Little Pig, Little Pig! Let Me Admin! (Security Thread)

Grath
Posts: 2387
Joined: Mon Jan 20, 2014 7:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Tue Nov 28, 2017 7:13 pm

Looks like the problem is that High Sierra just shipped with a root account with no password because setting the root password fixes the issue.

Caithness
Posts: 940
Joined: Mon Jan 20, 2014 6:45 pm
Location: Mint is a vegetable, right?

Postby Caithness » Tue Nov 28, 2017 7:51 pm

Thanks for that, Grath. I think I'm still going to attempt my long-delayed install of Windows 10 on this MacBook Pro tonight, though.

Rico
Posts: 548
Joined: Tue Jan 21, 2014 2:29 am

Postby Rico » Thu Jan 04, 2018 6:01 am

If you've got an Intel chip, be sure to update as soon as possible, a huge bug lets regular programs access kernel memory space.

Thad
Posts: 13168
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Postby Thad » Thu Jan 04, 2018 10:17 am

As it turns out, there are two huge memory-access bugs, Meltdown and Spectre. Meltdown is the one that's been confirmed on Intel chips but not yet known to affect any other processors; Spectre affects Intel, AMD, and ARM. Both are critically serious -- "JavaScript can read your passwords" serious.

The security patches have some potentially huge performance impacts, mostly on file R/W operations. (Servers are going to be affected in a big way, but you shouldn't notice a significant impact on gaming performance.)

It's possible that these bugs have existed for decades, it's unknown whether they've ever been exploited, and if they have, there wouldn't be any evidence in any logs. So yeah you're gonna wanna update your shit, whether said shit is Linux, Windows, MacOS, iOS, Android, BSD, or whatever.
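As an added example (not part of any post in this thread), here is the shape of the Spectre variant 1 "bounds-check bypass" gadget Thad is describing, next to the branchless index-mask hardening that the Linux kernel uses for it (array_index_mask_nospec in include/linux/nospec.h). The table, indices and function names are constructed for illustration. The code shows only the architectural behaviour: an out-of-range index never returns data either way, and the transient leak itself would need a cache-timing measurement that is not included here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Constructed sample data: a small table the caller is allowed to index. */
static const uint8_t public_table[8] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Classic Spectre v1 gadget. Architecturally it is correct: an out-of-range
 * idx never returns table data. But the branch predictor can speculatively
 * take the in-range path for an attacker-chosen idx, load memory well past
 * the table (wherever a secret happens to live in the process), and leave a
 * cache footprint that a timing side channel then recovers. */
uint8_t lookup_vulnerable(size_t idx)
{
    if (idx < sizeof public_table)
        return public_table[idx];
    return 0;
}

/* Branchless index mask, the same construction as the kernel's
 * array_index_mask_nospec(): all-ones when idx < size, zero otherwise.
 * With no branch there is nothing for the predictor to mis-speculate. */
unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* If idx < size, both idx and (size - 1 - idx) have the top bit clear,
     * so the OR is non-negative, ~ makes it negative, and an arithmetic
     * right shift by BITS_PER_LONG-1 yields all ones. If idx >= size the
     * subtraction wraps and sets the top bit, and the result is zero.
     * (Relies on arithmetic shift of a negative long, as gcc/clang do.) */
    return ~(long)(idx | (size - 1UL - idx)) >> (BITS_PER_LONG - 1);
}

/* Hardened gadget: clamp the index with the mask inside the taken path, so
 * even a mis-predicted branch can only ever load public_table[0]. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < sizeof public_table) {
        idx &= index_mask_nospec(idx, sizeof public_table);
        return public_table[idx];
    }
    return 0;
}

int main(void)
{
    printf("in-range idx=3:      vulnerable=%u hardened=%u\n",
           lookup_vulnerable(3), lookup_hardened(3));
    printf("out-of-range idx=12: vulnerable=%u hardened=%u\n",
           lookup_vulnerable(12), lookup_hardened(12));
    printf("mask(3, 8)=0x%lx mask(12, 8)=0x%lx\n",
           index_mask_nospec(3, 8), index_mask_nospec(12, 8));
    return 0;
}
```

Build with `cc -O2`; the two lookups return identical values for every input, which is exactly why the bug is invisible to ordinary testing. The mask only addresses variant 1 in code you control; the Meltdown and Spectre variant 2 mitigations (kernel page-table isolation, retpolines, microcode) come from the OS and firmware updates the post is telling you to install.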

Thad
Posts: 13168
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Postby Thad » Sun Jan 28, 2018 1:17 pm


Thad
Posts: 13168
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Postby Thad » Sun Mar 18, 2018 10:36 pm

Thad wrote:And there's not really any good alternative. AMD and ARM chips don't use IME, but they've got similar coprocessors with similar proprietary firmware and similar vulnerabilities.

To wit: AMDFLAWS is a list of 9 vulnerabilities affecting AMD's "secure" coprocessor.

This isn't Meltdown/Spectre level; in fact, every one of these vulnerabilities requires that the attacker already have some kind of administrative access to the machine. The article notes that the disclosure by Israeli security research firm CTS-Labs is sensationalistic and potentially shady.

Cory Doctorow wrote:Now, with that all said, there are some very important caveats, which are summed up well in this thread by security researcher Arrigo Triulzi and its replies.

Triulzi points out that the CTS-Labs paper is very short on technical details. Moreover, CTS-Labs' claimed defects are presented as grave in and of themselves, even though they can only be effected by attackers who are already in a position to control the user's system. For example, the MASTERKEY attack requires that the user install an untrusted BIOS update; there are many ways that such an update could allow an attacker to control the user's system, making the MASTERKEY attack somewhat redundant. The RYZENFALL attack requires that unauthorized code be loaded into the secure coprocessor; FALLOUT requires that the attacker gain control over the vendor's signing keys. Any computer that is vulnerable to these attacks is also vulnerable to much better-understood attacks and is by definition insecure, so Triulzi asserts that CTS-Labs is making a lot out of nothing.

I quibble with this: sneaking malicious code into the secure coprocessor is indeed a high barrier for attackers to hurdle -- but the nature of secure computing also makes such an attack particularly grave, in a way that mere physical control and root access to a system without such a coprocessor doesn't approach. The secure copro is designed to resist inspection and alteration (to prevent attackers), and this means that defenders are effectively helpless against such an attack.

But Triulzi's other points are well-made. The CTS-Labs paper makes a bunch of irrelevant references to aerospace, the FTC, and self-driving cars that seem calculated to discredit AMD; it also includes a disclaimer that reveals that a fall in AMD share-prices could benefit CTS-Labs and/or its personnel.


tl;dr CTS-Labs is probably exaggerating the threat of these vulnerabilities, but, like I was saying earlier, coprocessors running proprietary code are inherently insecure. Even if these vulnerabilities aren't as bad as the research firm is making them out to be, we can expect a lot more stories about coprocessor exploits in the years to come.

Mongrel
Posts: 21290
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Postby Mongrel » Sun Mar 18, 2018 11:18 pm


Mongrel
Posts: 21290
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Postby Mongrel » Mon Mar 19, 2018 5:00 pm

So it looks like this Cambridge Analytica & Facebook leak is going to have some big effect, not the least of which is EU regulation of social media (which was already under consideration, but may grow significantly harsher and be implemented much quicker now).

Also, CA has been revealed to have high-level ties to Russia (this is my surprised face).

Annnd finally, a breaking story coming out of the UK tonight: Executives from Cambridge Analytica boasted that they could entrap politicians with Ukrainian sex workers, offer bribes to public officials, and use former spies to dig dirt on political opponents. (Vice article, in anticipation of a Channel 4 broadcast coming out tonight in the UK)

Mongrel
Posts: 21290
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Postby Mongrel » Mon Mar 19, 2018 5:05 pm

Oh and in TOTALLY UNRELATED news, Facebook lost $36 Billion in share price today.

Mongrel
Posts: 21290
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Postby Mongrel » Fri May 25, 2018 2:04 pm

Alexa secretly records and transmits conversation to a random contact

A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon's Alexa -- the voice-controlled smart speaker -- and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.

"My husband and I would joke and say I'd bet these devices are listening to what we're saying," said Danielle, who did not want us to use her last name.

Every room in her family home was wired with the Amazon devices to control her home's heat, lights and security system.

But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. "'You're being hacked.'"

That person was one of her husband's employees, calling from Seattle.

"We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house," she said. "At first, my husband was, like, 'no you didn't!' And the (recipient of the message) said 'You sat there talking about hardwood floors.' And we said, 'oh gosh, you really did hear us.'"

Danielle listened to the conversation when it was sent back to her, and she couldn't believe someone 176 miles away heard it too.

Friday
Posts: 6265
Joined: Mon Jan 20, 2014 7:40 pm
Location: Karma: -65373

Postby Friday » Fri May 25, 2018 4:44 pm

"Family shocked that thing they have been joking about which is true turned out to be true"

beatbandito
Posts: 4300
Joined: Tue Jan 21, 2014 8:04 am

Postby beatbandito » Fri May 25, 2018 6:37 pm

I don't get...

I mean, okay, sending the recordings to someone else is one thing. But why were they "joking" that it listens to everything they say? They know how voice commands work, right? It really worries me that people have their houses this wired with technology they don't even understand the fundamentals behind.

Friday
Posts: 6265
Joined: Mon Jan 20, 2014 7:40 pm
Location: Karma: -65373

Postby Friday » Fri May 25, 2018 8:37 pm

No no, Alexa doesn't listen to you until you say "Alexa". Then it listens to you.

But up until you say "Alexa" it can't hear anything you're saying.

But once you say "Alexa" and it hears you say "Alexa", then it can hear what you're saying.

beatbandito
Posts: 4300
Joined: Tue Jan 21, 2014 8:04 am

Postby beatbandito » Fri May 25, 2018 9:46 pm

after activating Alexa it will go back and listen to the last thirty seconds and hear you planting the drugs

Blossom
Posts: 2297
Joined: Mon Jan 20, 2014 8:58 pm

Postby Blossom » Sat May 26, 2018 1:03 am

Friday wrote:No no, Alexa doesn't listen to you until you say "Alexa". Then it listens to you.

But up until you say "Alexa" it can't hear anything you're saying.

But once you say "Alexa" and it hears you say "Alexa", then it can hear what you're saying.


That's the claim, anyway.

mharr
Posts: 1583
Joined: Tue Sep 27, 2016 11:54 am
Location: UK

Postby mharr » Mon May 28, 2018 1:27 am

"Things we are merrily fucking with while not even understanding the fundamentals behind" is my working definition of the word 'technology'. We stop calling things that once we generally grok the basics. They get promoted to being 'plumbing', 'furniture' or whatever.

Yoji
Posts: 1440
Joined: Mon Apr 04, 2016 4:12 pm
Location: Screamtown

Postby Yoji » Tue May 29, 2018 2:13 pm

Not sure if this is the right thread, but... Any other Yahoo users here? Because I opened my mail the other day and got hit with a new privacy statement that pretty much said "We're gonna snoop your email so we can advertise at you better. That's cool, right? It fuckin' better be."

It's really upsetting for some reason. I mean, I figured all our mail has been scanned for years now, but to just out and say it...

beatbandito
Posts: 4300
Joined: Tue Jan 21, 2014 8:04 am

Postby beatbandito » Tue May 29, 2018 2:25 pm

As far as I understand, all these updated privacy statement roads lead back to GDPR. For all data that enters or leaves the EU (so all data, basically) the user needs to be aware of what information is being recorded and for what purposes.

It's pretty similar to how early smartphone apps would kinda have full access to change your phone or none, and now (on Android at least) every app needs to tell you what it can control. Which is why Flappy Bird needs full access to your calls and contacts... so that it can pause if you get a call while playing.

Ultimately it's still the same things you agreed to when you checked a box or hit 'next' and skipped the terms and conditions. Europe turned on the light so you can see the monster, instead of pulling up the sheets and hoping for the best.

nosimpleway
Posts: 4515
Joined: Mon Jan 20, 2014 7:31 pm

Postby nosimpleway » Tue May 29, 2018 3:03 pm

Yeah, the new privacy policies are just "We're gonna keep doing all the things we've been doing", the only new item being "...which are:"

Thad
Posts: 13168
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Postby Thad » Tue Oct 16, 2018 12:56 am

Epson follows HP's lead, pushes "security update" that disables third-party ink cartridges.

I've already been over what a catastrophically bad idea this is, when HP did it.

And I'm not even talking about the DRM. My opinion on whether or not it is okay for a vendor to restrict the way in which you're allowed to use your legally-purchased hardware is well-known and you can take it as read.

This is, somehow, even worse than that. Because it teaches people not to trust security updates.
