Little Pig, Little Pig! Let Me Admin! (Security Thread)

Grath
Posts: 1508
Joined: Mon Jan 20, 2014 7:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Tue Nov 28, 2017 7:13 pm

Looks like the problem is that High Sierra just shipped with a root account with no password because setting the root password fixes the issue.

Caithness
Posts: 694
Joined: Mon Jan 20, 2014 6:45 pm
Location: Mint is a vegetable, right?

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Caithness » Tue Nov 28, 2017 7:51 pm

Thanks for that, Grath. I think I'm still going to attempt my long-delayed install of Windows 10 on this MacBook Pro tonight, though.

Rico
Posts: 479
Joined: Tue Jan 21, 2014 2:29 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Rico » Thu Jan 04, 2018 6:01 am

If you've got an Intel chip, be sure to update as soon as possible; a huge bug lets regular programs access kernel memory space.

Thad
Posts: 5917
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Jan 04, 2018 10:17 am

As it turns out, there are two huge memory-access bugs, Meltdown and Spectre. Meltdown is the one that's been confirmed on Intel chips but not yet known to affect any other processors; Spectre affects Intel, AMD, and ARM. Both are critically serious -- "JavaScript can read your passwords" serious.

The security patches have some potentially huge performance impacts, mostly on file R/W operations. (Servers are going to be affected in a big way, but you shouldn't notice a significant impact on gaming performance.)

It's possible that these bugs have existed for decades, it's unknown whether they've ever been exploited, and if they have, there wouldn't be any evidence in any logs. So yeah you're gonna wanna update your shit, whether said shit is Linux, Windows, MacOS, iOS, Android, BSD, or whatever.

Thad
Posts: 5917
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sun Jan 28, 2018 1:17 pm


Thad
Posts: 5917
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sun Mar 18, 2018 10:36 pm

Thad wrote: And there's not really any good alternative. AMD and ARM chips don't use IME, but they've got similar coprocessors with similar proprietary firmware and similar vulnerabilities.

To wit: AMDFLAWS is a list of 9 vulnerabilities affecting AMD's "secure" coprocessor.

This isn't Meltdown/Spectre level; in fact, every one of these vulnerabilities requires that the attacker already have some kind of administrative access to the machine. The article notes that the disclosure by Israeli security research firm CTS-Labs is sensationalistic and potentially shady.

Cory Doctorow wrote: Now, with that all said, there are some very important caveats, which are summed up well in this thread by security researcher Arrigo Triulzi and its replies.

Triulzi points out that the CTS-Labs paper is very short on technical details. Moreover, CTS-Labs' claimed defects are presented as grave in and of themselves, even though they can only be effected by attackers who are already in a position to control the user's system. For example, the MASTERKEY attack requires that the user install an untrusted BIOS update; there are many ways that such an update could allow an attacker to control the user's system, making the MASTERKEY attack somewhat redundant. The RYZENFALL attack requires that unauthorized code be loaded into the secure coprocessor; FALLOUT requires that the attacker gain control over the vendor's signing keys. Any computer that is vulnerable to these attacks is also vulnerable to much better-understood attacks and is by definition insecure, so Triulzi asserts that CTS-Labs is making a lot out of nothing.

I quibble with this: sneaking malicious code into the secure coprocessor is indeed a high barrier for attackers to hurdle -- but the nature of secure computing also makes such an attack particularly grave, in a way that mere physical control and root access to a system without such a coprocessor doesn't approach. The secure copro is designed to resist inspection and alteration (to prevent attackers), and this means that defenders are effectively helpless against such an attack.

But Triulzi's other points are well-made. The CTS-Labs paper makes a bunch of irrelevant references to aerospace, the FTC, and self-driving cars that seem calculated to discredit AMD; it also includes a disclaimer that reveals that a fall in AMD share-prices could benefit CTS-Labs and/or its personnel.


tl;dr CTS-Labs is probably exaggerating the threat of these vulnerabilities, but, like I was saying earlier, coprocessors running proprietary code are inherently insecure. Even if these vulnerabilities aren't as bad as the research firm is making them out to be, we can expect a lot more stories about coprocessor exploits in the years to come.


Mongrel
Posts: 10112
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Mon Mar 19, 2018 5:00 pm

So it looks like this Cambridge Analytica & Facebook leak is going to have some big effect, not the least of which is EU regulation of social media (which was already under consideration, but may grow significantly harsher and be implemented much quicker now).

Also, CA has been revealed to have high-level ties to Russia (this is my surprised face).

Annnd finally, a breaking story coming out of the UK tonight: Executives from Cambridge Analytica boasted that they could entrap politicians with Ukrainian sex workers, offer bribes to public officials, and use former spies to dig dirt on political opponents. (Vice article, in anticipation of a Channel 4 broadcast coming out tonight in the UK)

Mongrel
Posts: 10112
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Mon Mar 19, 2018 5:05 pm

Oh and in TOTALLY UNRELATED news, Facebook lost $36 Billion in share price today.

Mongrel
Posts: 10112
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Fri May 25, 2018 2:04 pm

Alexa secretly records and transmits conversation to a random contact

A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon's Alexa -- the voice-controlled smart speaker -- and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.

"My husband and I would joke and say I'd bet these devices are listening to what we're saying," said Danielle, who did not want us to use her last name.

Every room in her family home was wired with the Amazon devices to control her home's heat, lights and security system.

But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. "'You're being hacked.'"

That person was one of her husband's employees, calling from Seattle.

"We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house," she said. "At first, my husband was, like, 'no you didn't!' And the (recipient of the message) said 'You sat there talking about hardwood floors.' And we said, 'oh gosh, you really did hear us.'"

Danielle listened to the conversation when it was sent back to her, and she couldn't believe someone 176 miles away heard it too.

Friday
Posts: 2383
Joined: Mon Jan 20, 2014 7:40 pm
Location: A user of Sosuns

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Friday » Fri May 25, 2018 4:44 pm

"Family shocked that thing they have been joking about which is true turned out to be true"

beatbandito
Posts: 1842
Joined: Tue Jan 21, 2014 8:04 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby beatbandito » Fri May 25, 2018 6:37 pm

I don't get...

I mean, okay, sending the recordings to someone else is one thing. But why were they "joking" that it listens to everything they say? They know how voice commands work, right? It really worries me that people have their houses this wired with technology they don't even understand the fundamentals behind.

Friday
Posts: 2383
Joined: Mon Jan 20, 2014 7:40 pm
Location: A user of Sosuns

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Friday » Fri May 25, 2018 8:37 pm

No no, Alexa doesn't listen to you until you say "Alexa". Then it listens to you.

But up until you say "Alexa" it can't hear anything you're saying.

But once you say "Alexa" and it hears you say "Alexa", then it can hear what you're saying.

beatbandito
Posts: 1842
Joined: Tue Jan 21, 2014 8:04 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby beatbandito » Fri May 25, 2018 9:46 pm

after activating Alexa it will go back and listen to the last thirty seconds and hear you planting the drugs

TA
Posts: 1651
Joined: Mon Jan 20, 2014 8:58 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby TA » Sat May 26, 2018 1:03 am

Friday wrote: No no, Alexa doesn't listen to you until you say "Alexa". Then it listens to you.

But up until you say "Alexa" it can't hear anything you're saying.

But once you say "Alexa" and it hears you say "Alexa", then it can hear what you're saying.


That's the claim, anyway.
のほも is such a good word?? the concept is kind of hard to fully get across in translation, but basically it means a feeling of pure, deep, platonic affection, and i think that's beautiful
