be powerless in the face of modern "cyber" criminals. Congress has refused to jump on this alarmist bandwagon. Darrell Issa, a member of that rarest of species - California Republicans - had this to say about federal law enforcem