Feed aggregator

Dirk Gently’s Holistic Detective Agency is to be released on vinyl record for the first time by Demon Music Group. Written by Douglas Adams, these BBC radio dramatisations will be available on 17th July 2020. ‘Let’s think the unthinkable, let’s do the undoable.’ Presented on vinyl for the very first time, Dirk Gently’s Holistic Detective […]

The post ‘Dirk Gently’s Holistic Detective Agency’ by Douglas Adams to be released on vinyl appeared first on Blogtor Who.

When a group of celebrities ask to speak with their lawyer, they usually don’t have to call in a bunch of other people to go speak with their lawyer. However, in this case it may well be a thing a little down the line. A huge array of musicians including Bruce Springsteen, Lady Gaga, Madonna, Run DMC and many more have had documents galore pilfered by the Sodinokibi gang.

Around 756GB of files including touring details, music rights, and correspondence were stolen – some of which was sitting pretty on a site accessible through TOR as proof of the sticky-fingered shenanigans. The law firm affected is Grubman Shire Meiselas & Sacks, a major player handling huge contacts for global megastars on a daily basis. Although they handle TV stars, actors, and sports personalities and more, so far the only data referenced online appears to be in relation to singers / songwriters. 

Why?

The assumption is the data is being displayed as a preview of things to come; pay a ransom, or the data gets it (and by gets it, we mean “everything is published online in disastrous fashion”). The Sodinobiki gang are not to be trifled with, having already brought the walls crashing down upon Travelex not so long ago.

Hot targets…

Legal firms are becoming a hot target for malware focused criminals as they realise the value of the data they’re sitting on. Break in, exfiltrate the files, then send a few ransom notes to show them you A) have the files and B) mean business. If they refuse to pay up, drop the files and walk away from the inevitable carnage of reputational damage + compromised clients.

Who or what is Sodinokibi?

Put simply, a devastatingly successful criminal group with a penchant for Ransomware, data theft, and extortion. Sporting a popular Ransomware as a Service business model, they spiked hard in May of 2019 with a ramp-up in attacks on business and (to some degree) consumers. Their ransomware went a long way to filling the void left by GandCrab group’s “retirement,” and multiple, smaller spikes took place until an eventual decline for both consumer and business towards the end of July.

There were six versions of Sodinokibi released into the wild between April to July alone, helping to keep the security industry and targets on their toes over a very condensed period. Vulnerabilities, phishing campaigns using malicious links, malvertising, and even compromised MSPs to help launch the ransomware waves. You should absolutely lock down your MSP, by the way.

Technical details on the attack?

This is a breaking story and for various reasons the affected parties aren’t going to spill the beans just yet, especially with investigations ongoing. Having said that, there’s every probability they used ransomware to get the job done and that this was a targeted attack. How is Sodinokibi ransomware faring at the moment?

Sodinokibi ransomware statistics

This likely isn’t part of any huge spam wave. Our monthly data for consumer and business shows the last big spike in Ransom.Sodinokibi back in December:

Overall detections for months in 2019 and 2020

Business detections hovered between 200 to 280 from September to November 2019, before exploding over December to just under 7,000. It quickly dropped back down to 260 in February 2020, with a slight spike of 1,447 in April.

Consumer, meanwhile, followed a slightly more convoluted path with a peak of just over 600 in November 2019, and numbers ranging from 293 in July 2019 to 228 in March 2020 and generally low numbers elsewhere (76 in August 2019, 70 in December 2019, and 109 in April 2020).

In conclusion, then, ensure your ransomware armory is fully stocked and ready to go should you be sitting on lots of incredibly valuable entertainer documents, or indeed anything at all. Whether hit by random attacks or targeted mayhem, the end result is still the same: lots of headaches, and quite a few calls to legal.

Or, in this case, many calls to legal.

The post Sodinokibi drops greatest hits collection, and crime is the secret ingredient appeared first on Malwarebytes Labs.

MooglyCAL2020 Block #10 is a unique textured adventure by Pia Thadani of Stitches N Scraps! This square is full of color possibilities too! Read on for all the details, and for the link to Block #10 in this free year-long crochet along! Disclaimer: This post includes affiliate links; materials provided by Yarnspirations, Furls, and Chetnanigans....

Read More

The post MooglyCAL2020 – Block #10 appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

0

I think I might right another follow-up to this post, so it was worth revisiting from the distance past of 2018...

Art by Bill Sienkiewicz
Here are some further refinements/elaborations on the idea I presented in a previous post for a 5e (or any sort of D&D really) game that was actually far future science fiction replicating fantasy.

• The Distance Future: Millions of years certainly, though exactly how long is obscured by the mists of time and the humankin's fickle devotion to data storage formats. It is possible that biologic humanity even disappeared at one point but was resurrected by its nostalgic offspring. Scholars are aware that more than one civilization has come and gone and the Height was long ago.
• A Neglected Garden: Earth was once an intensively managed paradise, maintained by nanotechnology and AI that were integrated into the natural world. Most of the animals were heavily modified by genetic engineering and technology, and some were of exozootic stock. Even humans were integrated into this network, and everyone born still carries the nanotechnological  system within them. Though technological spirits and godlings still live in nature, they no longer heed humans on any large scale, at least in part due to the fact that few humans can activate the necessary command codes.
• Diverse Humankin: Through genetic engineering, different clades of human-descended biologics have developed. The reasons for the modifications from baseline seen in these "races" may not always be apparent. Perhaps some were just art projects for some creative god?

Art by Laura Zuccheri

• The grist: Commoners speak of "magic users" in dim memory of the fact that everyone of Earth is a "user" in the computer science sense, but wizards know there is no such thing as magic, only grist (or maybe mana), the shells of nanotechnology that envelope the world. Everyone uses it to a degree, but few have the aptitude to develop the skill to employ the grist to work wonders.
• The ether: The underlying grid of spimes and metadata, which supports the nano and once integrated it with the internet, is known as the Etheric Plane or Ether. Wizards and other magic users are aware it plays an important part in their spells and also in the powers of gods and incorporeal intelligences, but they are like mice within a palace, ignorant of its total function and potential.
• The Outer Planes: Civilization at the Height was not confined to the Primal Earth, but extended through the stars. Some of the posthumans that went to other stars disassembled planets to convert to computronium, then huddled close to stars for power. Their civilizations sometimes became very strange, perhaps even went mad. Many of their networks still connect to Primal Earth through ancient but robust relays. Humankin of Earth are often in grave danger when they venture into such places.
• Treasures Underground: Earth's current society is built on the detritus of millennia. Current humankin seek to exploit it in rudimentary ways, and more advanced civilizations of earlier times sought to do so in more advanced ways. The tunnels they dug still exist, but so do the guardians they put in place and the dangers they encountered.

The post 1400 appeared first on Looking For Group.

The post Video of the Day – Lorraine, 2020 appeared first on Blogtor Who.

Week seven of the Doctor Who lockdown brought three Doctors, a Zygon invasion, and more treats from the Time Space Visualiser, G’Day of the Doctor and more…   Here we are the end of week seven of lockdown! That’s almost a year in dog’s years! Many countries around the world begin a long, slow process […]

The post Doctor Who Lockdown: Week Seven Roundup appeared first on Blogtor Who.

The Leaping Stripes and Blocks Squared Tutorial demonstrates how to crochet this fun and addictive motif or blanket – in both right and left-handed videos! Disclaimer: This post includes affiliate links; materials provided by Yarnspirations and Clover USA. Leaping Stripes and Blocks Squared Tutorial: How to Crochet the Leaping Stripes and Blocks Squared – Right...

Read More

The post Leaping Stripes and Blocks Squared Tutorial appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

0

So I've been going through Castles & Crusades Classic Monsters book & setting up wilderness campaign encounters for an upcoming Victorious rpg campaign. Work has had me on the ropes for some time now but some how I've squeezed a few ideas into the campaign mix. The Classic Monster book basically has a rework of many of the Fiend Folio favorites in it Behirs and Boggarts cavefishers,  Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

The Common Vulnerability Scoring System (CVSS) provides software developers, testers, and security and IT professionals with a standardized process for assessing vulnerabilities. You can use the CVSS to assess the threat level of each vulnerability, and then prioritize mitigation accordingly.

This article explains how the CVSS works, including a review of its components, and describes the importance of using a standardize process for assessing vulnerabilities.

What is a software vulnerability?

A software vulnerability is any weakness in the codebase that can be exploited. Vulnerabilities can result from a variety of coding mistakes, including faulty logic, inadequate validation mechanisms, or lack of protection against buffer overflows. Unprotected APIs and issues contributed by third-party libraries are also common sources of vulnerabilities.

Regardless of the source of the vulnerability, all present some risk to users and organizations. Until vulnerabilities are discovered and patched, or fixed in a software update, attackers can exploit them to damage systems, cause outages, steal data, or deploy and spread malware.

How vulnerabilities are reported

The way in which vulnerabilities are reported depends on the type of software they are discovered on and the type of vulnerability they appear to be. In addition, the perceived importance of the vulnerability to the finder is a factor in how it’s reported.

Typically, vulnerabilities are found and reported by security researchers, penetration testers, and users themselves. Security researchers and penetration testers may work full-time for organizations or they may function as freelancers working under a bug bounty program.

When vulnerabilities are minor or can be easily fixed by the user without vendor or community help, issues are more likely to go unreported. Likewise, if a severe issue is discovered by a black hat researcher, or cybercriminal, it may not be reported. Generally, however, vulnerabilities are reported to organizations or developers when found.

If a vulnerability is found in proprietary software, it may be reported directly to the vendor or to a third-party oversight organization, such as the non-profit security organization, MITRE. If one is found in open-source software, it may be reported to the community as a whole, to the project managers, or to an oversight group.

When vulnerabilities are reported to a group like MITRE, the organization assigns the issue an ID number and notifies the vendor or project manager. The responsible party then has 30 to 90 days to develop a fix or patch the issue before the information is made public. This reduces the chance that attackers can exploit the vulnerability before a solution is available.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a set of free, open standards. These standards are maintained by the Forum of Incident Response and Security Teams (FIRST), a non-profit security organization. The standards use a scale of 0.0 to 10.0, with 10.0 representing the highest severity. The most recent version released is CVSS 3.1, released in June 2019.

These standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

How CVSS scoring works

CVSS scoring is based on a combination of several subsets of scores. The only requirement for categorizing a vulnerability with a CVSS is the completion of the base score components. However, it is recommended that reporters also include temporal scores and environmental metrics for a more accurate evaluation.

The base score of the CVSS is assessed using an exploitability subscore, an impact subscore, and a scope subscore. These three contain metrics for assessing the scope of attacks, the importance of impacted data and systems, and the scope subscore assesses the impact of the attack on seemingly unaffected systems.

Base score

The base score is meant to represent the inherent qualities of a vulnerability. These qualities should not change over time nor should qualities be dependent on individual environments. To calculate the base score, reporters must calculate the composite of three subscores.

Exploitability subscore

The exploitability subscore measures the qualities of a vulnerable component. These qualities help researchers define how easily a vulnerability can be exploited by attackers. This subscore is composed of the following metrics:

Metric Measurement Scale (low to high) Attack vector (AV) How easy it is for attackers to access a vulnerability Physical (presence)
Local (presence)
Adjacent (connected networks)
Network (remote) Attack complexity (AC) What prerequisites are necessary for exploitation Low
High Privileges required (PR) The level of privileges needed to exploit the vulnerability None
Low
High User interaction (UI) Whether exploitation requires actions from a tertiary user Binary—either None or Required

Impact subscore

The impact subscore measures the effects that successful exploitation has on the vulnerable component. It defines how a component is affected based on the change from pre to post exploit. This subscore is composed of the following metrics:

Metric Measurement Scale Confidentiality (C) Loss of data confidentiality in the component or wider systems None
Low
High Integrity (I) Loss of data integrity throughout the component system None
Low
High Availability (A) Loss of availability of the component or attached systems None
Low
High

Scope subscore

The scope score measures what impact a vulnerability may have on components other than the one affected by the vulnerability. It tries to account for the overall system damage that an attacker can execute by exploiting the reported vulnerability. This is a binary scoring with scope being changed or unchanged.

Temporal score

The temporal score measures aspects of the vulnerability according to its current status as a known vulnerability. This score includes the following metrics:

Metric Measurement Scale (from low to high) Exploit code maturity (E) The availability of tools or code that can be used to exploit the vulnerability Proof of concept
Functional
Unproven
High
Not defined Remediation level (RL) The level of remediation currently available to users Official fix
Workaround
Temporary fix
Unavailable
Not defined Report confidence (RC) The degree of accuracy of the vulnerability report Unknown
Reasonable
Confirmed
Not defined Environmental metrics

Environmental metrics measure the severity of the vulnerability adjusted for its impact on individual systems. These metrics are customizations of the metrics used to calculate the base score. Environmental metrics are most useful when applied internally by security teams calculating severity in relation to their own systems.

The importance of standardization

CVSS provides comprehensive guidelines for assessing vulnerabilities. This scoring system is used by many and has a wide range of applications. However, perhaps the most important aspect of the CVSS is that it provides a unified standard for all relevant parties. Standardization is crucial when responding to risks and prioritizing mitigation.

CVSS scores are more than just a means of standardization. These scores have practical applications and can have a significant impact in helping security teams and product developers prioritize their efforts. 

Within an organization, security teams can use CVSS scores to efficiently allocate limited resources. These resources may include monitoring capabilities, time devoted to patching, or even threat hunting to determine if a vulnerability has already been exploited. This is particularly valuable for small teams who may not have the resources necessary to address every vulnerability.

CVSS scores can also be useful for security researchers. These scores can help highlight components that are especially vulnerable or tactics and tools that are particularly effective. Researchers can then apply this knowledge to developing new security practices and tools to help detect and eliminate threats from the start. 

Finally, CVSS scores can be informative for developers and testers in preventing vulnerabilities in the first place. Careful analysis of high ranking vulnerabilities can help software development teams prioritize testing. It can also help highlight areas where code security best practices can be improved. Rather than waiting until their own product is discovered to be vulnerable, teams can learn from other’s mistakes

The post How CVSS works: characterizing and scoring vulnerabilities appeared first on Malwarebytes Labs.

An assortment of things:

1. Erik Tenkar (of Tenkar's Tavern fame) has shared that he has some health issues going on. I am praying for him, and hope you do, too. He's a good guy, and I hope he has a speedy recovery.

2. Aldo created a fantastic fillable character sheet for Sentinels of Echo City. It's linked to the left. You'll want to download that :)

3. If you are having any trouble with your discounted copy of Tales of the Splintered Realm, please let me know (mtdesing at roadrunner dot com). If you purchased the pdf, you should be getting the print edition for a base price of $10. In the 'thank you' message from drivethrurpg, there is a copy to the direct link for the discounted version. If you cannot find that, I'll send you the link directly via email. For some reason, drivethru is not super excited about helping me sell games on a different site. I would use their POD builder, but the last time I tried I found it impossible to use. Maybe it's better now...

4. I am VERY grateful for the all of the enthusiasm and support people have shown for my projects over the last few weeks. It's been a lot of fun to log on every day and see what people are doing with the games.

5. I am THIS close to being done with my doctorate in educational leadership. I am on the FINAL review stage, and have one more set of edits to do to my dissertation and I should be truly and absolutely done with that beast. Whew.

By Joseph Mohr Old School Role Playing OSRIC Levels 9-12

Raven Darkmore is the legendary Grandfathr of Assassins. He has ruled the night for the last forty years. Now he has been laid to rest. The location of his tomb has been a mystery until recently. A pair of thieves have found the location. Unfortunately, one of them died, trying to explore the tomb. His partner decided that he needed a little help. He has contacted the party offering to lead them to the tomb for a share in the treasure. But not everything is as it appears. The thief leading the party to this tomb is not trustworthy. And the tomb is not as empty as it might seem.

This 27 page adventure describes a small 23 room tomb dungeon with a “central star” layout. It stuffed full of high level baddies, all living in harmony, waiting to kill the party. And is in single-column format. And is dull.

Do you think your life has meaning? Let us assume you were locked up, today, in solitary confinement for the rest of your life, with little to no agency in your life from now on. Let us contrast that to the life you have now, or, perhaps, what you imagine to be #BestLife. Is one more meaningful than another? Can the choices and outcomes of either life be declared to be meaningful … because there can be no meaning, making everything, essentially, the same, and the struggle against the absurd what brings value? But, what if there is no struggle? What if you are not aware of it? Sometimes, reality has a way of slapping you around and challenging those beliefs of your. Reality, in this case, in the form of The Tomb of Raven Darkmore.

Blah blah blah. Grandmaster of Assassins dead, buried in a tomb, thief dude finds it and recruits to you help him loot it. He will, of course, betray you and, of course, the GM isn’t actually dead but is hanging out inside with all of his assassin buddies. As in, there are ten 10’ squares with ten high-leve dudes in the room, about half assassins. If you follow the DM advice then they just backstab instead of doing their assassinate strike. Oh, and then there’s the ghost that hangs out in the tomb. And the two bad-ass vampires running around. And the mummy lord priest. And the Death Knight. All in a small tomb complex laid out like a central star. No one really cares that you’re there, or hunts you down, or really cares that anyone else is there either. They just hang out in their little rooms, waiting for someone to come visit so they can attack. 

This is the problem with tomb adventures. This is the problem with ihg level adventures. A static environment with unintelligent undead for low level adventurers is not the same as a high-level adventure with intelligent (super intelligent) undead. If this were a low level adventures, returned, then it would just have the “I am a boring tomb adventure” problem to solve. But, as a high level adventure, is has to solve all of the high level adventure problems also, and it just doesn’t try at all. They are all just there, waiting. 

And I didn’t even mention the two assassin patrols or the black pudding or the hang of displacer beasts wandering around. There are, of course, a lot of traps. 

It’s all in single column. It’s gots continuity errors. The ghost loves his wife, but I guess he never leaves his own tomb to go find her missing bones? Plus, her tomb is LITERALLY on the other end of the room, an open room. And her locket is in her crypt. But he’s never gone over there to find it? And then, when her bones DO show up, later in the adventure in another room, they are labeled as HIS bones, not hers. It’s like no one tried.

A chapel to a forgotten god. A tomb with an alter to the same god. That’s the detail you get. Nothing special. All abstracted. Everything boring and generic, when it exists at all. The descriptions are all facts and mechanics. Both doors are locked with extremely complicated locks (-50% to picking.) Of course. “The coffins of the king and queen lie side by side in death. Dominik and Eliza were king and queen of a minor kingdom that once existed in this area. They died nearly 400 years ago during a war that engulfed this region.” That’s your room description. Enjoy. Abstracted detail. Non-existent detail. This is like a randomly generated dungeon. Just roll on the DMG chart and put the monsters in and slap a trap down in each room.

This is not D&D. Oh, I know, one true-way-ism and all that fuckery. Why bother writing an adventure when you could just randomly roll on tables to produce the same thing? 

The highlight of the adventure is Ghosty McGhostface, who will help you, maybe, in the final fight, maybe, if you find his wife’s bones. Maybes. There are essentially no room descriptions. Maybe one room has “murals of his best assassinations.” Everything else is backstory and trivia, when it has descriptions at all. 

Love bland descriptions with an emphasis on mechanics? Do I have an adventure for you!

And, of course, there’s no level range given on the cover. Or in the product description. Why bother? Three stars on DriveThru. Ouch!

This is Pay What You Want at DriveThru, with a suggested price of $3. The preview is six pages. For that, you get to see the level range, on the title page, as well as two pages of wandering monsters in the wilderness. Bad preview. Previews need to show you something of the meat of the encounters, what you will actually be buying. 

https://www.drivethrurpg.com/product/310981/The-Tomb-of-Raven-Darkmore?1892600

I had intended to talk about Mister Miracle #6 and Funky Flashman this week, but I just read Forever People #8 (on sale February 1972), and I feel like that better encapsulates the oddness of what Kirby was doing with the Fourth World saga.

There is a lot going on in this issue. A man known as Billion-Dollar Bates lives out in the desert with a barrier and deserted town guarded by para-military private security. He's involved with a Satanic cult called "The Sect" who has a ritual space beneath his mansion and wears weird looking masks. He's holding a group of prominent citizens against their will with some "power."

If that isn't enough, someone is infiltrating Bates' compound, wearing the masks of the Sect, and killing his guards. Then the Forever People show up.

Ultimately, we discover that Bates (like time-lost Sonny Sumo) has the "Anti-Life Equation," the innate ability to control minds. Unlike the virtuous Sumo, who worried about ever using the power, Bates has made himself wealth and powerful--and still has the desire to gloat to others about his deeds. It ends badly for him:


The inflitrators are Darkseid and his minions. And accident keeps Darkseid from the Anti-Life Equation: bullets through Bates. This is the second time Kirby has introduced the Equation in the flesh, and the second time he takes it off the table. Presumably he feels if it's ever here to stay he's reached the climax of his story.

With his ribbon tie, big cigar, and jowled face, Mister Bates is a rich man caricature. His very name hints at the self-gratifying nature of his use of the power and the way he has lived his life. He also fancied himself a "wheeler dealer," he tells his captives, but then the Sect revealed the true nature of his power. His life blessings almost literally derive from Satan.


The weirdest thing in this issue is, when confronted with the Forever People, Darkseid starts sort of playing drill sargeant and lines them up to berate them. Later Darkseid reveals it was a ruse to throw the Forever People off-guard, suggesting he fears them a bit. It's not at all how Darkseid is portrayed in the modern DCU.

Actors and writers from across the Doctor Who universe have come together to create special one-hour video LOCKDOWNUNDER in aid of the postponed G’Day of the Doctor fundraiser event Originally due to take place on Saturday 9th May at London’s Royal Vauxhall Tavern, G’Day of the Doctor was created as a Doctor Who charity fundraising event in aid of the […]

The post ‘Doctor Who’ Stars Feature in Special Hour-Long Charity Video ‘G’Day of the Doctor: LOCKDOWNUNDER’ appeared first on Blogtor Who.

World War II is over. France is liberated. But some fires continue to burn. A new adventure for the Sixth Doctor, Constance and Flip, Doctor Who: Scorched Earth, is released today. Colin Baker, Miranda Raison and Lisa Greenwood star in Doctor Who: Scorched Earth, written by Chris Chapman. The TARDIS lands in a French village […]

The post BIG FINISH: Doctor Who: Scorched Earth – May main range release out now appeared first on Blogtor Who.

The post Video of the Day – TVLine: Comic-Con, 2017 appeared first on Blogtor Who.

DMs Guild is having a "Play It Forward" promotion through this Sunday (May 17th), which gives each author of a purchased product 100% of the revenue instead of the usual 50%. Furthermore, many products are 20% off, and the Ruined Tower of Zenopus is one of these selected items, which means it is currently only $1.59!


Product Link:
The Ruined Tower of Zenopus on DMs Guild

Click here to read reviews of the RTOZ by various bloggers


Ad design by the 1000 Foot General

PEFs; what are they and how do we use them?

PEF Video

The print editions are live on Lulu - and just FYI, Lulu has a 15% off print editions coupon ONEFIVE that ends at midnight on 5/14, if you want to take advantage of that, too.

Enjoy.

A few print copies of Tales of the Splintered Realm arrived at my doorstep this morning! I will be reviewing it and setting up the discounted copy today, creating the codes, and contacting people who have purchased the pdf with a direct link for the $10 version. This book is gorgeous. I'm so happy with it.