* Posts by Rajesh Kanungo

70 publicly visible posts • joined 23 Apr 2018


Hackers bragged that pretty vanilla breach included FBI watchlist? Well, colour us shocked

Rajesh Kanungo

Re: Remember that the FBI is seriously criminal

Look up 'ad hominem attack', please.

Juniper slips out update after hardcoded credentials left in switches

Rajesh Kanungo

Re: Get your act together, Juniper!

Sometimes developers will mask the static code analysis results (mark it inapplicable or something) so it avoids the reviewer's inspection. Sometimes the code is just not analyzed. Sometimes the software is supposed to be just a 'tool' and not considered important. Sometimes developers don't understand what it means. Sometimes the managers override the engineers. Also, peer code reviews can get a bit chummy.

Pretty reprehensible.

Mostly, when you see one such mistake, look for more of the same.

Ex-Mozilla CTO: US border cops demanded I unlock my phone, laptop at SF airport – and I'm an American citizen

Rajesh Kanungo

I wonder what Tim Cook has to say

Most employees have company confidential information, sometimes information belonging to OTHER companies. For example, it could be financial, technical, security, personnel, etc. related. So AAPL will not only be concerned about the border cops access to AAPL information but also be very concerned if someone else's information is compromised.

I wonder how lawyers handle this; they carry information covered by attorney-client privilege. Are there cases of the border cops attacking lawyers?

Rajesh Kanungo

Re: They don't even know how

You are a brave man :)

Only one Huawei? We pitted the P30 Pro against Samsung and Apple's best – and this is what we found

Rajesh Kanungo

Re: Rayleigh

How do you beat the 1.22λ/D resolution limit? You really can't beat the Rayleigh diffraction criterion by using longer exposures. The only reasons you want longer exposures are to collect more photons, to get better color and to improve dynamic range. The resolution doesn't change.

Rajesh Kanungo

Good review. RAW image options available?

I have been photographing with a 3kg full-frame Nikon setup but it gets harder and harder to justify the back and shoulder pain. Also the best camera is the camera you have.

There is a limit to the resolution that can be achieved by a small lens (Rayleigh diffraction criterion). Small aperture lenses still create problems for me while shooting nature. But the Nikon lens is close to a kilogram.

I prefer to shoot RAW and spend more time post processing than the actual shooting. Are raw+jpeg supported?

Rajesh Kanungo

Re: Nice review

Sigh. Overexposed? Asia has 3+ billion people. South Asians generally prefer bright colors and East Asians have such a variety of tastes that you may want to read up on it.

I doubt anyone likes overexposed, though.

Huawei savaged by Brit code review board over pisspoor dev practices

Rajesh Kanungo

You don't need explicit backdoors when the code is that bad.

Rajesh Kanungo

Re: The biggest threats to security

Fear.

Rajesh Kanungo

Re: I'm looking at the list of sins...

China doesn't normally outsource to India ... competence is rare but incompetence is universal.

Rajesh Kanungo

It is not a security hole if only our spy agencies can exploit them. Didn't you get that memo? From the report it seems that EVERY spy agency can exploit Huawei's products. /Sarcasm. However, sarcasm aside, I really think that the US was actually serious when they said the Huawei products were really open like a gown that they give you to wear in hospitals.

Rajesh Kanungo

Re: Real point here

The issue isn't really whether there was a security hole; there will always be vulnerabilities. Cisco has processes in place to reduce these vulnerabilities. And the idiot who came up with the mitigation should not have received an OK from the security team. And Cisco doesn't make money off their small stuff. So they are guilty to some degree too.

However, Huawei has no processes or they are ineffective. Big difference.

Rajesh Kanungo

Security is not a part of the organization's KPI

I have dealt with organizations like this ... Top Mgt. gives lip service, hires a few security experts, the developers get trained and every time the developers want to make a change the managers pull out the "schedule slip" card. The engineers go cowering to their corner. Please don't blame the engineers (that much). I even worked in an org which refused to allow static code analysis.

This will only work if every manager has security as part of his KPI. Every fix should be celebrated, every slip should be evaluated for how it could have been fixed. I found that secure code actually runs more reliably. And for people screaming about performance: crashed software has no performance. Buggy software has 0 performance. And hacked software has negative performance.

Rajesh Kanungo

Re: ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

Come to think of it I can see this being turned on incrementally. Critical outward facing modules first running the checked version (turned on by another #define). I remember a system refused to boot after we turned on stack protection ... I guess we had, unknowingly, been corrupting parts of the stack for a long time. It was a brutal fight to get the developers to go find and fix the issues.

Rajesh Kanungo

Re: One wonders...

It would be considered only if the code, build process, supply chain, and design WERE reviewed by security experts.

Huawei's half-arsed router patching left kit open to botnets: Chinese giant was warned years ago – then bungled it

Rajesh Kanungo

Little story on UPnP

Way back when I was at Sun and we were fighting MSFT (you know who won). I went to a UPnP conference in Redmond and I asked an unnamed architect about security. He said that there was absolutely no security (at that time) and it would actually make things worse. I was surprised at his candor but MSFT does hire some really smart people. Moral of the story: it is all about business. There were better protocols, better solutions. MSFT did what worked for them. The rest of the industry bought into the dream and are now picking up the pieces.

TP-Link 'smart' router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence

Rajesh Kanungo

I doubt that TP-Link is organizationally capable of handling security issues. When a guy from Google sends me an email I respond right away. Whoever at TP-Link decided to ignore this request is deliberately hiding his head in the sand.

Bandersnatch to gander snatched: Black Mirror choices can be snooped on, thanks to privacy-leaking Netflix streams

Rajesh Kanungo

Initialization Vector: In general, "Hello World" would encrypt to a different cipher string if you add a constantly changing Initialization Vector (IV) in front of the real message. Most IVs are at least pseudo-random or monotonically incrementing counters. (Simplifying here.)

M = "Hello World"

Key = k

IV1 = "bwbwebvw"

Ciphertext1 = Encrypt(IV1 + "Hello World", k)

IV2 = "bcebbewbb"

Ciphertext2 = Encrypt(IV2 + "Hello World", k)

Ciphertext1 =/= Ciphertext2

After decryption you strip out the IV.

In your case, if the protocol uses CBC, the last encrypted block would be fed into the encryption engine as the IV for the next block; only the first IV would be a real IV. I am skipping over some obvious vulnerabilities reported, especially where padding is concerned.
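The IV and CBC chaining described in the comment above, as an added example that is not part of the original post. A toy 16-byte Feistel block cipher built from HMAC-SHA256 stands in for AES (it is constructed here purely to show the mode, not for real use); the key and the IV strings are constructed values taken from the post.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF (HMAC-SHA256) truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte block cipher (4-round Feistel); stands in for AES only to show CBC.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor_bytes(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor_bytes(r, _round(key, rnd, l)), l
    return l + r

def _pad(data: bytes) -> bytes:  # PKCS#7 padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the padding-oracle risk the post alludes to lives here
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = b"") -> bytes:
    # Returns iv || ciphertext. Block i is XORed with ciphertext block i-1; the IV seeds block 0.
    iv = iv or os.urandom(BLOCK)
    padded, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor_bytes(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, ct = data[:BLOCK], data[BLOCK:]  # strip the IV, then undo the chain
    if not ct or len(ct) % BLOCK:
        raise ValueError("bad ciphertext length")
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor_bytes(block_decrypt(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))

def demo() -> bool:
    # Constructed key; the post's two IV strings repeated to fill one block.
    key, msg = b"k" * 32, b"Hello World"
    c1 = cbc_encrypt(key, msg, b"bwbwebvwbwbwebvw")
    c2 = cbc_encrypt(key, msg, b"bcebbewbbcebbewb")
    return c1 != c2 and cbc_decrypt(key, c1) == msg == cbc_decrypt(key, c2)
```

With a fixed IV, two messages that share their first plaintext block produce an identical first ciphertext block, which is why the IV must change per message.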

Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes... er, any fixes?

Rajesh Kanungo

Agreed. I have implemented many a class loader and this problem would have been caught by the byte-code verifier. We never thought it was a good idea to punt on the byte-code verifier, but do remember that the earliest SIMs were very underpowered.

SIMs nowadays are more powerful and can use byte code verifiers and decent class loaders.

Rajesh Kanungo

To add: The issue here is not Java or its architecture. It is the off-card verification adopted by the Java Card standards bodies. For this to work, the applet signing keys have to be compromised and the hacker has to slip in a malformed class file; they can go to the guys who hacked Asus for lessons. I don't want to dismiss the threat; instead of two barriers we now have only 1.

Now you've read about the bonkers world of Elizabeth Holmes, own some Theranos history: Upstart's IT gear for sale

Rajesh Kanungo

Re: My boss' analysis

Naaah. 1k doesn’t cut it. 1m? Yes.

Rajesh Kanungo

The Husky didn’t deserve this.

I have no idea why they got a husky. Huskies are really amazing dogs but ... Huskies talk back to you, argue with you, are high energy, loyal, need activities that you participate in, will invent said activities, and will get destructive if they are not engaged.

I know; I attend to dogs at the local shelter and the huskies are the most fun.

'This collaboration is absolutely critical going forward'... One positive thing about Meltdown CPU hole? At least it put aside tech rivalries...

Rajesh Kanungo

Re: What an absurdity!

I, for not a single moment, believe that the Intel security team did not realize that there were security holes. I think that they were, like in most companies, pushed aside. It was a business tradeoff. Most businesses have to make trade-offs based on the projected loss. Speculative instruction execution always raises the hackles of most security engineers. I remember quizzing a certain chip vendor about it and they were not surprised by my line of questioning.

Intel will only change if the market pressure is high enough or because of regulations and fines. Maybe GDPR can be used against Intel. The fines are 2-4% of global revenue. The previous CEO sold his stock when these issues were discovered.

Let's look at it in a different market: We all know that cars are extremely hackable. Even the Tesla gets hacked (nowadays with great difficulty). The reasons that auto companies can skate around cyber security are:

1. No car has been hacked in the field by the bad hackers (white hat hackers not included)

2. No one has died.

3. They have cyber insurance.

4. Market doesn't care enough.

5. There are no NHTSA requirements to do so. Guidelines only.

ACLU: Here's how FBI tried to force Facebook to wiretap its chat app. Judge: Oh no you don't

Rajesh Kanungo

Re: Lets approach this from an application design perspective

It is simpler than that. FB voice calls are not encrypted end to end. They are encrypted to the cloud and back.

Rajesh Kanungo

CALEA with warrant applicable or not?

Can someone explain why simple CALEA can't be used to force FB to intercept and relay voice calls when a warrant is produced, please? Is it because it is not an actual PSTN kind of service? Right now, all my calls go over cellular so the govt can intercept it. Or is it that the govt wants to have unrestricted access to all phone conversations?

At least Sony offered a t-shirt, says macOS flaw finder: Bug bounties now for Macs if you want this 0-day, Apple

Rajesh Kanungo

Bug bounties pay almost nothing on an average ...

Seems like it is very hard making a living off finding bugs. Given that fixing a regular bug in the field costs $100K or more, the payments are measly.

https://blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/

Rajesh Kanungo

Re: just sell it

As someone else pointed out, it is an ethics issue. Also, once you cross over you are tainted for ever.

Rajesh Kanungo

Re: Market share

The MacBook share and numbers are growing in a shrinking overall PC market.

Cops told: No, you can't have a warrant to force a big bunch of people to unlock their phones by fingerprint, face scans

Rajesh Kanungo

Does it apply to US ports?

I know that the US Customs/border have a lot of leeway (a polite way to say that they ignore the Constitution). Would the legal types be able to say if this ruling could be applicable at the US border/Airport/etc. ?

At some point or the other I fully expect them to copy my laptop drive and my phone not because I have super secret documents but because they can.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

Rajesh Kanungo

What is the penalty?

I have been in security for 20 years and I have come to the following realization:

People will not fix security issues unless there is a penalty (market share drop, people die, lawsuits, recalls, etc.). No one follows SDLC unless there is visible harm or a profit. Even GDPR is not a concern here.

Rajesh Kanungo

Airgap a wireless device?

Airgapping a wireless device is an oxymoron unless you have a Faraday cage surrounding the device.

Poland may consider Huawei ban amid 'spy' arrests – reports

Rajesh Kanungo

Re: RFC...

MAC address can be easily spoofed. In fact most Ethernet chips come with the chip manufacturer's MAC ID but once you place it on a device (e.g. a router, camera, etc.) you switch it to the device manufacturer's IDs. It is easy to masquerade ... unless we also have some form of digital signature at the MAC layer. Which would imply that each processor has a private key. There are signature anonymization techniques that would protect the privacy of the device ...

Facebooker swatted, Kaspersky snares an NSA thief, NASA server exposed, and more

Rajesh Kanungo

Re: Jira

I don't know the specifics of THIS case, but I have seen this all to often. Most developers like remote access. Sometimes Jira is opened up for customer/partner/collaborator/vendor access too. They may have done it to 'simplify' access.

Senator Wyden goes ballistic after US telcos caught selling people's location data yet again

Rajesh Kanungo

Re: Instead of piecemeal legislation

The trouble in the US is that this is all you can hope for.

Rajesh Kanungo

Re: Re-seller

An MVNO uses a regular carrier. I would not be too sure that the carrier is not able to get to your whereabouts. You are still using the carrier's towers.

Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp

Rajesh Kanungo

IBM should settle, shut down the App.

It will be better for IBM to not get its brand name tainted, all for this silly app. Large corporations, governments, non-profits, etc. rely on IBM to be trustworthy. If they fail, they should just own it, slaughter the culprits, quickly, and move on. The longer they fight it the more they will look like FB. And customers will challenge them all the time. I have a lot of respect for IBM as an entity and I have worked in security long enough to know that these mistakes occur, but one needs to correct the mistakes and move on. I'd have said, 'Oh shit, we will fix it, and here is $20M for your city, used for buying IBM stuff (at full price, and we get a tax break), and let's smile for a photo-op and thanks for helping us. We love you for how you have helped us and made us a better IBM. Thank you.'

Rajesh Kanungo

Re: GDPR?

2-4% of Global revenue or $2M in fines, whichever is higher.

Rajesh Kanungo

Re: Yes

Thank you!!!

Hope you're over that New Year's hangover – there's an Adobe PDF app patch to install

Rajesh Kanungo

Case for a Minimalistic PDF Reader?

Is there a way we can get a minimalistic PDF reader that just renders stuff. No code execution, no access to local files, etc.? Oh, you mean documents which include other documents? Should be a local file read ... if other software can safely access files Adobe can too.

Adobe seems to have done a good job capturing the market and then doing everything possible to give it away. I once was invited to a security Webinar requiring me to install Adobe Flash. I sent Intel a polite note explaining the problem ...

Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws

Rajesh Kanungo

Re: No No No -- Not The "Referer" Alone

I simply don't understand why they don't use client side HTTPS/TLS authentication along with the server side authentication. It is so seamless that I have a hard time explaining it to people.

Oz opposition caves, offers encryption backdoor compromise

Rajesh Kanungo

#5 is completely true; I have worked with many Aussies who go into pre-frontal-cortex-deficient mode when I tell them that govt spying is bad or that the stuff they are proposing will not work. By using the two trigger words, the govt captures their brains. If you tell them that it is easy to bypass those controls, their usual comeback is, "So you support the terrorists and pedophiles". SMH.

Rajesh Kanungo

In order to read it, they have to store it somewhere, transmit it, search through it, catalog it, etc. Why hack the communication when Eve can just hang around and steal the processed and digested information?

Rajesh Kanungo

In order to read it, they have to store it somewhere, transmit it, search through it, catalog it, etc. Why hack the communication when I can just hang around and steal the processed and digested information?

Rajesh Kanungo

Re: Would this be illegal?

Good point. Compromising the RNG would be bad for the health of ALL crypto. That may be what they may be alluding to. Or push for. They might actually propose Dual_EC_DRBG. Hard for a normal human to test for randomness. I am sure that quantum computing will be put to "good use" when it becomes available. (sarcasm).

Rajesh Kanungo

Would this be illegal?

Alice and Bob, Aussie and British citizens respectively, each create elliptic curve key pairs.

Alice and Bob call each other and exchange their public keys.

They then send messages to each other, using ECIES.

Suppose they do rapid ephemeral key exchanges. Would the govt like to keep track of the ephemeral keys too? How many?

Can I generate an ephemeral key every 100 ms or so?

Will the government like to keep track of all the keys?

Programs like Signal: can Dick ban them? How?

Alice’s homeland dictator, Dick, may get overwhelmed.

Linux kernel Spectre V2 defense fingered for massively slowing down unlucky apps on Intel Hyper-Thread CPUs

Rajesh Kanungo

Intel Hyper threading is an oxymoron anyway

In general I have associated hyperthreading to imply a large number of threads.

Intel uses 2 threads per core and calls it hyper.

I know companies which have built processors with 64 threads per core.

Threads were really meant, in these systems, for computational separation but not memory isolation. For example, you establish a pipeline of processes that data has to flow through to end up at a socket endpoint.

Intel, at some point, may have pushed this as a marketing advantage, selling 'more' CPUs than they really had.

Are there many applications that get a performance boost IRL from threading? The requirements for cache coherence are extremely tight. I can think of same instruction, same data as the basic requirement.

Rajesh Kanungo

Re: That can't be right!

He swore off profanity.

MIT to Oz: Crypto-busting laws risk banning security tests

Rajesh Kanungo

Re: Aussies just will not let us win at anything

Brexit.

Empire state of mind: NYC scatters palm leaves for Bezos' cloudy web shop juggernaut

Rajesh Kanungo

Re: DC and MD are the big winners

1.2B per year subsidy, i.e. 48k per year per employee subsidy for the first 4 years. State + city taxes are roughly 12-15k per year. So payroll taxes don't make up for the loss.

I guess it is corporate welfare.

My bet is Jeff Bezos already knew where he wanted his HQ2 but was trying to get a good bargain.

We asked 100 people to name a backdoored router. You said 'EE's 4GEE HH70'. Our survey says... Top answer!

Rajesh Kanungo

Re: What would happen

I have seen this argument used many times. The problem is you end up with a Maginot Line effect. Any compromised device on the network can be used to compromise the router. Plus there are ways for JS to initiate a login to the router. So badly implemented browser security can let that happen. The right way to do secure design and implementation is to have security well implemented in ALL components.
