* Posts by Pier Reviewer

131 publicly visible posts • joined 15 Feb 2018


Veilid: A secure peer-to-peer network for apps that flips off the surveillance economy

Pier Reviewer

They’re still on their holidays for a couple of weeks yet! So 3 weeks.

So much for CAPTCHA then – bots can complete them quicker than humans

Pier Reviewer

The robot testing which of the stolen cards in its list are valid/not blocked :(

Sadly things like that are abused, and the little coffee/pizza shop gets dumped on by the card acquirer (higher charges due to reversals etc.) so they need to protect themselves.

It’s crap, but I can’t blame them.

Google Chrome to shield encryption keys from promised quantum computers

Pier Reviewer

Re: Teaser......Diffie/Hellman might be more secure than described......

There are two forms of DH key exchange - ephemeral and elliptic curve. Both forms rely on the difficulty of solving the discrete logarithm problem (DLP) for their security. This problem can be attacked much more efficiently with a suitably large quantum computer.


1. Yes

2. No - the exchange publicly shares intermediate values which can be used to recover the key by solving the DLP (currently not feasible, but Shor’s algorithm on a QC will do it)

3. Yes - this helps *now* (the DLP is extremely expensive to solve) but with a suitable QC doesn’t add much protection

UK voter data within reach of miscreants who hacked Electoral Commission

Pier Reviewer

Re: How was this made possible?

Properly segmenting data from the Internet is almost unheard of. I’ve worked in one place where it happened - I had to go to another part of the building to Google stuff. Then write down/print the results and walk back to my desk. It’s not practical in most orgs.

If you want email to the desk, you have a route between the Internet and your PC. It may not be very direct, but it exists. Same with browsing the Internet.

Personally my money is on VPN access with no MFA. Got no evidence at all to support that, but Exchange is awesome for highly reliable user enumeration and cred spraying. Plenty of enterprise VPNs support LDAP authN (i.e. AD) - find valid creds via Exchange, use them to VPN in. We do it all the time at work.

Post-Brexit tariffs on cross EU-UK electrical vehicle imports still going ahead

Pier Reviewer

Re: Fuck business

The UK’s new car consumption is disproportionately large for its size (1/7 of all new cars sold in EU+UK were sold in the UK). But that’s still a relatively small fraction of the overall market. Don’t fall for the “big hitter” trap - as a proportion of the EU the UK market is still small.

The EU’s choice is between protecting itself from US/China or not. “Not” means the EU battery market likely dies in the face of gov subsidies from US/China. 6/7ths of something is greater than all of nothing, so I expect the EU aren’t going to back off.

There may be a little scope for tweaking things at the edges, but pain is coming one way or another.

It's 2023 and memory overwrite bugs are not just a thing, they're still number one

Pier Reviewer

Re: Buffer overrun? still?

Well yeah - it’s a circle…

Microsoft Windows edges closer to SMB security signing fully required by default

Pier Reviewer


Errr 40 *additional* bits of security would make it one trillion times more difficult to brute force (2^40).

Crypto catastrophe strikes some Atomic Wallet users, over $35M thought stolen

Pier Reviewer

Re: Wallet Private Key

Based on the article it seems the thieves primarily went after larger values. If they had every user’s priv keys you’d think they would take everything (many small balances = one large balance).

The targeted nature might imply phishing. Would be interested to see how many victims use gmail after their recent “stamp of approval” SNAFU…

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack

Pier Reviewer

Re: SQL injection flaw

Legacy? Sadly parameterising queries *still* isn’t done every time :( Even where it is, dumb stuff happens. The other week I was reviewing some code. DB interaction looked reasonable on the surface - all the queries were parameterised so it was safe right? Wrong :(

They were calling stored procedures safely, but the SPs were then concatenating input and EXEC’ing it ^^.

It’s a fairly common pattern sadly - Java/.Net/whatever devs do their bit safely, but then the data team who write the SPs do random **** like it’s 1995. Neither team knows or understands what the other team is doing so you end up with trivially discoverable and exploitable SQLi.
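The two-layer pattern the comment above describes, as an added example (not code from the article or the commenter). The real thing would be T-SQL, with an application doing a bound `EXEC` and a procedure building a string and calling `EXEC` on it; here the procedure is modelled as a Python function over SQLite so it runs offline. Table contents and the payload are constructed; the "binding" in `app_lookup` round-trips the value through the engine as a parameter to show it really does arrive intact and unparsed at the outer layer.

```python
import sqlite3

# Constructed sample table; not data from any real system.
SEED_ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def sp_find_email_concat(conn, name):
    """Stand-in for a stored procedure that builds its statement by
    concatenation and EXECs it. The value arrived safely as a parameter;
    it is this second hop that makes it injectable. Deliberately vulnerable."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def sp_find_email_param(conn, name):
    """Same procedure with the inner statement parameterised as well
    (the sp_executesql-with-parameters pattern in T-SQL)."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def app_lookup(conn, name, stored_proc):
    """Application layer: the part a code review usually sees and approves.
    The user-supplied value is bound as a parameter, so it reaches the
    'procedure' byte for byte, quotes and all, without being parsed as SQL
    at this layer."""
    bound_name = conn.execute("SELECT ?", (name,)).fetchone()[0]
    return stored_proc(conn, bound_name)


# Classic tautology payload; the outer binding does nothing to neutralise it.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Returns (rows leaked via the concatenating procedure,
                rows returned by the parameterised one)."""
    conn = make_db()
    leaked = app_lookup(conn, PAYLOAD, sp_find_email_concat)
    safe = app_lookup(conn, PAYLOAD, sp_find_email_param)
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The first element of `demo()` is every email in the table; the second is empty, because the parameterised procedure looks for a user literally called `nobody' OR '1'='1`. Reviewing only the application tier would pass both versions.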

'Strictly limit' remote desktop – unless you like catching BianLian ransomware

Pier Reviewer

Re: Passwords

I have a lot of sympathy for you - you’ve likely got a million jobs to do and no resources to get them done. RDP or RDWeb facing the Internet is *super* risky though. It’s really easy to differentiate between valid user names and invalid ones, so first of all attackers will enumerate a bunch of user names. It takes 1x request per user name, so no lockouts (well, very low risk).

Now they have a list of valid user names, and can try a noddy password against each one once every 45 mins or so. Slower if they want to be more stealthy. This is all automated so there’s no opportunity cost to the attacker - they can do this vs dozens of orgs at the same time.

If they hit pay dirt you’re stuffed. And *someone* will have a bad pass. If you really must have RD on the Internet at the very least mandate MFA!
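Detection logic for the low-and-slow spray the comment above describes, as an added example (not from the article or the commenter). It assumes a lockout policy of five bad passwords in a 30 minute window and a line format of `timestamp key=value ...`; both are assumptions, as are the sample log lines, which are constructed. The idea is to key on what the attacker cannot avoid: many distinct accounts from one source, each kept just under the lockout rate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lockout policy: 5 bad passwords within a 30 minute observation window.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)
# A human who forgot a password hits one account; a sprayer hits many.
MIN_DISTINCT_USERS = 5

# Constructed sample log lines (not real data). One source tries five
# accounts once, waits 45 minutes, then tries them all with a second
# password; the other source is an ordinary user mistyping their own password.
SAMPLE_LOG = """\
2023-06-01T09:00:00 src=203.0.113.7 user=alice result=FAIL
2023-06-01T09:00:02 src=203.0.113.7 user=bob result=FAIL
2023-06-01T09:00:04 src=203.0.113.7 user=carol result=FAIL
2023-06-01T09:00:06 src=203.0.113.7 user=dave result=FAIL
2023-06-01T09:00:08 src=203.0.113.7 user=erin result=FAIL
2023-06-01T09:10:00 src=198.51.100.3 user=frank result=FAIL
2023-06-01T09:10:05 src=198.51.100.3 user=frank result=FAIL
2023-06-01T09:10:12 src=198.51.100.3 user=frank result=SUCCESS
2023-06-01T09:45:00 src=203.0.113.7 user=alice result=FAIL
2023-06-01T09:45:02 src=203.0.113.7 user=bob result=FAIL
2023-06-01T09:45:04 src=203.0.113.7 user=carol result=FAIL
2023-06-01T09:45:06 src=203.0.113.7 user=dave result=FAIL
2023-06-01T09:45:08 src=203.0.113.7 user=erin result=SUCCESS
"""


def parse(log_text):
    """Parse 'timestamp key=value ...' lines into (ts, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), f["src"], f["user"], f["result"]))
    return sorted(events)


def peak_fails_in_window(times, window):
    """Most failures against one account inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_spray(events):
    """Flag sources that fail against many accounts while staying under the
    lockout rate on every one of them, and report any success on those accounts."""
    fails = defaultdict(lambda: defaultdict(list))   # src -> user -> [ts]
    wins = defaultdict(set)                           # src -> {user}
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src][user].append(ts)
        else:
            wins[src].add(user)
    findings = {}
    for src, per_user in fails.items():
        peak = max(peak_fails_in_window(t, LOCKOUT_WINDOW) for t in per_user.values())
        if len(per_user) >= MIN_DISTINCT_USERS and peak < LOCKOUT_THRESHOLD:
            findings[src] = {
                "distinct_users": len(per_user),
                "peak_fails_per_user": peak,
                "success_on_sprayed_account": sorted(wins[src] & set(per_user)),
            }
    return findings


if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The spraying source is reported with one failure per account per window (it never trips lockout) and a subsequent success on `erin`; the user who mistyped their own password three times is not, because they only ever touched one account. A per-account lockout counter on its own sees nothing unusual in either case.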

Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack

Pier Reviewer

Re: Hack to death ratio

Possibly a combination of two things.

1. People stealing cars probably aren’t wearing seat belts and adhering to speed limits, one way restrictions etc.

2. I wouldn’t be surprised to find the ignition bypass doesn’t arm the airbags, so when they do crash skull meets dash/windscreen and brain soup is on the menu.

Chinese researchers' claimed quantum encryption crack looks unlikely

Pier Reviewer

Re: The future is still the future

ECC isn’t post-quantum secure :( As with RSA, algorithms are known for breaking it on a suitably large quantum computer.

However, ECC does have benefits over RSA and anyone implementing asymmetric encryption in a new system/protocol would do well to avoid RSA and use ECC instead. Unfortunately they’ll both be broken when we make large enough quantum computers.

Pier Reviewer

It’s simple - PoC||GTFO. Anyone that can actually factor a 2048 bit semi-prime can provide evidence by factoring RSA-2048 from the RSA Challenge (https://en.m.wikipedia.org/wiki/RSA_numbers#RSA-2048).

Anyone making that claim without doing so is talking bollocks. It’s not about nationality - soooo many fraudsters have made wild claims about breaking RSA, then been shown to be telling lies. That’s *why* the RSA Challenge was created over 20 years ago! It’s not a new thing sadly.

LastPass admits attackers have a copy of customers’ password vaults

Pier Reviewer

Re: Someone Else's Password

They won’t comment on salts because the vaults aren’t hashed - they’re encrypted. There is no salt. There will be an initialisation vector/nonce depending on the encryption mode in use.

Rainbow tables are no good here - there’s no hash. Attackers will (assuming there are no weaknesses with how the encryption is used - not necessarily true!):

- guess a stupid password (eg Password1)

- throw it into a password based key derivation function (PBKDF)

- use the resulting key to decrypt a username field from *every* vault

- check if they got a sane plaintext (valid padding etc)

- repeat

The PBKDF will slow them down. The trouble is, it’s a numbers game for them. They can test one pass vs thousands of vaults and only need to do the slow PBKDF once per pass. They *will* pop some master passwords, because some ppl will have used weak master passwords :(
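The cracking loop the comment above lays out, as an added example (not from the article or the commenter, and not LastPass's format). It follows the post's model exactly: a password-based KDF with no per-vault salt, so the slow derivation runs once per guess and the cheap decrypt-and-check runs once per vault. The KDF parameters, the vaults, the usernames and the wordlist are all constructed; the cipher is a toy HMAC keystream over PKCS#7-padded data standing in for AES so the block runs on the standard library alone, and the loop does not care which cipher is behind `decrypt_field`.

```python
import hashlib
import hmac
import os

# Assumed KDF parameters. Following the post's model there is no per-vault
# salt, so one derivation serves every vault. (With a per-vault salt the
# kdf() call would have to move inside the inner loop, one per vault.)
ITERATIONS = 20_000
KEY_LEN = 32
BLOCK = 16


def kdf(master_password):
    """The slow step: PBKDF2-HMAC-SHA256, deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), b"", ITERATIONS, KEY_LEN)


# Toy cipher standing in for AES in a padded mode: an HMAC-derived keystream
# XORed over PKCS#7-padded data. Present only so the example is self-contained.
def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _pad(data):
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k


def _unpad(data):
    """Return the plaintext, or None when the PKCS#7 padding is invalid."""
    if not data or len(data) % BLOCK:
        return None
    k = data[-1]
    if not 1 <= k <= BLOCK or data[-k:] != bytes([k]) * k:
        return None
    return data[:-k]


def encrypt_field(key, plaintext):
    iv = os.urandom(BLOCK)
    padded = _pad(plaintext)
    return iv + bytes(a ^ b for a, b in zip(padded, _keystream(key, iv, len(padded))))


def decrypt_field(key, blob):
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    return _unpad(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


def looks_sane(plaintext):
    """Second filter after padding: a username field should be printable ASCII.
    Valid padding alone gives roughly a 1-in-16 false positive on a wrong key."""
    return bool(plaintext) and all(32 <= b < 127 for b in plaintext)


# Constructed vaults (not real data): vault id -> (username, master password).
USERS = {
    "vault-1": ("alice@example.test", "correct horse battery staple 7!"),
    "vault-2": ("bob@example.test", "Password1"),
    "vault-3": ("carol@example.test", "letmein"),
    "vault-4": ("dave@example.test", "Tr0ub4dor&3-x9"),
}
VAULTS = [{"id": vid, "username_ct": encrypt_field(kdf(pw), user.encode())}
          for vid, (user, pw) in USERS.items()]
WORDLIST = ["123456", "Password1", "qwerty", "letmein"]


def crack(vaults, wordlist):
    """Outer loop pays the KDF once per guess; inner loop is cheap per vault."""
    cracked = {}
    for guess in wordlist:
        key = kdf(guess)
        for vault in vaults:
            if vault["id"] in cracked:
                continue
            pt = decrypt_field(key, vault["username_ct"])
            if pt is not None and looks_sane(pt):
                cracked[vault["id"]] = (guess, pt.decode())
    return cracked


if __name__ == "__main__":
    print(crack(VAULTS, WORDLIST))
```

Four KDF runs recover two of the four vaults; the cost per vault only goes down as the number of stolen vaults goes up, which is the numbers game the comment describes. The two vaults with long master passwords are untouched by this wordlist.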

Banned Tornado Cash code reuploaded to GitHub in free speech test

Pier Reviewer

GitHub is committed to freedom of expression eh? Their actions say otherwise - https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

UK's new Brexit Freedom Bill promises already-slated GDPR reform, easier gene editing rules

Pier Reviewer

Re: "more agile way"

Inevitably means passing primary legislation (an Act) that says “the Secretary of State can make regulations doing whatever the hell they want”. Secondary legislation (the regs) gets far less scrutiny from Parliament, basically letting the government make any regs it wants with no input or oversight from Parliament.

Fun times -.-

Ethical power supplier People's Energy hacked, 250,000 customers' personal info accessed

Pier Reviewer

Re: Thought exercise

The main problem you have with this kind of thing is that if you can compromise the app you can access any data/systems the app can access. If the app needs to show you your details, it needs access to them.

One option is to encrypt at rest, but then you have the key management problem - the app needs access to the key, so an attacker that compromises the app can get the key.

You can (partially) solve this using a HSM - the encryption key is itself encrypted using a HSM. When the app needs the key it passes the encrypted key to the HSM and asks it to decrypt it. There are still issues with this (performance vs security, eg do you use a single key, one per user etc). However it means at the very least the attacker either needs to extract the key as well as the DB, or individually exfil every record. If you have a blue team the idea is they spot this behaviour before too much damage is done. If you don’t, then you(r customers) are boned either way.

Neither HSMs nor blue teams are particularly cheap. Guess what businesses value most when asked to choose between definitely spending a wad of cash to protect someone else’s data, or pocketing larger dividends with a risk they *might* get popped?...

Cyberup campaign: 80% of infosec pros fear they might fall foul of UK's outdated Computer Misuse Act

Pier Reviewer

Re: Those laws are still perfectly good

If you’re relying on the law “figuring it out” it’s a bad piece of legislation. The comments here are reminiscent of the Daily Mail, and basically boil down to “I think you should have permission/a warrant so the law is fine”. Pity that’s not all the CMA criminalises. s3A(2) is particularly egregious -

“A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1,3 or 3ZA”

Releasing a proof of concept tool (even a non-weaponised one) is likely to assist attackers. Guilty. Releasing a scanner to help ppl test if their servers are affected by a vulnerability is also an offence. Release a patch to fix the vuln? Yeah sorry - criminals diff patches to determine what they fix then write exploits for the bug. You likely assisted an offence.

I’ll say it again - if you’re reliant on someone saying “oh but he didn’t *mean* anything bad” you are taking an enormous risk on. You could just as easily be thrown under the bus by a future regime that doesn’t like what you say/the colour of your skin etc. That’s bad law.

It also puts the U.K. at a massive disadvantage. Those risks don’t exist in many other countries. Businesses as a rule don’t enjoy risk. They avoid it. It’s therefore likely that the UK gets left behind in this field, or they simply move their operations overseas.

Nobody sane is saying it should be the Wild West. They’re saying the wording of the law needs clarifying so that it’s eminently clear what is permitted and what is criminal. At the moment there’s too much scope for abuse.

Windows kernel vulnerability disclosed by Google's Project Zero after bug exploited in the wild by hackers

Pier Reviewer

“... I would say the medical profession is probably the worst for it though.”

Telco. You can have a 90 minute meeting where around a dozen actual words are spoken - the rest is just letters :/ It’s horrendous.

Top 5 billionaires find that global pandemics are good for business – and their wallets

Pier Reviewer

Re: Zuck Nuggets

I think I’ve just become vegetarian.

Southern Water customers could view others' personal data by tweaking URL parameters

Pier Reviewer

Re: Legality?

Client and server side request forgery (CSRF and SSRF) aren’t really forgery per se. It’s more a case of social engineering the browser/server. “Hey, hand this card to the cashier over there will you?”. The cashier recognises the person handing over the card and acts on the instructions therein.

Vulnerability taxonomy can be pretty hazy, and I personally would describe this as an insecure direct object reference (IDOR). However I think we can all agree it was an appalling weakness that should never have made it past the design phase never mind to production.

Using turds like S***point, SAP etc as some kind of framework is getting more common. The problem is it appears ppl pick their crap, overpriced middleware based on what they’ve used before rather than what is appropriate. Then you get stuff like this - “we need it to do X to keep the data secure”. “Sorry, it doesn’t support X”

Epic move: Judge says Apple can't revoke Unreal Engine dev tools, asks 'Where does the 30% come from?'

Pier Reviewer

" consumers could choose when deciding to buy an Android device or an iPhone "

That is one dangerous argument for Apple! Can’t believe they used it to be honest. They must not have anything else that might have a chance of being accepted. I think they just walked into Epic’s trap.

Yeah you can go to Android. And pay 30% commission there too. Two providers? Same high fees? Sounds awfully like a cartel...

C++ still rules the Chromium roost though Rust has caught our eye, say browser devs

Pier Reviewer

Re: Rust, Rust, Rust

The things you mention are good practice for avoiding out of bounds access, however that’s already one of the less common CWEs. Use after free and type confusion are much more common, and very much a C++ problem. Rust prevents them at compile time.

You’re right that many issues can be avoided by using C++ properly. The problem is the compiler doesn’t enforce that. As a result people make mistakes that make it into the build, and in a 100 million line code base are hard to find. Rust simply says “no” and refuses to build, ensuring that such issues are dealt with ASAP.

First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

Pier Reviewer

“Stop using Windows...”

Won’t make you any more secure against this type of attack. It was a targeted attack using a VM (i.e. they can deploy it on anything a VM can run on). They simply phish users, gain network access then deploy the VM.

Using Win10 actually makes you less likely to be hit by this particular attack if you enable Hyper-V as any fool knows.

We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother

Pier Reviewer

Banning query parameters (the stuff after the “?”) doesn’t fix the problem sadly. A site operator could provide a start_url value like https://pwa.acme.com/start/123456 where 123456 is a unique number for each user. Voila, you can be uniquely identified.

Whilst the article appears to bemoan the fact that the issue is being left to browser makers to fix, I don’t see a reasonable and effective alternative. The solution needs to be where it’s most effective. Letting site operators like Facebook et al decide how to prevent tracking is laughable. The problem of course is that Google intentionally broke the Chinese wall by releasing a browser. The only practical solution to avoiding tracking in this instance is to have the browser makers fix the problem and keep away from Chrome.

What the duck? Bloke keeps getting sent bathtime toys in the post – and Amazon won't say who's responsible

Pier Reviewer

Re: Review stuffing

Yeah. Poacher checks on hen house. Looks good gov’...

Pier Reviewer

Review stuffing

It’s a known scam. Buy a load of cheap tat, giving a fake address. Get 100% buyer feedback. Convert account to a seller. Now you’ve got a seller account with loads of positive feedback. Totally trustworthy right?...

Indian conglomerate Reliance Industries says it's built its own 5G kit and hopes to sell to all comers

Pier Reviewer

Re: Home buying

Cost. Living expenses are higher in the UK, so wages are higher too by necessity.

There’s little detail here - 5G was designed to move away from hardware and towards software as far as is reasonably practical. You can deploy a 5G core (SA or NSA) without owning any hardware (granted, your Azure/AWS bills will be something to behold!). It’s only the RAN side where you need specialist equipment. The radio tech for 5G is crazy. Even then, a significant portion of the RAN functions can be performed in software.

These folk may well be talking about a software only core offering. If that’s the case I don’t see how the UK could ever hope to compete. India has a large number of STEM graduates in a culture that values education, and significantly lower wages than the UK. The UK *could* produce a product, but it wouldn’t sell.

Rust code in Linux kernel looks more likely as language team lead promises support

Pier Reviewer

Re: Is there a reason we need YAPL?

“...zero advantage over C”

Well the first and obvious advantage is that you only need to worry about memory corruption vulnerabilities in the subset of code that you marked with the unsafe keyword, rather than the entire codebase (27 million LoC says hi). As a result you can spend all of your effort on a much smaller area and have much more confidence that it is safe.

As to having to use “raw memory” - Rust *does* access “raw memory”. It compiles to assembly language just like C. However the Rust compiler has a significant number of compile-time checks to ensure memory access will be safe at run time. Ergo it is basically as fast as C, and has far fewer vulnerabilities because you’ve just wiped out half a dozen classes of vulnerability at compile time.

Believe me - I hate doing vuln research on Rust code bases because 95% of the cheap RCE wins just don’t exist compared to C :( There are some crazy things that can happen in C that even experienced programmers make mistakes with, and where the language is broken (floats leaking memory content for example). Even stuff as innocuous as this can get you RCE -

size_t len = userSuppliedNumber;

unsigned char buf[len];

I love C but Rust is a great language, and I can see that because I bothered my arse to look into it. Linus’ concerns re: the compiler are valid, although gcc isn’t exactly covered in glory when it comes to “interesting” side effects and behaviour. Anyone wanting to work in systems programming would do well to look at both C and Rust, as it makes more of the jobs market available to you.

Pier Reviewer

Re: Rust and kernel

Rust doesn’t require any kind of library support any more than C does. Both have a standard library (libc and libstd respectively) and should you delete those from your system you will find it becomes rather less useful. However, neither language *needs* those libs - they merely save you a lot of typing.

I’m secure code reviewing a few million lines of each (C/C++ and Rust) as we “speak”. The client is moving to Rust in a field that requires extraordinarily fast and reliable code. Not only is the Rust output able to match performance, it’s not a shitshow of buffer overflows, stack underflows, format strings etc. We’ll see a lot more Rust going forwards because it’s a good language.

At least use the language before commenting on its weaknesses rather than simply parroting what Dave said down the Nags Head (who likewise heard it third hand from someone scared that their skill set will be outdated and they won’t find much work in the future).

July? British government could decide to boot Chinese giant Huawei from the UK's networks by this month

Pier Reviewer

Alas it’s not necessarily that simple. Huawei aren’t publicly listed - the (Chinese*) employees own the shares. I would be extremely surprised to see them list publicly as it risks western involvement in the board.


* non-Chinese employees are plentiful, but not entitled to own shares.

Consumer orgs ask world's competition watchdogs: Are you really going to let Google walk off with all Fitbit's data?

Pier Reviewer

Re: Isn't it time for Google to face the Anti-trust strongarm squad?

Ahh, so they’re protecting us from the reds under the bed? Thanks for pointing out who we need to be scared of. I’m glad corporate America can protect us from those scary reds.

Out of interest, what extra harm would a Chinese company having all this information cause vs the status quo?

Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

Pier Reviewer

Re: The law is fine and doesn't need changing

No, it’s not fine. It would help if people bothered themselves to read the act (as amended) to see what it actually criminalises rather than thinking “hacking bad, so law good”.

The entire thing is so widely drafted it’s ripe for abuse. However the truly awful provision is s.3A - http://www.legislation.gov.uk/ukpga/1990/18/section/3A.

Creating, sharing or possessing a tool that *could* assist in an offence under s.1 etc is an offence. So, you want to test how many of your servers are vulnerable to a recent zero day? You write a script to scan your own estate. Bad news. You just committed an offence. You want to share it with your contacts in your suppliers etc so they don’t get popped? Again, criminal. Share it with the wider community to help as many ppl as possible? Same.

Okay, so you put a disclaimer on it (“must not use without permission of network owner”). Bad news. That’s not a defence - that’s evidence the CPS will use against you to show you knew it could assist in the commission of an offence.

How about you want to make a product like Nessus, Qualys etc? Yeah no - criminal in the UK.

But those ppl won’t get prosecuted you say. That there is the problem - you have a law that basically makes using a networked computer criminal, and leaves the decision to prosecute to a bunch of people who may or may not have the best interests of society as their priority. Pissed off the wrong ppl? Criminal record says hi!

There’s a reason there is a paucity of security research in the UK - it’s grotesquely high risk even as a white hat, and a criminal record basically ends your career. If you report an issue to someone who simply wants it to go away the CMA will do that nicely.

The CMA is a bad law with a good purpose. It needs to be changed. It could create highly skilled jobs in the UK if done right, but Ofc nothing will change as MPs have no knowledge of the field and no desire to learn.

ZFS co-creator boots 'slave' out of OpenZFS codebase, says 'casual use' of term is 'unnecessary reference to a painful experience'

Pier Reviewer

Re: My first thought:

It’s a stupid idea. The only ppl it benefits are white guys who don’t want to be reminded what their race/nation did in the past and might be in some way linked to them. Yeah, let’s bury references to slavery. That’ll help ppl currently subjected to racism.

The term slave in this context has nothing to do with slavery, racism etc. A poster above considers the use of “directed” in its stead. Directed also has more than one meaning. c.f. a directed graph. Is the graph taking instruction? Turns out words can have more than one meaning.

Finally, the entire argument “well if it stops one person being unhappy surely it’s good?” is childish. It fails to understand and accept that there will always be ppl unhappy about the status quo, whatever that be. Take democracy for example. The unhappiness of a significant portion of the population is a mandated feature of democracy. It’s about the will of most ppl, not all.

I’d be happy to make the bet that you can’t find a single thing that at least one person doesn’t find offensive. And that there is the issue with the childish argument - the grownups can and will game it for their own benefit.

Can we stop with the ridiculous “I’m offended on behalf of X” bollocks please, and actually think like adults. There are so many things that we can do to help make racism etc a thing of the past. Changing the word slave in your codebase is not one of them. It is however the least effort you could humanly make...

Twitter, Reddit and pals super unhappy US visa hopefuls have to declare their online handles to Uncle Sam

Pier Reviewer

Question (not a Merkin)

Does the Constitution extend rights to people that aren’t American citizens? If I’m applying for a visa I’m not a US citizen - do I benefit from US constitutional rights at that stage?

Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Pier Reviewer

If you don’t care about security, the bad guys care about you

Internet facing RDP... Jesus. I love it when you find it on jobs. It’s an easy win. It’s insane that people don’t put it behind a VPN (that requires MFA).

Ofc that alone isn’t a fix for ransomware. There is no single fix, which is why companies keep getting reamed. They’d evidently rather risk paying millions than definitely spend money avoiding the risk, even if it basically guarantees they won’t be badly affected. It’s 100% the board’s fault. They could force a change, but costs reduce their dividends. Better to risk it and make secret payments to the criminals if you get hit rather than reduce your take home pay innit?

The fix? Nothing new or exciting. Regular, tested off-site backups, maintain a register of installed software and audit it regularly, patch regularly, MFA for all sensitive services and accounts etc.

I've seen things you people wouldn't believe. Spacecraft with graphene sails powered by starlight and lasers

Pier Reviewer

Re: Calling Isaac Newton...

Re: using the destination star to slow down travel.

The problem is it tends to defeat the purpose of the idea (to get from A to B within a human lifespan). By decelerating from about the halfway point you take about 42% longer to get there (sqrt of 2, on the assumption the target star will decelerate your craft at 1 ms⁻²).

Anyway, I’ve seen Star Wars. And whilst that *is* a moon, I’m not wholly comfortable with an 8GW laser array on it.

Pier Reviewer

Re: Calling Isaac Newton...

The problem is that the closer you get to another star the more pressure it exerts on your sail in the wrong direction. That’s why you need the laser. However you need to focus your laser on a 14 m² area at a distance of ~4 LY. Not exactly a trivial design requirement.

Then there’s the second issue - you arrive in the Alpha Centauri system at ~15% c. You need some way to slow down or you’ll just barrel straight through. If you’re spending that much time, money and effort getting to another star system you probably want to get some data back. You’ll have trouble getting through the submission phase if you’re basically proposing throwing billions of <currency> at a star using a giant **** off laser.

That’s the biggest issue with any kind of fast travel. You need to slow down without turning your payload to jam/dust. Consider the difference between going from 70mph to 0mph in a controlled fashion vs stopping fairly instantaneously through the help of a bridge support.

The point of containers is they aren't VMs, yet Microsoft licenses SQL Server in containers as if they were VMs

Pier Reviewer

Re: What next...?

You’re not buying it... It’s closer to the car PCP model. You rent it. You stop paying rent it goes back to the dealer/MS. You drive the car lots? You pay more to the dealer. You use SQLS lots? You pay more to MS.

I’m not a fan of MS’s licensing model to be fair for various reasons (complexity being high up on the list) but what you describe already exists, and for a physical object, not just software.

Uber, Lyft struck by sue-ball, no, sue-meteorite in California after insisting their apps' drivers aren't employees

Pier Reviewer

Re: Contracting...

The Cali law has some similar features to IR35 in Blighty. The differences in how the two are perceived is a little surprising tbh.

Lords: New IR35 off-payroll tax rules 'riddled with problems, unfairnesses, unintended consequences'

Pier Reviewer

Re: How to make it go away

Easy for MPs to show they’re outside IR35. They spend some (I won’t say most) of their time doing their job as an MP rather than consulting for one firm. They also tend to consult for multiple companies rather than just one.

Keen to go _ExtInt? LLVM Clang compiler adds support for custom width integers

Pier Reviewer

Re: Sounds like a good idea

You’ve basically described how security bugs arise. Make assumption. Assumption is invalidated. Shit happens.

It’s also why we (should) unit test for such things before pushing to prod. But hey, testing is boring so we don’t do it right?

As to using unused bits - plenty of tech still does that. The Deflate algo, ASN.1 PER etc. It’s not going away.

Something a bit phishy in your inbox? You can now email suspected frauds straight to Blighty's web takedown cops

Pier Reviewer

If only the NCSC had ppl capable of performing threat modelling and risk assessment before they rolled this out!... Luckily the commentards can pick up the slack, and the NCSC can hopefully fix this terrible oversight -.-

Zoom vows to spend next 90 days thinking hard about its security and privacy after rough week, meeting ID war-dialing tool emerges

Pier Reviewer

Re: Its much worse than that... Complete Infosec fail?

Whilst the encryption isn’t what they claim it’s still pretty decent. According to Bruce it’s AES-128-ECB (not CBC). The key and block sizes make it infeasible to brute force the key or abuse SWEET32.

ECB is commonly considered to be weaker than CBC, but it has a simpler implementation and thus less room for catastrophic error (POODLE says hi, and ECB mode isn’t vulnerable to SWEET32 either, whereas CBC mode is). The thing with crypto is the crypto nerds get hyper excited about theoretical attacks like breaking 3 rounds of cipher X, or having utterly impractical requirements. It’s great to publish those findings as they can be built upon to create more powerful attacks, but the media (social included) tend to run ridiculous headlines as a result.

The Chinese server involvement is certainly worthy of investigation, but would it be any better if that server were hosted in the US/Europe but rented by a shell company operated by Chinese sigint? Geolocation counts for shit.

Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection

Pier Reviewer

Re: Unions

“ Unions have their place, but the guy leading the charge is being paid to be somewhere else, and he isn't doing what he was being paid to do, then the guy doesn't deserve a job.”

You’ve misunderstood Amazon’s reasoning. It’s cheaper for them to pay one guy to stay home and stop rocking the boat, than to implement effective measures to protect the rest of their employees. They basically wanted to pay him off ( as cheaply as possible). It has similarities to Weinstein. “Shut up and take the money”.

FYI: You can trick image-recog AI into, say, mixing up cats and dogs – by abusing scaling code to poison training data

Pier Reviewer

Re: how they want some attention...

It’s not a bug. It’s intentional. When you’re scaling an image to a smaller size you lose data, as you are only able to represent a fraction of the original data. You need to decide which parts of the data are more important and which can be thrown away.

The side effect of this is that in this very particular use case, the classifier can be tricked into classifying an input incorrectly, and human auditing is less likely to detect it (“hey, who flagged this cat as a traffic light?!”).

Yes, it has limited use at the moment, but when ppl start selling data sets on a larger scale, and for sensitive use cases, it could be a more significant issue.
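The mechanism the comment above describes, as an added example (not from the article, the paper it reports on, or the commenter). It assumes a nearest-neighbour resampler that keeps the top-left pixel of each k×k block; real libraries pick a slightly different sample point, but the construction is the same once you know which one. Images are plain lists of grey values and both the decoy and the target are constructed. The last function is the check a data team can run on incoming images: if nearest-neighbour and area-averaging downscales disagree badly, the image has content hiding between the sample points.

```python
# Grayscale images as lists of rows of ints in 0..255. All inputs constructed.
K = 4      # downscale factor: 16x16 source -> 4x4 model input
SRC = 16

# The decoy: a textured mid-grey picture, what a human reviewing the dataset sees.
DECOY = [[100 + (y + x) % 7 for x in range(SRC)] for y in range(SRC)]
# The target: a 4x4 checkerboard, what the model will actually see after scaling.
TARGET = [[255 if (y + x) % 2 == 0 else 0 for x in range(SRC // K)]
          for y in range(SRC // K)]


def downscale_nearest(img, k):
    """Nearest-neighbour: keeps one pixel per k*k block and discards the rest.
    Assumed to sample each block's top-left pixel."""
    return [[img[y * k][x * k] for x in range(len(img[0]) // k)]
            for y in range(len(img) // k)]


def downscale_area(img, k):
    """Area averaging: every pixel in the block contributes to the result."""
    h, w = len(img) // k, len(img[0]) // k
    return [[sum(img[y * k + dy][x * k + dx] for dy in range(k) for dx in range(k)) / (k * k)
             for x in range(w)] for y in range(h)]


def craft(decoy, target, k):
    """Write the target only into the pixels the resampler keeps; the rest of
    the decoy, which is all a human looks at, is left untouched."""
    out = [row[:] for row in decoy]
    for y, row in enumerate(target):
        for x, v in enumerate(row):
            out[y * k][x * k] = v
    return out


def changed_fraction(a, b):
    """Fraction of pixels that differ between two same-sized images."""
    total = sum(len(r) for r in a)
    diff = sum(1 for ra, rb in zip(a, b) for va, vb in zip(ra, rb) if va != vb)
    return diff / total


def scaling_mismatch(img, k):
    """Mean absolute difference between nearest-neighbour and area downscaling.
    A benign image gives a small number; a crafted one gives a large one."""
    n, a = downscale_nearest(img, k), downscale_area(img, k)
    cells = [abs(n[y][x] - a[y][x]) for y in range(len(n)) for x in range(len(n[0]))]
    return sum(cells) / len(cells)


if __name__ == "__main__":
    crafted = craft(DECOY, TARGET, K)
    print(downscale_nearest(crafted, K) == TARGET)
    print(changed_fraction(DECOY, crafted), scaling_mismatch(DECOY, K), scaling_mismatch(crafted, K))
```

Only 1/k² of the pixels (one in sixteen here) are touched, so the crafted file still looks like the decoy to a reviewer, yet the resampler hands the model exactly the checkerboard. The mismatch score separates the two cleanly because area averaging is dominated by the fifteen untouched pixels in every block; resampling with a filter that uses every input pixel is also the straightforward fix.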

Austrian foreign ministry: 'State actor' hack on government IT systems is over

Pier Reviewer

Re: Source article interesting, kind of

The good guys (as in competent, not white hat) don’t use random outbound ports. They use 443/tcp to a cloud host along with domain fronting to avoid TLS interception. All the victim sees is a request to a Microsoft.com domain or whatever.

If you think detecting decent, custom, memory resident malware is easy you should go work as a front line SOC analyst and see just how easy it is to detect that kind of thing in amongst the network noise. Generally threat actors will compromise the network (maldoc, cred spraying, 0-day), quickly obtain persistence then lie low for a while. If you don’t manage to detect the initial compromise (often the riskiest phase as it’s noisy/prone to failure) you are flat out stuffed.

I know what you’re thinking - don’t open random email attachments. Competent attackers don’t use random email addresses. They cred spray/phish your organisation then send emails/instant messages using your own infrastructure. Got a spreadsheet from Alice in Accounts? Must be safe to open, right?...

You're always a day Huawei: UK to decide whether to ban Chinese firm's kit from 5G networks tomorrow

Pier Reviewer

Re: Treasury Notes

“ If Huawei is allowed into western teleco networks, the governments will have to cover the purchase of this equipment by issuing treasury notes.”

Wtf are you smoking? The gear will be purchased by EE, O2, Voda etc using their own cash, not the UK government bonds. They are private companies, and the money Huawei receives is kept by Huawei, which is owned by its (Chinese) employees, not the state. Ffs stop reading Breitbart propaganda and get some kind of clue as to how business works.

Boris celebrates taking back control of Brexit Britain's immigration – with unlimited immigration program

Pier Reviewer

Re: Good, good.

“ Well done Boris and Priti for delivering on your promise.”

Can you point to what’s actually been delivered? It’s just talk at the moment. The visa changes cannot apply until 2021 at the earliest, so best hold onto your thanks until then. It might not work out quite as you’d hoped.

Saying you want the best engineers etc to come to the UK is one thing. Convincing them to accept your kind invitation is quite another.

It will be interesting to see how the hostile environment policy pans out with all these foreign engineers on our shores. I rather suspect that more than one poor soul will find that a PhD, full work history, and Nobel Prize will count for nought when the Home Office comes a-knocking :(

This episode of Black Mirror sucks: London cops boast that facial-recog creepycams will be on the streets this year

Pier Reviewer

Numbers game

It’s a numbers game. This guy’s number was 100k - https://www.bbc.co.uk/news/uk-scotland-south-scotland-51255287 :) I hope the Met have deep pockets!