MSG night 2 thoughts

Most importantly I would like to thank those who encouraged me to make the 9 hour drive to see the show. I wasn’t going to go because of the long drive, but thank you, thank you, thank you for everyone’s support in going!

I won’t go into details of the songs and such (with the exception of Still The One!) as you can find that on YouTube but other things that happened...

There were a lot less rainbows than what I was expecting. I guess everyone was decked out in rainbows the first night? (Including the rainbow lights project) However, I was wearing a bright pride shirt that apparently caught the attention of an usher. They came up and bluntly asked, “Is Harry gay?” They proceeded to tell me about a lot of people wearing ‘rainbow capes’ the night before and was curious. I was momentarily speechless trying to figure out how to provide a novels worth of information into a few sentences. I had also left my Larry scrapbook (that I don’t actually have) at home which was unfortunate. For those asking my response was, “He’s not out, but yes, I believe so. He’s very supportive of the community.” Something like that. From their reaction they seemed to ignore my allusive tag on of “I believe so” and took my response as a “Yes, he’s gay.” Their eyes lit up and a bright smile appeared on their face, followed by a slight look of annoyance towards the person who interrupted us for assistance. Lol. So that was amazing.

Moving on. Harry sounded wonderful (of course he did) and he is such an entertainer. He is so quick witted it’s amazing.  It was a pleasure watching it in person. You can watch most of it on YouTube.

So he sang Still The One. I’m still shook. I wasn’t on my phone but noticed I had received a text from the wonderful Susette saying he was about to sing it so get my camera ready! I don’t know what was going on on Tumblr but I didn’t realize it until he started talking about it. So yeah, there was that. I personally wasn’t prepared for the change in setlist and lost my shit. I will never be over it.

I haven’t seen it on Tumblr so it’s worth mentioning about when Kacey was walking back onto the stage. She was flaunting and modeling that dress like no other…. making sure no could question that it was an intentional rainbow. And then the lyric change! My eyes were sweating for a few moments.

I am in agreement with @alwaysxyou that Louis was there in a VIP box for part of the show. You can find their post here. The only thing I have are additional observations to go along with their post so no need to ask for anything else. In the post it says the person (i.e. Louis) came in mid show. My immediate thought for agreeing is the way that an usher made me stop recording on my camera about that time. They said I could only use my phone to record and take pictures (which obviously doesn’t have the zoom and quality capability as my camera) Why mid show? If they didn’t want me using a camera they should have told me at the beginning of the show! So that pissed me off. I’ve never had that happen before, 1D or otherwise. I’ve also never been told I couldn’t use my camera period. When they saw I was trying to pull it out again, I got an immediate warning and the usher stood behind me the rest of the show. It was also about this time I noticed security going around on the floor with flashlights signaling people out. People with cameras? So thank you to those who were able to record the entire show! Also. that specific VIP box is under a banner reading 1927-1928. Being under the 28 I’m sure is a complete coincidence. And  the obvious change in setlist! Harry knows that we know what Still The One is in correlation with. And he chose to sing it for the first time that night???? Another coincidence? So, yeah. I also believe Louis was there.

This got really long so I’ll stop. Thank you again for all of the wonderful people that encouraged me to go! I am forever in your debt.

Now we’re onto the second movie, Mobile Suit Gundam II: Soldiers of Sorrow. If you’ve just joined us, I’m liveblogging the Mobile Suit Gundam film trilogy as the first (well, technically second) stop in Mecharama—my massive binge of mecha anime. Go to the Mobile Suit Gundam link (or the Mecharama link) in my “Liveblogs” tab to read it from the start.

Before I continue, let’s get this out of the way.

Do not send me spoilers.

Spoilers are anything that comes up in the future of the thing I’m liveblogging. Pointing out foreshadowing is a spoiler. Saying ‘ooh, you said [thing] and that makes me laugh because I know something you don’t’ or asking leading questions is a spoiler. Telling me what will happen is DEFINITELY a spoiler. Yes, even if I asked, chances are the question is rhetorical. Use your better judgement, don’t be a dick.

(四月一日さんのツイート: "fate apocryphaのモーさん観たら描きたくなったのでPCを起動したわ！！！なんだあの子！！クソ可愛いな！おい！！！ 猫とじゃれるってモーさん…！君って子は！！ https://t.co/LdsuMwzpik"から)

sleepover aftermath

MOZ: your floor is satisfactory campground

Art MSG02 : https://www.pixiv.net/member_illust.php?mode=medium&illust_id=56035357

MSG02 | ヒロインXの学園物語やればｗ？ 常にエクスカリバー出してそうな二人！

Petya Ransomware Spreading Via EternalBlue Exploit

On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to Petya ransomware. Based on initial information, this variant of the Petya ransomware may be spreading via the EternalBlue exploit used in the WannaCry attack from last month.

Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: "On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!"

Our initial analysis of the artifacts and network traffic at victim networks indicate that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally along with WMI commands, MimiKatz, and PSExec to propagate other systems. Analysis of the artifacts associated with this campaign is still ongoing and we will update this blog as new information come available. 

FireEye has confirmed the following two samples related to this attack:

71b6a493388e7d0b40c83ce903bc6b04

e285b6ce047015943e685e6638bd837e

FireEye has mobilized a Community Protection Event and is continuing to investigate these reports and the threat activity involved in these disruptive incidents. FireEye as a Service (FaaS) is actively engaged in monitoring customer environments.

While FireEye detection leverages behavioral analysis of malicious techniques, our team has created a YARA rule to assist organizations in retroactively searching their environments for this malware, as well as detecting future activity. Our team has focused on the malicious attacker techniques that are core to the operation of the malware: SMB drive usage, ransom demand language, the underlying functions and APIs, and the system utilities used for lateral movement. The thresholds can be modified in the condition section that follows.

rule FE_CPE_MS17_010_RANSOMWARE { meta:version="1.1"       //filetype="PE"       author="[email protected] @TekDefense, [email protected] @ItsReallyNick"       date="2017-06-27"       description="Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec" strings:       // DRIVE USAGE       $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide       $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide       $dmap03 = "\\\\.\\C:" nocase ascii wide       $dmap04 = "TERMSRV" nocase ascii wide       $dmap05 = "\\admin$" nocase ascii wide       $dmap06 = "GetLogicalDrives" nocase ascii wide       $dmap07 = "GetDriveTypeW" nocase ascii wide

      // RANSOMNOTE       $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide       $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide       $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide       $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide       $msg05 = "your important files are encrypted" ascii wide       $msg06 = "Your personal installation key" nocase ascii wide       $msg07 = "worth of Bitcoin to following address" nocase ascii wide       $msg08 = "CHKDSK is repairing sector" nocase ascii wide       $msg09 = "Repairing file system on " nocase ascii wide       $msg10 = "Bitcoin wallet ID" nocase ascii wide       $msg11 = "[email protected]" nocase ascii wide       $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide       $msg_pcre = /(en|de)crypt(ion|ed\.)/     

      // FUNCTIONALITY, APIS       $functions01 = "need dictionary" nocase ascii wide       $functions02 = "comspec" nocase ascii wide       $functions03 = "OpenProcessToken" nocase ascii wide       $functions04 = "CloseHandle" nocase ascii wide       $functions05 = "EnterCriticalSection" nocase ascii wide       $functions06 = "ExitProcess" nocase ascii wide       $functions07 = "GetCurrentProcess" nocase ascii wide       $functions08 = "GetProcAddress" nocase ascii wide       $functions09 = "LeaveCriticalSection" nocase ascii wide       $functions10 = "MultiByteToWideChar" nocase ascii wide       $functions11 = "WideCharToMultiByte" nocase ascii wide       $functions12 = "WriteFile" nocase ascii wide       $functions13 = "CoTaskMemFree" nocase ascii wide       $functions14 = "NamedPipe" nocase ascii wide       $functions15 = "Sleep" nocase ascii wide // imported, not in strings     

      // COMMANDS       //  -- Clearing event logs & USNJrnl       $cmd01 = "wevtutil cl Setup" ascii wide nocase       $cmd02 = "wevtutil cl System" ascii wide nocase       $cmd03 = "wevtutil cl Security" ascii wide nocase       $cmd04 = "wevtutil cl Application" ascii wide nocase       $cmd05 = "fsutil usn deletejournal" ascii wide nocase       // -- Scheduled task       $cmd06 = "schtasks " nocase ascii wide       $cmd07 = "/Create /SC " nocase ascii wide       $cmd08 = " /TN " nocase ascii wide       $cmd09 = "at %02d:%02d %ws" nocase ascii wide       $cmd10 = "shutdown.exe /r /f" nocase ascii wide       // -- Sysinternals/PsExec and WMIC       $cmd11 = "-accepteula -s" nocase ascii wide       $cmd12 = "wmic"       $cmd13 = "/node:" nocase ascii wide       $cmd14 = "process call create" nocase ascii wide

condition:       // (uint16(0) == 0x5A4D)       3 of ($dmap*)       and 2 of ($msg*)       and 9 of ($functions*)       and 7 of ($cmd*) }         

FireEye has read reports that the malware is spread by an email lure containing a malicious Office document attachment or links to infected documents exploiting CVE-2017-0199. We are confident that this document is unrelated to the current outbreak of activity, and we have seen no other indicators that CVE-2017-0199 is related. While FireEye detects these campaigns, we have not observed any correlation with known victims of the Petya attacks.

Implications

This activity highlights the importance of organizations securing their systems against the EternalBlue exploit and ransomware infections. Microsoft has provided a guide for securing Windows systems against the EternalBlue exploit in the context of the WannaCry ransomware. A robust back-up strategy, network segmentation and air gapping where appropriate, and other defenses against ransomware can help organizations defend against ransomware distribution operations and quickly remediate infections.

from Petya Ransomware Spreading Via EternalBlue Exploit

An usher just asked me if Harry is gay. She was wondering after seeing everyone with rainbows. 🌈❤️

Sing Shania Twain at Madison Square Garden ✅

My finger slipped... I accidentally bought a ticket for tomorrow night’s show.

And we’re in!

Rockin our to some Shania Twain!!!

😑

Let me see what spring is like on Jupiter and Mars...

The third and final movie has a lot to live up to. We’ve got the Zeon target and Char, while we’ve seen barely any of the royal family in this movie. 

Given that the third movie’s nearly a whole point higher than the first... I’d say we’re in for a ride.

This is really looking like psychic powers here, not just intuition.

I really didn’t think this guy would get a character arc.