Posts by arobertson1

Smoke and Mirrors!

You do not need to crack the encryption or read it in transit - you merely need to know the phone number and use SS7 to gain access to the phone. Once you have access you can just read the messages in plain text as the phone has the keys to decrypt the messages.

All phones are back-doored - if the phone can do it, then they can do it. No amount of encryption, firewalls, permissions, domain blocking etc. will stop this. Your messaging apps, social media, SMS, contacts and photos etc. are all easily viewed remotely. Why exactly do you need to break the encryption in transit?

Sim Toolkit exists even with eSIM’s, and combined with S@T Browser has access to your phone. Compatibility Test Suite can download “updates” to your phone and modify the phone temporarily in order to gain access. The same is true with the Dynamic System Installation Service. Managed Provisioning can remote control the phone. Maybe Opportunistic Network Services could connect your phone with my phone for access, or perhaps a buffer overflow bug in MMS could trigger code execution. Perhaps you use a predictive text service that checks the spelling by sending everything you type to a remote server to be “spell checked”. Or maybe you just use plain old WAP from yester-year which still exists today to modify ring tones on your phone or more likely install apk’s or shell code. Or maybe just push an “update” specifically for your phone over the air. I mean nobody is going to take the digital signal processor, pipe it to netcat going to a server and listen in on the phone, are they? What, even when your not using it? While you’re at it you might use the Easter Egg apk to modify the system permissions and send the print spooler all those supposedly encrypted files to an online “print service”.

This is all smoke and mirrors much like you having to download an app that uses bluetooth to determine whether someone with covid was too close to you for an extended period of time. The phone companies already store all the data with triangulation - there was no need for a covid app, but that would bring too much attention to the data being collected on you every day. How do you think you can make uninterrupted phone calls while travelling - you’re connected to several towers at the same time and the strongest signal is selected. This allows accurate triangulation down to a square metre. See - no covid app was required, just like breaking end to end encryption isn’t required either. All your phones are open books in many, many ways.

Snaps and Flatpaks are a bloated security nightmare

Okay, first off, could somebody peel two different coloured stickers off a Rubik’s Cube, swap them, jumble it up, and give it to all the KDE users. That should keep them busy for a while. Next tell all the GNOME devs that Pop!_OS has themed the window title bars in a really cool way. That should keep them busy too. Right, now the silent majority can get a word in edgeways…

Snap and Flatpak are the worst ever idea that has come to Linux in a long time. The idea of wrapping an operating system around an app and distributing it as a binary blob is stupid. It might work for the server market, but on desktop it’s just slow and bloated.

Take OBS Studio, on Fedora (RPM Fusion) the download size is a mere 7.6Mb and the installation size is 25Mb. The Flatpak is a whopping 198Mb download and a 520Mb installation size. So that’s a staggering 26 RPM’s to just 1 Flatpak in download size, and an unbelievable 20 times in size on your hard disk! Really?

In a world that’s becoming more energy conscious, how can this be better for the environment if you are doing twenty times more disk reads just to load the application? What about all the e-waste as you throw out all the (now) junked computers. Wasn’t Linux meant to support older computers? What about your poor SSD now wearing out at twenty times faster?

As for security, what’s going to happen when the next Heartbleed comes along and that TLS library embedded inside that Flatpak is vulnerable. Are the devs who created the software going to update it? Maybe, maybe not. There are no guarantees on this. Will Flathub or Canonical’s Snaps remove the app due to the vulnerability? Will they leave it for a while until the dev updates the library that’s vulnerable? Will they just ignore the problem completely?

Then, there’s containment... If there’s anything I’ve learned in forty years of computing, it’s to accept the fact that nothing is 100% secure. Here is a quote from O’Reilly’s Java in a nutshell, “Another layer of security protection is commonly referred to as the “sandbox model”: untrusted code is placed in a “sandbox”,” where it can play safely, without doing any damage to the “real world,” or full Java environment.” Oh the optimism of 1997! Also, what a load of crap! How many Java sandbox escapes have there been? How many virtualised hosts have been popped? How many AppArmor failures? And... How many “immutable operating system” failures will there be?

You see, if you are going to run potentially vulnerable code in an “immutable operating system” then you better make sure that it really is immutable. Unlike say these Snapd CVE’s from only four months ago as I write: CVE-2021-44731, CVE-2021-44730, CVE-2021-4120, CVE-2021-3155. You have everything from privilege escalation to snap confinement escape. Are you sure that app can’t escape it’s confinement?

If you look at the current system with RPM or Deb, then the vulnerable library would get upgraded with the system updates. In a lot of cases the software that uses the library wouldn’t even know, and if it did break some software then the devs would have to update their own software otherwise it would be perpetually broken. Either way the vulnerability goes away.

To be perfectly honest, I would rather run ChromeOS than Linux using containerisation - far more choice with far better support. Not looking forward to the absence of GPL apps, mandatory anti-virus software, endless permissions maze, and paid calculator apps in the Store though... Oh wait, that’s Linux hubstore in the future too!

Time for an Audit?

So the assumption being that it's open source so everyone can read the code, so there's no point in checking it / hey what the heck, it's Friday syndrome, let's go / it's from a Uni, it's probably fine. This happened with Netgate and Wireguard which nearly ended up in BSD. It's also not the first time that something dubious has sneaked in - Canonical found that out with crypto miners being sneaked into snaps. Thank goodness they have an Ubuntu Security Team...

I think we have to face facts that this is going to become more of a problem with time and, yes, you're going to have to check the code prior to it being released. You could use automation to a certain degree but in reality it's an independent audit that's going to minimise this.

The bigger question should be how many commits have sneaked through without anyone noticing? Kind of like the sudo privilege escalation vulnerability that sat there for years. Accident / intentional, does it matter? I would imagine some of the best backdoors would come with a healthy dose of plausible deniability.

This is so Googlish...

I don’t think anyone cares about the share holders and to be honest I’m not sure that argument would stand up if you replaced Google with [tobacco company] share holders - nobody would care about those share holders if tobacco was made illegal overnight.

As for Android, let’s not forget that Google bought Android in 2005 - prior to that it was just an open source project. The fact that the name Android has become synonymous with Google is only because the Google apps come pre-installed with Android and people are used to it. You can actually use Lineage where there are no Google apps and it still runs on Android. In other words Google modified it to suit themselves. The same is true with ChromeOS - it’s Gentoo Linux with Google modifications on top. Then there’s DoubleClick, again acquired by Google in 2008. Are you starting to see a common theme?

Google has deliberately inserted itself between internet users and the content providers in a very manipulated attempt to try and extract (a lot) of money out of people using the internet and those supplying content, services and products, and yet it doesn’t have to be this way... There are alternatives if you care to think them through:

Have you ever tried to block ads using DNS with Youtube? Good luck - it won’t work. Why? Because they are supplying the ads on their own servers. In order to block the ads you would also end up blocking Youtube content which defeats the purpose (if you use DNS blocking). The reason why it works with other websites using DNS is because those other websites use content from external advertising servers, and if you block those ad servers then it does not also block the main content of their website. In other words if the people who host websites used their own ads from their own website then DNS blocking would fail to work. This also has the added advantage that you’re not being tracked from website to website which also addresses the privacy issues that the current model of advertising Google has. It’s not the ads that are wrong, it’s the tracking between sites that’s wrong. This would also cut Google out of the advertising model which is why they oppose it strongly, however it would make for a better, safer, and more private internet. Content providers would also have to become responsible for the ads they were showing - no more third party finger pointing.

So how would Google make their money? Well, let’s look at the chain: Your laptop / phone -> your ISP / phone carrier -> Google -> content websites. Clearly welding extra money on phones for development of Android isn’t going to be favourable with users, and if websites are hosting their own ad’s then Google wouldn’t make money, so... Your ISP or phone carrier could pay a percentage of how much they charge the end user for Google services (and other companies) based on usage. What’s wrong with that? That way the phone manufacturer gets paid, the ISP / carrier gets paid, Google gets paid, content providers get paid and more importantly we get to keep our privacy. It would cost more but I consider this a price worth paying if I don’t end up with the metaphorical equivalent of the creepy dude down the road following me around everywhere or coming home to find them rummaging through my underwear drawer and cataloguing it!

Okay I realise this is a simplistic model and there are probably anomalies all over the place, but surely it has to be better than the tracking / spying / phishing / malware / badware / ransomware / malicious / spam / annoying / crypto mining / porn / privacy invading ads that we have today?

How about a law that forces manufacturers to support their products for a mandatory period of time and to fix vulnerabilities within a timely manner to a satisfactory standard?

How about a law that ensures there are no backdoors and their equipment is not vulnerable to Krack, or Broadpwn, or the BeEF Metasploit network, or mDNS / DNLA packet flooding?

What about a law that forces the manufacturers to have a minimum level of security like changing admin, admin login, disabling WPS, default WiFi passwords which aren't Numpty1 or Dummy1234?

How about a law which criminalises the crippling of routers so that you cannot use all the features?

Aren't these the reasons why people use third party firmware in the first place?

Maybe if they sorted out their shoddy kak then people wouldn't choose third party firmware. It's a bit like saying people are choosing to cook their own meals as the restaurant food is so revolting that nobody wants to eat it, so let's pass a law forcing everyone to eat it.

P.S. Anyone want a free "Super Router"? I could always find another door stop.

I don't know what all the fuss is all about

Go into settings, about phone, tap the build number until developer options are enabled

Go into developer options and under "PwnMyPhone"

Untick "Enable Googlebot Private Network Traversal"

It's right next to "Mask Telnet" and "Index My Pics"

"Our protection systems kicked in immediately and the attack was contained by 10:40am"

That will be why my website is still down at 15.10 - some containment!

123 Reg Support Tickets are useless - they always wait until the problem is fixed several hours later and then proceed to tell you (cut and paste style) that they just checked your website and it is fine, just like there was nothing wrong in the first place.

I get that this is an unusually large DDoS, but at least be honest to everyone when they claim everything is fixed - it's not and it's still ongoing. Tumbleweed....

Just Baidu it - I'm sure they'll have a copy.

Genie, bottle, get back in - no chance!

The advantages of adblocking:

1) Prevent malware attacks.

2) Stop tracking / spying.

3) Internet speeds up.

4) Save money on bandwith charges.

5) Less irritation.

The disadvantages:

1) Your favourite websites lose out on revenue.

2) Ermm...

Solutions:

1) Paywall - bye, bye users.

2) Time sensitive - paid users view first, non-payers later.

3) Product placement / paid endorsement - works to a degree depending on relevance.

4) Host the adverts on the same site (won't get blocked) - will never work as the advertisers won't trust the site owner.

5) Charge the ISP's as a revenue source - would have to be voluntary but could work if planned properly.

Just give me something that has good javascript control, ad blocking, tracker blocking, super cookie blocking, secure ciphers with forward secrecy, geo-tracking removed, dom-storage disabled, network referrer off and click to play flash. Oh, wait, doesn't Firefox allow all this already?

The dummies that use Chrome do so because it came free with the packet of Corn Flakes software they installed the other day and they were too lazy / ignorant to understand that said software was also going to install Chrome. Maybe Mozilla should adopt the same tactics? "Free Kardashians wallpaper - now with Mozilla Firefox".

I laughed at this at first and then I realised that Microsoft was probably quite pleased at the result - people interacted with a machine and tried (successfully) to corrupt it. They're probably in the process of putting a few guarded keywords in long blacklist to keep the P.C. brigade happy, but to be honest they would have been better off leaving it alone and appealing to a wider user base to make counter arguments against such extremist view points. Would the extremism have naturally died out with a larger consensus of opinion? That would have been more interesting to find out. Fascinating developments.

Key = 4 digit passcode + serial + salt. Salt = phone number? I hope not!

Macwrite, Macdraw and Macpaint - them were the days. Games of Risk and Apache Strike. Fun times. Gently having to pat the Mac II's on the side to get them to boot because of bad graphic cards and the rewarding "bong" as they started up. Shortly followed by "I'll be back" shutdown or "That's all folks". To be honest the SPARC II's were abused more - in those days the whole campus was wired up with little or no security. Port 135 buffer overflows, dictionary password attacks (no salts then), call the same process in an endless loop.... crash. etc. etc.

Linux Mint

I run a small business. Here is the current set up:

1 PC using Windows 7, 3 PC’s using Linux Mint (not virtual) & 1 PC stuck on XP (short version - driver issues / don’t ask).

Most of you talk the talk about switching to Linux Mint / (Ubuntu if you must) etc. but I doubt many of you will. In most cases management will decide and you’ll just scurry along with upgrading to Windows 10, while you complain vigorously about privacy all the way (but not actually doing anything about it). That way your backs covered when the customer accounts all turn up on Pastebin - right? “Must have been Microsoft”. Wrong! P45 for you….

By far, the Windows 7 and XP PC are the most problematic in terms of keeping patched and up to date - I can spend a whole day on each fannying around with both of them getting them to work and be secure. Windows update, Adobe Flash, Baseline Security Analyzer, various software update checkers, Adobe Flash emergency out of band extra patch, Internet browsers (including IE windae licker edition), undoing Microsoft’s upgrade to Windows 10 and retro Windows 10 spyware on Windows 7 cagar, Adobe Flash extra, extra out of band update fix the second part b (honest gov - it’s the last one this month), uninstalling the obligatory Microsoft “Bork my PC now” booby trapped BSOD recommended update, Surprise!!… Pain in the arse.

Conversely, Linux Mint just works. Updates (at most) take around ten minutes. No fannying around, no double checking here there, wing and a prayer - just works.

Every once in a while I scan the network for any issues with security. Surprise, surprise it’s always the Windows PC’s that end up with the problems. In most cases Mint is so quiet on the network that nMap can’t even identify it let alone find a weakness. Windows 7 on the other hand - shut the f*** up! Yet another piece of software required…. Antivirus, Antispyware, Firewall, USB autorun prevention, ASLR, OS configurations, Application rights, Group Policy this, that, this and this, oh wait a minute that one needs a registry edit…… The list is endless. Oh s*** here’s yet another javascript OS vulnerability that bypasses the UAC. Hmmm, yes that sounds like a really sensible idea to allow .js to run natively in the OS. I luv my ransomeware Microsoft!

Look guys, the only way you will secure your data and prevent Microsoft from grabbing it all (keyloggers, wifi passwords, big jugs online or whatever) is to dump Windows 10 and use Linux. Go on, you know you want to - try it and get your social life back (No, Facebook doesn’t count).