Little Pig, Little Pig! Let Me Admin! (Security Thread)
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Pretty sure that wouldn't work on me, mainly because my gmail (well actually Inbox...) tabs are always the left two tabs in my browser.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Stross discusses, among other things, malware propagation through USB chargers (and the new MacBook, which charges via USB).
There's some hideous malware out there; basically most modern buses (USB, Firewire, Thunderbolt, I'm looking at you all) require an embedded microcontroller at each end of the connection to a peripheral, and it's possible to suborn this microcontroller and permanently infest a piece of hardware. If your laptop can only charge over USB — or your phone, for that matter — you might want to think twice before using a USB device or charger that you don't trust: what to do? Well, you might want to carry a USB condom with you — current delivery is negotiated over a couple of pins, but the job of a condom is to block USB data transfer, hopefully blocking malware at the same time, if you have to use an untrusted charger.
[...]
It's not un-reasonable to trust high power USB chargers by companies with a reputation on the line because their brand identity is their biggest asset in differentiating them from the baying pack of cheap commodity vendors selling out of the back of Chinese factories, and won't willingly fuck themselves in the head — they might be rooted, but it won't be intentional. But I'd steer a very wide berth around cheap no-name USB chargers from now on; it's easy to see some of them being sold at cost or even at a loss, just to get the malware payload they carry into circulation ...
Oh, and this is a harbinger of the whole internet of things midden that's going to rain down on us over the next decade. You want a smart hotel room door lock that uses NFC to a card in your wallet to let you in without swiping a magstripe card through a reader? Well, sucker, how do you know the hotel door lock hasn't been pwned and isn't rifling through the NFC cards in your wallet at the same time? How do you know your electricity meter isn't helpfully telling anyone who asks it when you're away from home? (Come to think of it, didn't Spider Robinson write that novel back in 1982?)
Actually, if that sort of thing keeps you awake worrying at night, you shouldn't buy this laptop; you should buy one of these instead, and run this operating system on it, just to fuck with the script kiddies' heads. (And maybe stack a System 360 emulator with VM/CMS on top to ... no, that way lies madness.)
Those last two links are a rabbit-hole all their own. Oh man that Pi-Top looks like a lot of fun. Wildly impractical, but a lot of fun. As for RISC OS, wow, I had no idea that was even still a thing.
- Mongrel
- Posts: 21332
- Joined: Mon Jan 20, 2014 6:28 pm
- Location: There's winners and there's losers // And I'm south of that line
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Well, apologies for the Gawker link, but that's who's covering this at the moment: Do you work for the American federal government? Well, if so, your SSN has been compromised
- Mongrel
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Combining this vulnerability with the Local File Disclosure vulnerability above can result in unauthenticated remote code execution.
The restore feature on the "config backup" page extracts a .tar file encrypted with Blowfish using OpenSSL into the system's root directory (/) as root.
The .tar file must be encrypted with the static key /tmp/.charlie. Yes, that's the actual key - the software passes the wrong argument to OpenSSL. -K is used to pass the keyfile instead of -kfile, meaning that the key is the path of the keyfile rather than the contents of the keyfile.
This allows an attacker to upload a shell into the web root, or overwrite any sensitive system files such as /etc/shadow.
https://musalbas.com/2015/06/14/e-detec ... isory.html
Government surveillance backdoors definitely won't have any security vulnerabilities guys, don't worry!
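The advisory quoted above describes a restore routine that unpacks an attacker-supplied tar into / as root, so any member name can point at an arbitrary system file. The following is an added example (not code from the advisory, the thread, or the product it describes) showing the check a restore feature should make before extracting: every member, including link targets, must resolve inside the restore directory. The archives it inspects are constructed in memory for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build an in-memory tar from {name: bytes}. Constructed test data, not a real backup.
    TarInfo is used directly because it keeps names verbatim, including "../x" or "/x"."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(tar, dest):
    """Return names of members that would land outside `dest`, either because the
    member path escapes (absolute or '..' components) or because a link points out."""
    root = os.path.realpath(dest)

    def inside(path):
        return path == root or path.startswith(root + os.sep)

    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.isabs(m.name) or not inside(target):
            bad.append(m.name)
        elif m.issym():
            # Symlink targets are relative to the link's own directory.
            link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
            if not inside(link):
                bad.append(m.name)
        elif m.islnk():
            # Hard link targets are relative to the archive root.
            link = os.path.realpath(os.path.join(root, m.linkname))
            if not inside(link):
                bad.append(m.name)
    return bad


def flag_unsafe_names(names):
    """Convenience wrapper: which of these member names would the check reject?"""
    archive = build_tar({n: b"x" for n in names})
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
            return unsafe_members(tar, dest)


def safe_restore(tar_bytes, dest):
    """Extract only if every member stays under `dest`; return restored relative paths."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to restore, unsafe members: {bad}")
        tar.extractall(dest)
    restored = []
    for base, _dirs, files in os.walk(dest):
        for f in files:
            restored.append(os.path.relpath(os.path.join(base, f), dest))
    return sorted(restored)


def demo():
    """Run the check against a constructed benign and a constructed hostile archive.
    Returns (files restored from the benign archive, whether the hostile one was refused)."""
    benign = build_tar({"config/app.conf": b"listen=127.0.0.1\n"})
    hostile = build_tar({
        "config/app.conf": b"listen=0.0.0.0\n",
        "../../etc/shadow": b"(placeholder: would overwrite a system file)\n",
    })
    with tempfile.TemporaryDirectory() as dest:
        restored = safe_restore(benign, dest)
        try:
            safe_restore(hostile, dest)
            refused = False
        except ValueError:
            refused = True
    return restored, refused


if __name__ == "__main__":
    print(demo())
```

The point of checking before calling extractall, rather than catching errors afterwards, is that a partially applied restore is itself the damage: by the time a bad member is hit, earlier members have already been written as root. Running the restore as an unprivileged user into a staging directory, then copying known files into place, removes the remaining risk from the decryption step the advisory mentions.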
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
+ "Let's have the NSA centralize phone records, email records, and other potential dirt. What could go wrong?"
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Or consider whether you even need the damn thing anymore, and uninstall it if not. (YouTube uses HTML5; Netflix uses Silverlight. Hulu...I think Hulu still uses Flash.)
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Thad wrote: Or consider whether you even need the damn thing anymore, and uninstall it if not. (YouTube uses HTML5; Netflix uses Silverlight. Hulu...I think Hulu still uses Flash.)
Yeah, Hulu just complained that I don't have Flash. Also, Twitch, although for Twitch you should use livestreamer ( http://docs.livestreamer.io/ ) instead anyways because then it can stream through VLC and is overall better with a side benefit of no Twitch chat.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Oh yeah, also: Gifs in your Facebook news feed, those require Flash. I'm not sure how even, but they do.
- Mongrel
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
So the Ashley Madison data breach. It's something hilarious right now, but which will almost certainly take a pretty dark turn later. They've already started to release bits of data in a classic "We'll kill these hostages one by one until you accede to our demands" strategy, so I'm surprised there hasn't been any fallout from that as it is.
Wonder if it really will break the company, one way or another?
- Mongrel
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
You know how the narrative that the "internet of things" being hacked is extremely unlikely. Well, that may be true, but they're sure working on ways to make it un-true.
Welcome to your dystopian future, part 12!
I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.
The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
...
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
...
Pinpointing a vehicle belonging to a specific person isn’t easy. Miller and Valasek’s scans reveal random VINs, IP addresses, and GPS coordinates. Finding a particular victim’s vehicle out of thousands is unlikely through the slow and random probing of one Sprint-enabled phone. But enough phones scanning together, Miller says, could allow an individual to be found and targeted. Worse, he suggests, a skilled hacker could take over a group of Uconnect head units and use them to perform more scans—as with any collection of hijacked computers—worming from one dashboard to the next over Sprint’s network. The result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.
“For all the critics in 2013 who said our work didn’t count because we were plugged into the dashboard,” Valasek says, “well, now what?”
http://www.wired.com/2015/07/hackers-re ... ep-highway
It occurs to me that there is very much a group who would have the resources to find shit: Governments.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
So, uh. I've been meaning to mention the recently-discovered Stagefright vulnerability in 95% of Android devices that allows attackers to execute arbitrary code just by sending an MMS message (the recipient doesn't even have to open it).
Ron Amadeo at Ars has a new editorial up titled Waiting for Android’s inevitable security Armageddon, which discusses how the fragmentation of the Android OS makes this an insurmountable problem -- because while Google is going to patch it, there's no way vendors are going to push the patch to any but a handful of devices.
Their "fix" is going to be to patch 2.6 percent of all active Android devices. Tops. That's the percentage of Android devices that are running Android 5.1 today, nearly five months after the OS was released.
And 2.6 percent is a generous estimation for the top-end of "currently supported" Android devices in the wild. In reality, the number of devices getting a Stagefright patch will almost certainly be much lower.
Even assuming vendors put on the heat and do quickly fix all 2.6 percent of their Android 5.1-using supported install base, that still leaves 92.4 percent of Android devices worldwide vulnerable to Stagefright. (Remember, five percent of Android devices aren't vulnerable to Stagefright at all.) Android's layer-cake update strategy isn't even remotely appropriate for an OS that now has 24,000 individual active device models to address.
In a perfect world, the inability to update billions of potentially pwnable Android handsets would be enough to get Google, the OEMs, and the carriers to all sit down, set aside their branding guidelines and marketing department-enforced differences, and say, "We need to fix this." But we don't live in a perfect world. In the real world, carriers and OEMs want to keep their branding and customization hooks in Android so that they can advertise to customers with their own apps and interfaces. Neither appears to want to take responsibility for the unprofitable post-sale support of the millions of devices they create and sell.
At some point, a huge Blaster worm-style Android security armageddon seems inevitable—and that's what it's going to take to bring real, meaningful change. Stagefright is a big deal, and the Android ecosystem's reaction to it is literally 2.6/100ths of what it needs to be.
There's a sort-of-famous line from Infosec Taylor Swift:
And yeah, here we see what Google's done that's really subverted the strengths of the open-source development model: it's replaced vendors like Canonical, Debian, Red Hat, SUSE, et al that had an incentive (usually financial, sometimes just reputational or ethical) to maintain and support their software with regular security patches, and have a rapid deployment mechanism for critical bugfixes, with vendors like Samsung, LG, Motorola, et al whose primary incentive is to sell shiny hardware, whose secondary incentive is to sell additional software and services to its users, and who don't really prioritize security and aren't going to until after they hit the fucking iceberg.
We've seen some massive holes in open-source software recently -- Heartbleed is possibly the greatest security vulnerability in the history of computers, and that's not hyperbole -- but a patch was issued within a week and had been deployed to more than 40% of vulnerable servers within a month. Those aren't perfect numbers, obviously, but they're better than the best-case scenario for Stagefright by an order of magnitude.
Of course, Android users are qualitatively different from any other Android users. The people fixing Heartbleed were (mostly) IT professionals running servers. Whereas even a typical desktop Linux user is, by definition, more tech-savvy than the average computer user. (Still and all, given that SteamOS is derived from Ubuntu, I'm betting SteamOS users will get regular patches and updates that plug system vulnerabilities.)
Android is not a traditional Linux distribution, and its vendors are not at all comparable to the likes of Canonical, Red Hat, et al. As such, Amadeo argues -- and I'm inclined to agree -- that Google needs to take a role that's more like MS on the desktop.
A totally closed approach will never work for Android updates—Google can't put that genie back in the bottle—but to fix the current security nightmare, OEMs and carriers are going to have to accept a smaller level of access. Carriers should be limited, just as ISPs on a PC, to user-level applications. OEMs could also be limited to user-level apps and perhaps access to a comprehensive skinning system (like those that exist on many skins today), which should allow them to do the interface branding that they love without disturbing the underlying operating system.
Unlike MS, Google can't technically stop anyone from modifying their system, since it's open-source, but Google controls the trademarks and already requires vendors to meet certain standards to use the Android brand, include the Google Play Store, Google Hangouts, etc. I'm thinking that Google can tighten its existing requirements and force its resellers to adhere to restrictions like the ones Amadeo describes if they want to keep Google's license and brand rights. Though even if that's settled, it's still one hell of an uphill battle:
Hardware support is also a sticky area. Android lacks the low-level hardware abstraction of x86 and Windows, where hardware drivers can live separately from the OS. ARM and Android still work with an embedded OS model, where there are no generic device drivers, making supporting every piece of hardware for every update a custom job. Fixing this is a really hard problem, as it would probably require support from Linux and ARM.
Android OEMs need to be soundly disabused of the idea that a two-year device upgrade cycle fits how long normal people own smartphones. Open Signal's just-released 2015 Android Fragmentation Survey says the most popular Samsung device in use today is the Galaxy S III, a three-year-old device. Of the top-ten in-use Samsung devices in the survey, six are older than two years old, and two are non-flagships that launched with an old OS and probably won't be updated.
I don't really like Lollipop very much but I guess it would probably be a good idea to update Cyanogenmod on my phone anyway. Don't think CM's got the fix yet, though; guess I'll wait until I'm sure.
...crap, it's 12:30? I should get to bed. Apologies if this post is incoherent.
- Mongrel
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Speaking of InfoSec Taylor Swift, I thought this SwiftOnSecurity post was well done.
It's mostly just rephrasing an old question though - how much of an open system do you want to allow?
- Brantly B.
- Woah Dangsaurus
- Posts: 3679
- Joined: Mon Jan 20, 2014 2:40 pm
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
The fact that this is a massively strong argument in favor of walled gardens just pisses me off.
- Mongrel
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
I know, right?
I also wonder to what extent it's true - obviously people like that do exist and will continue to exist, but what percentage of the total user base do they really comprise?
- Brantly B.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
I meant Thad's post. I long ago accepted that the general user benefits greatly from a curated environment - it's only irritating to me when professionals try to extol the virtues of something that's clearly suboptimal to start with and can't be improved. But now they've got a strong argument in "Okay, but when something goes wrong, THEY CAN ACTUALLY FIX IT."
Of course, the real problem isn't that Android isn't a walled garden. It's exactly the opposite; the problem is that every IMPLEMENTATION of Android is a walled garden, usually with two or more sets of wardens fighting for control. The real lesson here is that manufacturers need to own the product from start to finish, or else not at all.
- Mongrel
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Fair enough.
I've been suspecting more and more that the period we live in now will be fondly recalled as some sort of Wild West analogue in a more controlled and stultifying but perhaps slightly-better-functioning future internet.
It's possible that the fundamentally decentralized nature of the internet's underlying architecture means this is wrong. I kind of hope so.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)
Brentai wrote: The fact that this is a massively strong argument in favor of walled gardens just pisses me off.
Not really (because it's not like Apple's record on security is exactly sterling either). It's more of an argument in favor of the Microsoft model.
Which, you know, can still piss you off.
Brentai wrote: Of course, the real problem isn't that Android isn't a walled garden. It's exactly the opposite; the problem is that every IMPLEMENTATION of Android is a walled garden, usually with two or more sets of wardens fighting for control. The real lesson here is that manufacturers need to own the product from start to finish, or else not at all.
Right, that's it; the Windows model (or, to a lesser extent, the MacOS or Linux distro model) in a nutshell.
There's an inherent tension between choice and security*, and in some ways the only people who can have both are programmers and IT pros who have the savvy to effectively control their own systems. (This is why, say, secure boot and driver signing are very good things for security but very bad things for user choice.)
Richard Stallman's arguments for free software go back to 1984, when it was actually reasonable to assume that anybody using a computer was sophisticated enough to poke around in its source code and make modifications. That's, obviously, not the case anymore. (It's interesting to watch Tron now and hear the word "user" used as a synonym for "programmer".) People who do take manual control of the free software running on their devices are safer than those who don't -- but the latter outnumber the former by orders of magnitude.
Stallman would probably respond to that by pointing out that many (most?) Android devices contain DRM that makes it harder to install custom software, gain root access (ownership!) for your own device, or replace the firmware and OS that it ships with, and yes this is certainly part of the problem. But even given the choice, out of the box, to put AOSP or Cyanogenmod or Ubuntu or whatever on their phones, the vast majority of users wouldn't. The vast majority of users are best served by having somebody like MS or Apple or Google (or Canonical or whoever, but for most people it's MS, Apple, and Google) hold their hand.
Of course, it would be nice if people would just fucking learn how these pieces of equipment they use constantly, every day of their lives, actually worked. But obviously that's not gonna happen.
(I've used the car analogy before -- it's far easier to make safer cars than safer drivers. I can accept that while still getting pissed off by the abundance of shitty drivers in the world.)
* there's an "essential liberty/temporary safety" analogy here somewhere.