* Posts by Munin

20 publicly visible posts • joined 22 Nov 2013

Bypass the Windows AppLocker bouncer with a tweet-size command


I've validated that blocking regsvr32 on the Windows firewall blocks network access - some folks may need to block both the 32- and 64-bit versions for some reason - and can mitigate the issue.

Come get your free Opera VPN (and bring along something to read)

Raising more red flags than a Soviet military parade

So, watching some talk on the twitters about this, some rather troubling things have come to light -

First, it's not really a VPN at all. It's an HTTP proxy. Calling it a VPN is, at best, misleading.

Second, it appears ( based on thread here: https://twitter.com/spazef0rze/status/723244948464762885 ) that it maintains a proxy-auth key.

If you recall the Verizon 'supercookie' mess? ( http://www.theregister.co.uk/2016/03/07/verizon_fined_135m_for_stalker_supercookies/ ) Approximately the same capabilities should be possible - that is, unique identification of individual browser installations across browsing sessions, albeit limited to Opera and whoever they decide to sell the info to.

And given the nature of surveillance in this day and age, this places this traffic firmly into the "Hey, lookit this tasty morsel we can subpoena!" section of every applicable law enforcement environment.

There's no way that I'm going to install this hot mess.

How much of one year's Californian energy use would wipe out the drought?


Re: Not going to happen

It's not just environmentalists, either.

One of the interesting things about California's legislative system is the ability for any sufficiently organized [ read: they can file some paperwork and get enough suckers to sign a petition ] group of citizens to, in effect, put legislation on the ballot.

This is how we got the "Proposition 65" that, as of a couple years ago, forced Starbucks to start putting cancer warnings on their door.

There's several groups that are organized to represent "citizens concerned about governmental overreach and taxation" [ read: virulently anti-tax, and committed to abolishing every tax they can get support for ] that would be very interested in opposing any publicly-funded projects that show up on the ballot.

Even if the legislature managed to get its act together enough to begin such a program, it would be at the cost of one or more of the legislators' seats - as is evidenced by the recall campaign starting against the gent who authored the bill calling for mandatory vaccination.

So while environmentalists are, certainly, one cause that will put the kibosh on desal plants, there's quite a few others who are just as committed to keeping the state dry.

Small issue of infrastructure

So, good article, but I have a few quibbles as someone who lives in California.

First, this assumes that there are enough desalinization plants to handle demand - which there aren't, and there won't be for quite some time. Desalinization plants are expensive to build and maintain, and every time those of us who support them try to get them built, the various interests opposing them kick up a huge fuss - interests that vary depending on where, precisely, you want to build the thing, but generally including both environmentalists and very rich people who don't like eyesores. Even if you can get the things built, they still need to be certified as safe by various agencies, etc., which turns into a (mostly political) boondoggle.

Second, this also assumes that there's enough electricity capacity to manage to run the things. This is a somewhat more complex topic, but the long and short of it is that, especially since the nuclear plant down by San Diego was forced to close, electricity capacity is somewhat shaky, especially during the height of summer. California's electricity infrastructure doesn't really have the capacity for the amount of load that a bunch of new desal plants would require - we've already got advertisements all over the radio demanding electricity conservation pretty much year-round.

Remember, any power used for desalinization is power that can't be used to run the air conditioners of the rich folk in Beverly Hills, and they get all upset when rolling blackouts start.

So yes, it would be, when amortized across the entire population, a fairly reasonable cost and one which I, for one, would be more than willing to bear. However, as lovely as the plan is in theory, implementing it in practice is significantly more complex.

But if Mr. Page would like to come show us lazy Californians how it works, I'd be more than willing to give him directions to Sacramento so he can show our perpetually incompetent legislature what for.

Small number of computer-aided rifles could be hacked in contrived scenario


I suppose the question would be which is longer - the range of your high-gain wifi antenna or the rifle? ;-)


Re: Right on

Mostly because of ATF regulations; the way the rules are written, if you don't want to be classified as a machine gun or summat like, you have to only allow one bullet per trigger pull. This necessarily precludes automatically actuating triggers.

Of course, that only matters if you want a -legal- gun that you can sell to other folks in the United States. If you're not constrained by those considerations, there's nowt preventing you from taking the same general 'tag this target' notions and actuating the trigger with a servo - which takes the human out of the firing decision entirely.

Basically, the only thing preventing the production of a self-targeting sniper turret is some red tape.

Proxyham Wi-Fi relay SUPPRESSED. CONSPIRACY, yowl tinfoilers


Even if the antenna weren't noticed, radio direction finding is, in fact, a thing - and at 900 MHz, it's a pretty easy thing. Frankly, I am only really disappointed the talk was pulled because I was planning to attend to ask the presenter some very pointed questions about why he thought putting wifi comms across a 900 MHz backhaul was innovative or interesting at all - much less why he was fiddling about adding a Raspberry Pi to the mix.

Man the HARPOONS: YOU can EASILY SLAY ad-scumware Superfish


Ain't that a kick in the head

So you're saying that, since 2010, a significant portion of the consumer market has been essentially wiretapped by a foreign-owned company? That's a little bit on the distressing side.

Anonymous HACKED GAS STATIONS - and could cause FUEL SHORTAGES


This was only vandalism, but if you read the manual...

There's a lot of other things you can do if you read the manual about how to interface with that model device.

For instance, if you (the evil black-hat bent on causing trouble) decided to, you could alter the amount of water reported to be in the tank - something which would call for a shutdown of fuel service and for someone to run a test on the tank to determine how much water is present.

Alternatively, you can change the tank's diameter to 0, which sets off all manner of alarms, some of which conflict with each other - a rather Hollywood sort of error condition, where everything lights up and buzzers sound and all that jazz.

Or you could change the reported fuel level to something minuscule, so that the fuel truck will attempt to deliver several hundred more gallons to the tank than there is space for, potentially resulting in a nasty spill.

Or why not change the threshold for the leak detection vapor pressure? This one's nice and subtle, and results in vastly reduced fuel flow at the pump, so those few who do stay around to pump fuel end up having to spend much longer (thus taking up space) at the pump than they would otherwise.

All of this is nicely documented in the manual from the manufacturer, freely available online to anyone with half a clue of what to look for.

Needless to say, attaching unauthenticated devices directly to the internet is a very bad idea, and those persons who made that choice need to be sacked forthwith.

Chipmaker FTDI bricking counterfeit kit


Re: That's going to cause some problems

I specifically saw Travis Goodspeed state this; can probably find some others if you take a look.


That's going to cause some problems

I've been watching some of these developments on Twitter; several prominent hardware designers have sworn off FTDI for future use.

Furthermore, this is likely to cause non-technical consumers some consternation: in the perception of the typical uneducated user, "Windows Update" will have broken their widget. As such, it's likely there's going to be a lot of future resistance to OS updates by those users and those persons those users talk with. The story of "my friend updated his windows and his things broke" is bound to make the rounds very fast.

Needless to say, this is going to be problematic for the infosec community; it's hard enough to get users to install updates promptly as-is, but after this, it'll be all the harder.

Additionally, besides the inevitable class-action suits that'll be brought against 'em, it's likely that FTDI is going to end up getting some nasty visits on the criminal side of the house for malicious destruction of property - if not worse; if they managed to brick any government kit with this stunt, then like as not they'll get charged with espionage or summat like.

There's plenty of ways FTDI could have addressed this issue, and bricking hardware is probably the worst way.

Who's that sniffing around BlackBerry? Oh, is it YOU again, Lenovo?

The MIBs won't like this one

Only folks I know who buy Blackberries these days for anything other than making delicious, delicious preserves are the US Feds. If Lenovo - Chinese company - buys Blackberry, then the MIB types will likely get very upset about this, being as they'd assume the Chinese would now have backdoors into all those lovely phones that the US taxpayers had paid so much money to get. But on the bright side, all the middle manager types who've been whinging to get an iPhone instead will find their requests suddenly not falling on deaf ears...

Hate Facebook? Hate it enough to spend $9k fleeing it? Web 'country club' built for the rich


Oh, is that all it takes?

So a ~$30/mo VPS, a WordPress install, and a RapidSSL cert are all it takes to get rich people to hand over several thousand bucks?

I should get in on this racket.

Mobe battery flat? These ELECTRIC PANTS will pump things up


Amazing Techno-Trousers

I assume that, having shelled out however much on a mobe capable of this charging and on these techno-trousers, the wearer will be guaranteed to be wearing them at any point his phone needs charging on account of not being able to afford anything else to keep his legs covered?

Unicode ideogram list-site Emojipedia goes titsup. Wow. Did you just give us the finger?



It's been a few years since I've read 'em, and I am a little tipsy at the moment, but is anyone else reminded of the infographics for illiterate persons in Stephenson's novels? I seem to recall them being used in Snow Crash and The Diamond Age, unless I'm mistaken. I don't mean to sound as though I'm some sort of Plato-decrying-the-youth type, but do we really need to further encourage a departure from reading and writing--from actual coherent sentence-making into symbology and pictures? But then, the very fact I've posted this comment indicates that the battle has already been lost, and I'd best bone up on the meanings of these 'emoji' lest I find myself illiterate in the new language of the kids-these-days.

Russian cybercrooks shun real currencies, develop private altcoins


Corp Scrip

The thing that I'm seeing here is that these folks are using various in-house cryptocurrencies as, essentially, scrip--the same kind of thing that the old Robber Barons used to do with 'company towns' and the like, where they paid for work in scrip that was only good in company-owned stores.

It's an interesting notion, as it not only keeps your workers under management's thumb, but management also can adjust prices to make working for them more or less attractive as their particular needs go. Not only that, but the management also can regulate the amount of scrip in circulation, allowing them to induce artificial scarcity or plenty as they see fit.

In a way, this is also similar to other organizations' attempts at in-house scrip; didn't Facebook have something similar going on a while back, with some kind of Facebook bucks or credits or the like that you could cash in for various things? Various MMORPGs have the same kind of in-game credit that can be cashed in for real-world money or vice versa, as well.

If I were in a predicting mood, I'd say that the rise of bitcoin and the various altcoins provides a model for many different businesses, and that a smart fellow would get into the business of scrip exchange, maintaining as many different kinds of scrip accounts as possible so's to glean commissions from interchanging amongst the vast amounts of corporate-specific scrips that are likely to show up in the near future.

Those of you who play Shadowrun may find some of this to be very familiar as well.

Candy Crush King went 'too far' when it candy crushed my app – dev


Of course they're not going to enforce the name "too strictly"; they know it'd never stand up in court, so they'll only use it to beat up on small-time devs who don't have the resources to fight back.

KC engineer 'exposed unencrypted spreadsheet with phone numbers, user IDs, PASSWORDS'


Re: Where's the story?

"I wonder how they could tell you the password so you can connect your router to their network."

By reading the second to last paragraph in my post, guv.


Re: Where's the story?

Industry standards state that passwords shall not be stored except as a hashed output.

Passwords are not 'encrypted' in the usual, reversible fashion per these standards; this is why all reputable outfits will not be able to tell you what your password was when you forget it.

When you log in, the login process hashes your password through the same one-way function and compares the sausage-meat result to the stored sausage-meat result; if they match, then you've put in the correct password.

"Cor, but wot if summat else makes t' same hash?" I hear you object--that's called a hash collision, and that's why they come out with new hash functions from time to time.

The long and short of it is that even if you trust these people's laptop setup--which, given their very basic misunderstanding of how passwords are to be stored, is far from guaranteed--they STILL should not have passwords available for customer accounts, ever.

The correct way that reputable outfits use is to use the engineer's credentials to get to a restricted page on which the customer then inputs a password for their specific account, and then tell the customer to change it themselves once the engineer leaves.

And that, lad, is why everyone jumped on the 'downvote' button.

LG: You can stop hiding from your scary SPY TELLY quite soon now


If it's transmitted, it's collected

Their statement that the data's not been collected is farcical--anyone who has ever administered any webserver knows full well that the httpd logs have a full record of every single one of those POST operations, regardless of the response code sent.

I had a notion when those 'smart' TVs started coming out that they'd be too vulnerable an attack vector, but I was thinking that the attack would materialize through bad actors' compromise of poorly patched proprietary firmware in the set, rather than active vendor exfiltration of information.

My decision to avoid purchasing such a device is looking wiser every day.