permissions – Cannot use the special principal ‘dbo’ when addressing SQLMI risk VA2108

We’ve just set up a new SQL Managed Instance on Azure, and have restored a database to it for testing. After running an initial Azure Vulnerability Assessment, the results include this:

VA2108 – Minimal set of principals should be members of fixed high impact database roles

Fixed database roles may have administrative permissions on the system. Following the principle of least privilege, it is important to minimize membership in fixed database roles and keep a baseline of these memberships.

Remediation – Remove members who should not have access to the database role

ALTER ROLE (db_owner) DROP MEMBER (dbo)

I don’t want to ignore this if it’s a real concern, but am worried about inadvertently damaging something due to a lack of experience. There are many web sites showing how to ‘fix’ the error, but each is based on its own scenario.

Within SQLMI we have the following logins:

  1. SqlMiAdmin (the Azure-created user account that owns the instance)
  2. DbUser1 – See below

Within the database itself we have the following users:

  1. DbUser1 – Mapped to the above login for CRUD operations via stored procedures only
  2. dbo – not used (directly, AFAIK)

The owner of the database (in Properties) is shown as SqlMiAdmin. Any schema changes and database updates are performed by me using SqlMiAdmin.

I’m unsure about how to tackle VA2108 and the implications of doing so. If the dbo user isn’t used in the database then I figured I’d try following the Azure recommendation, but it fails:

ALTER ROLE (db_owner) DROP MEMBER (dbo) 
-- Cannot use the special principal 'dbo'.

Can anyone please recommend an appropriate course of action?

soft fork – Is there network split risk for Taproot activation with two releases (Bitcoin Core and Bitcoin Taproot)?

Every soft fork or consensus change involves a (very small) non-zero risk of a network split. That risk is considerably lower for a soft fork than say a hard fork (where all nodes need to upgrade). That’s why soft forks aren’t attempted every month or year. All you can do is minimize that risk.

Aaron lays out some scenarios that are theoretically possible. Any incompatibility between “Bitcoin Core” and “Bitcoin Taproot” during the Speedy Trial deployment is in my view highly unlikely. If Speedy Trial fails to activate and we reach November 2022 (please note 2022 not 2021) without miners activating then we are in a similar scenario to the UASF in 2017 where it depends on what the economic majority is running. I can’t predict what the economic majority would be running in November 2022 but I highly suspect the delaying of Taproot activation would be at the top of everyone’s minds.

You do have to weigh up these risks of a network split with miners deliberately blocking Taproot activation potentially forever. If we were to say no more UASFs ever again because we don’t want to take any network split risk that would be handing miners a permanent veto to block the activations of soft forks that have community consensus. So you have to weigh up the risk of the latter which would be just as concerning (if not more concerning) to people.

So in summary these are subtle trade-offs. A number of developers have worked hard to minimize the risk of a network split. But it doesn’t get to zero unless you literally never try a soft fork again. And that would mean that Bitcoin would never seriously improve again.

tls – ubuntu sources.list urls are not HTTPS — what risk does this present, if any?

I was looking at the installation instructions for VS Code today and found this step curious:

sudo apt install apt-transport-https

I see that there appears to be https transport available for apt:

$ ls -1 /usr/lib/apt/methods
cdrom
copy
file
ftp
gpgv
http
https
mirror
mirror+copy
mirror+file
mirror+ftp
mirror+http
mirror+https
rred
rsh
ssh
store

This made me curious about why Microsoft would have one install that package, so I did some searching and ran across this article from Cloudflare which points out that even fairly recent versions of Debian require additional steps to secure apt.

I was quite surprised to see that all of the URLs in my sources.list are NOT https. My machine is running Ubuntu 20.04, upgraded from Ubuntu 18.04:

$ grep http /etc/apt/sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ focal universe
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ focal multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
# deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu focal partner
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu focal-security multiverse

This seems less than ideal. It occurs to me that https can be more finicky and any failures might impede critical software updates, but this also seems painfully out of date from a security perspective. On the other hand, the information being transferred is open source software, so there isn’t really any risk if someone snoops the packets in transit — it’s not sensitive information, is it?

Still, I’m wondering if there is risk in this. Is the HTTP protocol vulnerable to packet injection in transit? Can anyone lay out what risks there might be in using insecure HTTP traffic for apt?
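As an added example (not part of the question above, and not an Ubuntu or apt tool), the POSIX shell script below audits a sources.list-style file for entries fetched over plain http and previews an https rewrite. The sample file is constructed to mirror the layout shown in the question; the hosts `mirror.example.net` and `example.org` are placeholders. It assumes that `archive.ubuntu.com` (including its two-letter country mirrors) and `security.ubuntu.com` serve HTTPS; any other mirror is left untouched, because pointing apt at a host that does not answer on 443 blocks updates entirely. One caveat worth keeping in mind while reading it: apt checks the GPG signature on the repository's InRelease/Release file whatever the transport, so plain HTTP mainly exposes which packages a machine fetches and leaves the transport open to tampering that the signature check then has to catch; switching to HTTPS is defence in depth, not a replacement for that check.

```shell
#!/bin/sh
# Added example (not from the post): audit a sources.list-style file for
# entries fetched over plain http and preview an https rewrite.
# Assumption: archive.ubuntu.com, its country mirrors (xx.archive.ubuntu.com)
# and security.ubuntu.com serve HTTPS. Verify any other mirror before
# rewriting it, since an unreachable mirror blocks updates.

# Print every active deb/deb-src line whose URI scheme is http://
# (commented-out lines and https:// lines are ignored; an [options] block
# between "deb" and the URI is allowed).
audit_apt_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$1"
}

# Number of such lines, as a bare integer.
count_plain_http() {
    audit_apt_sources "$1" | wc -l | tr -d ' '
}

# Same file with http:// -> https:// for the assumed-HTTPS hosts only.
suggest_https() {
    sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+)http://(([a-z]{2}\.)?archive\.ubuntu\.com|security\.ubuntu\.com)/#\1https://\3/#' "$1"
}

# Constructed sample mirroring the layout of the sources.list in the post.
SAMPLE_SOURCES=$(mktemp)
cat > "$SAMPLE_SOURCES" <<'EOF'
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb [arch=amd64] http://mirror.example.net/ubuntu focal main
deb https://example.org/repo stable main
# deb http://archive.canonical.com/ubuntu focal partner
EOF

echo "plain-http entries: $(count_plain_http "$SAMPLE_SOURCES")"
suggest_https "$SAMPLE_SOURCES"
```

Run it as `sh audit.sh`; on the sample it reports three plain-http entries and rewrites only the two Ubuntu hosts, leaving the third-party mirror for manual review. To apply it to a real machine, review the output of `suggest_https /etc/apt/sources.list` and copy it into place only after confirming the https method is available, which the `/usr/lib/apt/methods` listing in the question already shows for Ubuntu 20.04.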

Is there any risk of my pc getting hacked by sharing a game save file?

What I mean is, suppose I wanted to share a game save file from the PPSSPP emulator on my PC. Is there any risk that a hacker might be able to use something from that file to hack my PC? I mean, the file was generated by my PC after all. Thanks

security – Is it a risk to store / load un-encrypted sensitive data in Map<> – Android Enthusiasts Stack Exchange

network – Risk of system getting hacked through the internet or Wi-fi?

I am not a high-profile person or anything like that. I just dislike the idea that someone with bad intentions could access my personal files, documents, photos etc. (personal diary, baby pictures of my children etc.)
I am not worried about anyone getting a look at my internet traffic / man-in-the-middle attacks etc. I am only concerned that someone with bad intentions could access my personal files.

I assume that it is not impossible to “hack” my system and get access to my files, but “how hard” would it be for someone committed to the task?

Is the only way to access my files if they have planted malware on my system?

Or if they accessed screen share?

My question concerns both:

If the person accessed / hacked my wi-fi / home network

Or

Only through the internet

Settings:

Microsoft Windows 10 Home

Windows login password protected

Windows Defender firewall

No file or folder sharing enabled

Network discovery is turned off

File and printer sharing is turned off

AVG registers threats in real-time

All software drivers etc. fully updated

Wi-fi is password protected

Network / Wi-fi profile: Private

Router security WPA2-Personal

I become uneasy when I read posts like these, which make it sound “easy”:

https://www.quora.com/Can-a-hacker-control-my-computer-through-Wi-Fi-connection-only/answer/Aaron-Shbeeb

https://www.quora.com/How-do-I-hack-a-computer-on-same-network/answer/Harshit-Dangwal

Please let me know if I should add more info concerning the above.

Thanks in advance for replying

Best regards

What are the risk quantification methods you have used for Cyber security project benefit realisation

As a consultant, I have now seen FTSE companies with millions in budget being poured into cyber security programmes. Almost all the projects within the portfolio do have a clear justification in terms of the risk mitigated. However, there is often no benefit realisation plan and there is no way to measure the success of the projects as they go. My question is: how do you define metrics, and what sort of risk quantification methods have you used in cyber security? Is there another way?

Thanks.

internal storage – What’s the best way to move files from SD card without the risk of losing any files?

For a regular fuse/FAT file system type, there is no need to preserve file permissions, just copy all files as usual. You can check the file system type by typing mount in the terminal emulator. You will see something like this example:

/mnt/media_rw/149B-8301 type vfat
/storage/149B-8301 type fuse

149B-8301 is the UUID of the SD card and it shows that the file system is vfat.

To copy files regularly, run the following:

adb pull -a /storage/149B-8301 ~

advanced copy (tarball archive)

adb exec-out "tar -c storage/149B-8301 | gzip" > ~/sdcard_backup.tar.gz

copy from PC MicroSD Card Reader

cd /media/xubuntu
tar -czf ~/sdcard_backup.tar.gz 149B-8301

Note: replace ~ with the path to a target disk drive that has enough free disk space on the PC
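The steps above produce a tarball but never check it, and the question is about not losing files. As an added example (not part of the answer above), the POSIX shell script below archives a directory the same way and then verifies the archive by extracting it to a scratch directory and comparing a per-file SHA-256 manifest against the source, so the originals are only deleted once every file has round-tripped. It assumes a tar that supports -z and a `sha256sum` or `shasum` binary on the PC; it runs against a pulled tree or a card mounted in a PC reader and does not need adb. The sample directory it builds is constructed, standing in for /storage/149B-8301.

```shell
#!/bin/sh
# Added example (not from the answer above): archive a directory and verify
# the archive before deleting the originals. Assumptions: tar with -z, and
# sha256sum (or shasum -a 256) on PATH. Run it against the pulled tree or
# the card mounted in a PC reader; it does not need adb.

# SHA-256 of one file, "hash  path" format on both GNU and BSD userlands.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Number of regular files below DIR.
count_regular_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Write a sorted "hash  ./relative/path" manifest of DIR to OUT.
make_checksums() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# create_archive DIR ARCHIVE: tar+gzip the contents of DIR, with paths
# relative to DIR so the archive restores anywhere.
create_archive() {
    tar -C "$1" -czf "$2" .
}

# verify_archive DIR ARCHIVE: extract ARCHIVE to a scratch dir and compare
# its manifest with DIR's. Returns 0 only if every file round-trips byte
# for byte and nothing is missing or extra.
verify_archive() {
    src=$1; archive=$2
    scratch=$(mktemp -d) || return 1
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        rm -rf "$scratch"; return 1
    fi
    make_checksums "$src" "$scratch.src.sha"
    make_checksums "$scratch" "$scratch.dst.sha"
    if cmp -s "$scratch.src.sha" "$scratch.dst.sha"; then ok=0; else ok=1; fi
    rm -rf "$scratch" "$scratch.src.sha" "$scratch.dst.sha"
    return $ok
}

# backup_and_verify DIR ARCHIVE: both steps. Only delete DIR's contents
# after this returns 0.
backup_and_verify() {
    create_archive "$1" "$2" && verify_archive "$1" "$2"
}

# Constructed sample standing in for /storage/149B-8301 (a nested
# directory and a file name with a space, both common on SD cards).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/DCIM/Camera" "$SAMPLE_DIR/Music"
printf 'photo bytes\n' > "$SAMPLE_DIR/DCIM/Camera/IMG_0001.jpg"
printf 'song bytes\n'  > "$SAMPLE_DIR/Music/track one.mp3"
printf 'notes\n'       > "$SAMPLE_DIR/notes.txt"
SAMPLE_ARCHIVE="$SAMPLE_DIR.tar.gz"

if backup_and_verify "$SAMPLE_DIR" "$SAMPLE_ARCHIVE"; then
    echo "verified $(count_regular_files "$SAMPLE_DIR") files in $SAMPLE_ARCHIVE"
else
    echo "verification FAILED; keep the originals" >&2
fi
```

For a real card, replace the sample block with `backup_and_verify /media/xubuntu/149B-8301 ~/sdcard_backup.tar.gz` (or the directory produced by `adb pull`). A truncated or corrupted archive, or a file added to the card after the archive was made, makes `verify_archive` return non-zero, which is the signal not to wipe the card yet.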

wifi – Security risk by using private keyboard in work computer

As many others, I am currently working from home as my company has recommended this due to Covid-19. When reading through our policy, it is clearly stated that I am not allowed to plug any USB device into my work laptop. This includes mouse and keyboard. The only things I’m allowed to do are plug in an HDMI device and connect to my private WiFi, i.e. I cannot use my existing desk setup with my existing keyboard/mouse and have to use the (somewhat crappy) keyboard and mouse provided by my employer. The employer buys their mice and keyboards from regular stores and does nothing in particular to make sure that they are safe.

On top of this, the keyboard and mouse provided by my employer are not allowed to be plugged into my private computer. So I need to keep two keyboards and two mice on my rather small desk…

I do perfectly understand that plugging in an “unknown” (to the company) USB device can pose a potential security risk, but to me it feels like a very, very low risk. The risk that I see is if someone has tampered with my keyboard/mouse, or if it has been bought at a very shady place.

Am I wrong here (stating that using a private USB keyboard does not pose any real risk), or can I argue with my employer that we should be allowed to use private keyboards/mice? To me, connecting to a private WiFi poses a much greater risk (it’s a non-IT company, so my guess is that the security of people’s WiFi is not very strong). My keyboard isn’t even USB, it’s PS/2 and I use a PS/2 to USB adapter (but then again, that device could have been tampered with).
