Posts by Pier Reviewer

Re: What I said in February 2022 on the Computer Misuse Act ...

Any law that relies on the government of the day pinky promising to use it in a specific way is a bad law. The way in which it should be used needs to be explicit so the courts can determine Parliament’s intent.

A future government could readily decide to use the CMA as a political weapon and prosecute someone in circumstances the current government said they wouldn’t. Either fix it, or suck up the consequences, which are primarily a huge amount of UK businesses sitting on unmanaged risk that the bad guys will happily find and abuse for profit because no sane person will report a vulnerability they stumble across even accidentally

Remember - outside of extremely limited circumstances English law never punishes inaction. Under the CMA, if you know/think an org is sitting on a tech time bomb, unless you already have written permission you STFU and move on. You do not ask for permission, because you basically admit to an offence under the CMA in doing so. Is that really what we want? Because that’s where we’re at.

Re: Facepalm

It feels a *little* over-egged if I’m honest. There’s some truly interesting and impressive work in there, particularly around the engineering side. Winning the race condition between the UE and gNB is far from trivial!

On the impact front they’ve gunned for headlines a bit. They can capture the SUCI from <20m away. At that distance you may as well take the lad’s photo and run it through a reverse image search if you want to ID him. The SUCI is useless for that purpose - that’s its entire function! The SUCI can be abused as a session identifier, but not a permanent device identifier. You can say “this SUCI moved from the office at 123 Blah Street to Wetherspoons at lunchtime” but you can’t correlate that with other movements on other days, or even as they state themselves, between the UE going into and out of a lift/other poor signal area. If the UE loses signal and needs to handshake again, it’s using a new SUCI.

If they’d managed to get a SUPI then that would be proper news! Not a great analogy, but think of it a bit like sniffing a TLS handshake (the SUCI in this example) vs the private key (the SUPI). The SUCI is expected to be exposed by design.

The attacks were mostly performed against non-realistic gNBs (basically test gear). When they used a proper one they discovered that they absolutely hammer bandwidth so there was no “slack” for them to inject messages and their success rate (already not great at 80%) tanked. Tbf attacks only get better, but there’s still a lot of getting better to do :D

They say that the benefit of their attack is it doesn’t require a rogue base station so it’s much harder to passively detect (they can use beam forming etc to ensure only the target UE “sees” their messages). Then, the only interesting actual attack (4G downgrade) uses a rogue base station :D The downgrade is interesting, but there’s no evidence it works on anything recent, and it’s wholly detectable.

Finally, the UEs weren’t exactly brand spanking new. Pixel 7?! Sure, plenty of people outside of the US/Western Europe etc are using older models, but are they even supported any more?

Like I say, great engineering, shit sample sizes, poor headline grab.

Re: So why not locate by rivers, lakes or the ocean?

That’s not how evaporative cooling works in practice. *Some* water is evaporated into the atmosphere. Some is not. Some recondenses within the evaporator.

Assuming you can avoid the dogs/angry men go stand under a power station cooling tower and tell me how dry you are 30 seconds later…

Can’t speak for the US, but the UK has a 2C limit on cooling discharge net temperature for rivers. That is, whatever you pump back into the river can be no more than 2C warmer than what you pumped out. If you get the river too warm, algae gets into its groove, then wipes out pretty much all aerobic life in the river when it dies off. It’s not pretty.

Re: "allowed Beijing to 'geolocate millions of individuals' "

The value isn’t so much in tracking all those users, it’s the insight data at that scale can give you. Given someone’s work mobile you can find their personal mobile (they’re physically located in the same place lots of the time), their kids’ mobiles etc.

Ofc they may well have had access to “wiretapping” functionality which is a mandated function telcos must have to support TCNs/whatever the Yanks call them. Again, listening to me and thee chat **** about the footy isn’t super interesting, but with that scale of access they’re likely to find *someone* they’re interested in nosing into.

tl;dr - it’s bad. Like, really bad.

Re: It's not the language, it's just the way it's "talking"

ASN.1 parsers written in C/C++ are a fantastic source of vulnerabilities! When I’m doing a secure code review of a C/C++ code base that includes a custom ASN.1 parser, that’s the first thing I’m looking at. So many devs screw it up.

That’s the problem with C and C++ - reality doesn’t necessarily meet spec, which is basically the definition of a software vulnerability. Rust’s compile-time constraint validation straight up guarantees you don’t get undefined behaviour wiping out the types of vulnerabilities responsible for ~70% of all published vulnerabilities.

The folk citing the “unsafe” keyword’s existence clearly don’t understand its use case. In C/C++ code bases the entire thing is “unsafe”. You’ve got millions of lines of code to worry about. In Rust, your primary concern is the few thousand lines explicitly flagged as “unsafe”. That’s a far more tractable problem for a human to review, so you’ll get far fewer memory safety issues making it to production.

“…if it happens repeatedly I do want Windows to eventually disable the driver so I can get on with my day.”

And you’ll be happy to know that Windows does just that! Unless you flag your driver as “required for boot”. Guess what CrowdStrike did?…

Windows was told it couldn’t boot without the driver, so it loaded the driver. This ain’t an MS issue. This was 95% CrowdStrike and 5% IT depts who are admittedly overstretched and have neither the time nor resources to deploy patches to their fleet in waves and stop if something goes south. But mostly CrowdStrike.

Srsly. No null check? Bypassing their own deployment protocols?! Jebus H Almighty…

Re: fingerprinting

The idea behind fingerprints etc is to avoid the kids holding onto transferable value. Cash, tickets, some cards all increase the risk that some kids get the **** kicked out of them so some other kids can take the valuable thing off them.

There’s always some risk. The key is to manage it appropriately. Fingerprints tend to be less invasive than full facial recognition and perform the same job. Whilst tickets avoid all the data protection risk, they don’t manage the risk of kids getting kicked about for the cash they use to buy the tickets, or the tickets themselves.

The school (hell, almost any school) looking to use facial recognition is insane. Them doing it without consulting their own DPO suggests the SLT aren’t competent or fit to run a school.

Re: Norway

Norway is coastal. Average winter temps are nowhere near the US mid-west which is in the middle of a massive land mass and gets *cold*! Like -50C cold.

Sure, nobody’s going to Norway for a beach holiday in February, but given its latitude it’s fairly mild, so EVs are pretty practical.

Netflix have a much easier job of reducing bandwidth usage. They can (and do) deliver a box to ISPs that is basically Netflix in a can (https://openconnect.netflix.com/en/appliances/).

Now that ISP’s subscribers fetch their films from that box, which means the ISP isn’t using (as much)!bandwidth from a third-party, making it cheaper and faster! Netflix provides them for free because it helps them too so it’s win-win.

Twitch can’t do that. Their content is live, so they can’t can it in advance. So yes whilst they’re both streaming services they’re both very different.

Re: Nuclear weapons research

We’ve had fusion bombs for decades. What do you think an H-bomb is? The problem is the weapons tech isn’t very useful for commercial use. Detonating a fission bomb to start your fusion reactor tends to have the unfortunate side effect of obliterating your power plant, entire staff and anything else within a 20km radius.

It would be nice to have a controlled fusion reaction that energy can be transferred from to generate electricity. This research is a tiny part of that plan. Tiny, but important.

“ 67 percent of zero-day vulnerabilities in 2021 were memory safety flaws”

There’s your answer. If you fix memory corruption at source you fix 2/3 reported vulnerabilities. Languages like Java and C# appear in far fewer vulnerabilities, so spending resources there gets you less improvement.

Which class of vulnerabilities are you hoping to squash with a new application programming language, how common is it vs memory corruption, and how will it fix it?

They’re still on their holidays for a couple of weeks yet! So 3 weeks.

The robot testing which of the stolen cards in its list are valid/not blocked :(

Sadly things like that are abused, and the little coffee/pizza shop gets dumped on by the card acquirer (higher charges due to reversals etc.) so they need to protect themselves.

It’s crap, but I can’t blame them.

Re: Teaser......Diffie/Helman might be more secure than described......

There are two forms of DH key exchange- ephemeral and elliptic curve. Both forms rely on the difficulty of solving the discrete logarithm problem (DLP) for their security. This problem can be attacked much more efficiently with a suitably large quantum computer.

So…

1. Yes

2. No - the exchange publicly shares intermediate values which can be used to recover the key by solving the DLP (currently not feasible, but Shor’s algorithm on a QC will do it)

3. Yes - this helps *now* (the DLP is extremely expensive to solve) but with a suitable QC doesn’t add much protection

Re: How was this made possible?

Properly segmenting data from the Internet is almost unheard of. I’ve worked in one one place where it happened - I had to go to another part of the building to Google stuff. Then write down/print the results and walk back to my desk. It’s not practical in most orgs.

If you want email to the desk, you have a route between the Internet and your PC. It may not be very direct, but it exists. Same with browsing the Internet.

Personally my money is on VPN access with no MFA. Got no evidence at all to support that, but Exchange is awesome for highly reliable user enumeration and cred spraying. Plenty of enterprise VPNs support LDAP authN (i.e. AD) - find valid creds via Exchange, use them to VPN in. We do it all the time at work.

Re: Fuck business

The UK’s new car consumption is disproportionately large for its size (1/7 of all new cars sold in EU+UK were sold in the UK). But that’s still a relatively small fraction of the overall market. Don’t fall for the “big hitter” trap - as a proportion of the EU the UK market is still small.

The EU’s choice is between protecting itself from US/China or not. “Not” means the EU battery market likely dies in the face of gov subsidies from US/China. 6/7ths of something is greater than all of nothing, so I expect the EU aren’t going to back off.

There may be a little scope for tweaking things at the edges, but pain is coming one way or another.

Re: SAMBA?

Errr 40 *additional* bits of security would make it one trillion times more difficult to brute force (2^40).

Re: SQL injection flaw

Legacy? Sadly parameterising queries *still* isn’t done every time :( Even where it is, dumb stuff happens. The other week I was reviewing some code. DB interaction looked reasonable on the surface - all the queries were parameterised so it was safe right? Wrong :(

They were calling stored procedures safely, but the SPs were then concatenating input and EXEC’ing it ^^.

It’s a fairly common pattern sadly - Java/.Net/whatever devs do their bit safely, but then the data team who write the SPs do random **** like it’s 1995. Neither team knows or understands what the other team is doing so you end up with trivially discoverable and exploitable SQLi.

Re: Passwords

I have a lot of sympathy for you - you’ve likely got a million jobs to do and no resources to get them done. RDP or RDWeb facing the Internet is *super* risky though. It’s really easy to differentiate between valid user names and invalid ones, so first of all attackers will enumerate a bunch of user names. It takes 1x request per user name, so no lockouts (well, very low risk).

Now they have a list of valid user names, and can try a noddy password against each one once every 45 mins or so. Slower if they want to be more stealthy. This is all automated so there’s no opportunity cost to the attacker - they can do this vs dozens of orgs at the same time.

If they hit pay dirt you’re stuffed. And *someone* will have a bad pass. If you really must have RD on the Internet at the very least mandate MFA!

Re: Hack to death ratio

Possibly a combination of two things.

1. People stealing cars probably aren’t wearing seat belts and adhering to speed limits, one way restrictions etc.

2. I wouldn’t be surprised to find the ignition bypass doesn’t arm the airbags, so when they do crash skull meets dash/windscreen and brain soup is on the menu.

Re: The future is still the future

ECC isn’t post-quantum secure :( As with RSA algorithms are known for breaking it on a suitably large quantum computer.

However, ECC does have benefits over RSA and anyone implementing asymmetric encryption in a new system/protocol would do well to avoid RSA and use ECC instead. Unfortunately they’ll both be broken when we make large enough quantum computers.

Re: Someone Else's Password

They won’t comment on salts because the vaults are aren’t hashed - they’re encrypted. There is no salt. There will be an initialisation/nonce depending on the encryption mode in use.

Rainbow tables are no good here - there’s no hash. Attackers will (assuming there are no weaknesses with how the encryption is used - not necessarily true!):

- guess a stupid password (eg Password1)

- throw it into a password based key derivation function (PBKDF)

- use the resulting key to decrypt a username field from *every* vault

- check if they got a sane plaintext (valid padding etc)

- repeat

The PBKDF will slow them down. The trouble is, it’s a numbers game for them. They can test one pass vs thousands of vaults and only need to do the slow PBKDF once per pass. They *will* pop some master passwords, because some ppl will have used weak master passwords :(

GitHub is committed to freedom of expression eh? Their actions say otherwise - https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

Re: "more agile way"

Inevitably means passing primary legislation (an Act) that says “the Secretary of State can make regulations doing whatever the hell they want”. Secondary legislation (the regs) gets far less scrutiny from Parliament, basically letting the government make any regs it wants with no input or oversight from Parliament.

Fun times -.-

Re: Thought exercise

The main problem you have with this kind of thing is that if you can compromise the app you can access an data/systems the app can access. If the app needs to show you your details, it needs access to them.

One option is to encrypt at rest, but then you have the key management problem - the app needs access to the key, so an attacker that compromises the app can get the key.

You can (partially) solve this using a HSM - the encryption key is itself encrypted using a HSM. When the app needs the key it passes the encrypted key to the HSM and asks it to decrypt it. There are still issues with this (performance vs security, eg do you use a single key, one per user etc). However it means at the very least the attacker either needs to extract the key as well as the DB, or individually exfil every record. If you have a blue team the idea is they spot this behaviour before too much damage is done. If you don’t, the you(r customers) are boned either way.

Neither HSMs nor blue teams are particularly cheap. Guess what businesses value most when asked to choose between definitely spending a wad of cash to protect someone else’s data, or pocketing larger dividends with a risk they *might* get popped?...

Re: Those laws are still perfectly good

If you’re relying on the law “figuring it out” it’s a bad piece of legislation. The comments here are reminiscent of the Daily Mail, and basically boil down to “I think you should have permission/a warrant so the law is fine”. Pity that’s not all the CMA criminalises. s3A(2) is particularly egregious -

“A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1,3 or 3ZA”

Releasing I proof of concept tool (even a non-weaponised one) is likely to assist attackers. Guilty. Releasing a scanner to help ppl test if their servers are affected by a vulnerability is also an offence. Release a patch to fix the vuln? Yeah sorry - criminals diff patches to determine what they fix then write exploits for the bug. You likely assisted an offence.

I’ll say it again - if you’re reliant on someone saying “oh but he didn’t *mean* anything bad” you are taking an enormous risk on. You could just as easily be thrown under the bus by a future regime that doesn’t like what you say/the colour of your skin etc. That’s bad law.

It also puts the U.K. at a massive disadvantage. Those risks don’t exist in many other countries. Businesses as a rule don’t enjoy risk. They avoid it. It’s therefore likely that the UK gets left behind in this field, or they simply move their operations overseas.

Nobody sane is saying it should be the Wild West. They’re saying the wording of the law needs clarifying so that it’s eminently clear what is permitted and what is criminal. At the moment there’s too much scope for abuse.

“... I would say the medical profession is probably the worst for it though.”

Telco. You can have a 90 minute meeting where around a dozen actual words are spoken - the rest is just letters :/ It’s horrendous.

Re: Zuck Nuggets

I think I’ve just become vegetarian.

Re: Legality?

Client and server side request forgery (CSRF and SSRF) aren’t really forgery per se. It’s more a case of social engineering the browser/server. “Hey, hand this card to the cashier over there will you?”. Cashier recognised the person handing over the card and acts on the instructions therein.

Vulnerability taxonomy can be pretty hazy, and I personally would describe this as an unsecure direct object reference (IDOR). However I think we can all agree it was an appalling weakness that should never have made it past the design phase never mind to production.

Using turds like S***point, SAP etc as some kind of framework is getting more common. The problem is it appears ppl pick their crap, overpriced middleware based on what they’ve used before rather than what is appropriate. Then you get stuff like this - “we need it to do X to keep the data secure”. “Sorry, it doesn’t support X”

" consumers could choose when deciding to buy an Android device or an iPhone "

That is one dangerous argument for Apple! Can’t believe they used it to be honest. They must not have anything else that might have a chance of being accepted. I think they just walked into Epic’s trap.

Yeah you can go to Android. And pay 30% commission there too. Two providers? Same high fees? Sounds awfully like a cartel...

Re: Rust, Rust, Rust

The things you mention are good practice for avoiding out of bounds access, however that’s already one of the less common CWEs. Use after free and type confusion are much more common, and very much a C++ problem. Rust prevents them at compile time.

You’re right that many issues can be avoided by using C++ properly. The problem is the compiler doesn’t enforce that. As a result people make mistakes that make it into the build, and in a 100 million line code base are hard to find. Rust simply says “no” and refuses to build, ensuring that such issues are dealt with ASAP.

“Stop using Windows...”

Won’t make you any more secure against this type of attack. It was a targeted attack using a VM (i.e. they can deploy it on anything a VM can run on). They simply phish users, gain network access then deploy the VM.

Using Win10 actually makes you less likely to be hit by this particular attack if you enable Hyper-V as any fool know.

Banning query parameters (the stuff after the “?”) doesn’t fix the problem sadly. A site operator could provide a start_url value like https://pwa.acme.com/start/123456 where 123456 is a unique number for each user. Voila, you can be uniquely identified.

Whilst the article appears to bemoan the fact that the issue is being left to browser makers to fix, I don’t see a reasonable and effective alternative. The solution needs to be where it’s most effective. Letting site operators like Facebook et al decide how to prevent tracking is laughable. The problem of course is that Google intentionally broke the Chinese wall by releasing a browser. The only practical solution to avoiding tracking in this instance is to have the browser makers fix the problem and keep away from Chrome.

Re: Review stuffing

Yeah. Poacher checks on hen house. Looks good gov’...

Re: Home buying

Cost. Living expenses are higher in the UK, so wages are higher too by necessity.

There’s little detail here - 5G was designed to move away from hardware and towards software as far as is reasonably practical. You can deploy a 5G core (SA or NSA) without owning any hardware (granted, your Azure/AWS bills will be something to behold!). It’s only the RAN side where you need specialist equipment. The radio tech for 5G is crazy. Even then, a significant portion of the RAN functions can be performed in software.

These folk may well be talking about a software only core offering. If that’s the case I don’t see how the UK could ever hope to compete. India has a large number of STEM graduates in a culture that values education, and significantly lower wages than the UK. The UK *could* produce a product, but it wouldn’t sell.

Re: Is there a reason we need YAPL?

“...zero advantage over C”

Well the first and obvious advantage is that you only need to worry about memory corruption vulnerabilities in the subset of code that you marked with the unsafe keyword, rather than the entire codebase (27 million LoC says hi). As a result you can spend all of your effort on a much smaller area and have much more confidence that it is safe.

As to having to use “raw memory” - Rust *does* access “raw memory”. It compiles to assembly language just like C. However the Rust compiler has a significant number of compile-time checks to ensure memory access will be safe at run time. Ergo it is basically as fast as C, and has far fewer vulnerabilities because you’ve just wiped out half a dozen classes of vulnerability at compile time.

Believe me - I hate doing vuln research on Rust code bases because 95% of the cheap RCE wins just don’t exist compared to C :( There are some crazy things that can happen in C that even experienced programmers make mistakes with, and where the language is broken (floats leaking memory content for example). Even stuff as innocuous as this can get you RCE -

size_t len = userSuppliedNumber;

unsigned char buf[len];

I love C but Rust is a great language, and I can see that because I bothered my arse to look into it. Linus’ concerns re: the compiler are valid, although gcc isn’t exactly covered in glory when it comes to “interesting” side effects and behaviour. Anyone wanting to work in systems programming would do well to look at both C and Rust, as it makes more of the jobs market available to you.

Alas it’s not necessarily that simple. Huawei aren’t publicly listed - the (Chinese*) employees own the shares. I would be extremely surprised to see them list publicly as it risks western involvement in the board.

—-

* non-Chinese employees are plentiful, but not entitled to own shares.

Re: Isn't it time for Google to face the Anti-trust strongarm squad?

Ahh, so they’re protecting us from from the reds under the bed? Thanks for pointing out who we need to be scared of. I’m glad corporate America can protect us from those scary reds.

Out of interest, what extra harm would a Chinese company having all this information cause vs the status quo?

Re: The law is fine and doesn't need changing

No, it’s not fine. It would help if people bothered themselves to read the act (as amended) to see what it actually criminalises rather than thinking “hacking bad, so law good”.

The entire thing is so widely drafted it’s ripe for abuse. However the truly awful provision is s.3A - http://www.legislation.gov.uk/ukpga/1990/18/section/3A.

Creating, sharing or possessing a tool that *could* assist in an offence under s.1 etc is an offence. So, you want to test how many of your servers are vulnerable to a recent zero day? You write a script to scan your own estate. Bad news. You just committed an offence. You want to share it with your contacts in your suppliers etc so they don’t get popped? Again, criminal. Share it with the wider community to help as many ppl as possible? Same.

Okay, so you put a disclaimer on it (“must not use without permission of network owner”). Bad news. That’s not a defence - that’s evidence the CPS will use against you to show you knew it could assist in the commission of an offence.

How about you want to make a product like Nessus, Qualys etc? Yeah no - criminal in the UK.

But those ppl won’t get prosecuted you say. That there is the problem - you have a law that basically makes using a networked computer criminal, and leaves the decision to prosecute to a bunch of people who may or may not have the best interests of society as their priority. Pissed off the wrong ppl? Criminal record says hi!

There’s a reason there is a paucity of security research in the UK - it’s grotesquely high risk even as a white hat, and a criminal record basically ends your career. If you report an issue to someone who simply wants it to go away the CMA will do that nicely.

The CMA is a bad law with a good purpose. It needs to be changed. It could create highly skilled jobs in the UK if done right, but Ofc nothing will change as MPs have no knowledge of the field and no desire to learn.

Re: My first thought:

It’s a stupid idea. The only ppl it benefits are white guys who don’t want to be reminded what their race/nation did in the past and might be in some way linked to them. Yeah, let’s bury references to slavery. That’ll help ppl currently subjected to racism.

The term slave in this context has nothing to do with slavery, racism etc. A poster above considers the use of “directed” in its stead. Directed also has more than one meaning. c.f. a directed graph. Is the graph taking instruction? Turns out words can have more than one meaning.

Finally, the entire argument “well if it stops one person being unhappy surely it’s good?” is childish. It fails to understand and accept that there will always be ppl unhappy about the status quo, whatever that be. Take democracy for example. The unhappiness of a significant portion of the population is a mandated feature of democracy. It’s about the will of most ppl, not all.

I’d be happy to make the bet that you can’t find a single thing that at least one person doesn’t find offensive. And that there is the issue with the childish argument - the grownups can and will game it for their own benefit.

Can we stop with the ridiculous “I’m offended on behalf of X” bollocks please, and actually think like adults. There are so many things that we can do to help make racism etc a thing of the past. Changing the word slave in your codebase is not one of them. It is however the least effort you could humanly make...

Re: Calling Isaac Newton...

Re: using the destination star to slow down travel.

The problem is it tends to defeat the purpose of the idea (to get from A to B within a human lifespan). By decelerating from about the halfway point you take about 42% longer to get there (sqrt of 2, on the assumption the target star will decelerate your craft at 1ms-2).

Anyway, I’ve seen Star Wars. And whilst that *is* a moon, I’m not wholly comfortable with an 8GW laser array on it.

Re: What next...?

You’re not buying it... It’s closer to the car PCP model. You rent it. You stop paying rent it goes back to the dealer/MS. You drive the car lots? You pay more to the dealer. You use SQLS lots? You pay more to MS.

I’m not a fan of MS’s licensing model to be fair for various reasons (complexity being high up on the list) but what you describe already exists, and for a physical object, not just software.