* Posts by Blazde

330 posts • joined 11 Jan 2019


In Rust We Trust: Microsoft Azure CTO shuns C and C++


Re: Replacement versus successor

You can always auto-translate C/C++ code to Rust. The issue is you're left with lots of unsafe code or you have to tidy up your memory ownership to satisfy Rust's strictness (which could involve big architectural changes to pull off cleanly), however the fact your code doesn't already satisfy Rust's ownership model IS a valid reason to call it broken if you care a lot about security, and will make it easier to maintain if you reduce the firehose of CVEs.

As for Rust being difficult to learn, it isn't really. It's more accurate to say it's difficult to learn how to code in a memory safe way and Rust happens to force (or at least strongly convince) you to learn that fairly invaluable skill. I'd even say it's much easier to learn the skill with Rust as a crutch rather than spending years of your life debugging mysterious memory corruption bugs as punishment for not being born with the skill.

Can reflections in eyeglasses actually leak info from Zoom calls? Here's a study into it


Without thinking about it too much.. static scenes wouldn't benefit from multi-frame interpolation (in a not dis-similar way to how detailed photographs don't benefit from resolution enhancement as much as cartoon images do - the required information just isn't present), and there a lot of static scenes in old TV shows so the results would be uneven, glitchy and probably feel more unreal than simply watching the low-res version and letting the more worldy-experienced AI in our heads figure out the detail.

Zoom meeting eyeglass reflection is probably a best case scenario because there'll always be small amounts of head movement to provide differing information over multiple frames.

Uber reels from 'security incident' in which cloud systems seemingly hijacked


"I announce I am a hacker and Uber has suffered a data breach"

This now has to be rock-bottom for cool hacker aesthetic, and confirmation a revival is imminent. Time to dust off the mirror-shades and stop using the letter f.

Warning over Java libraries and deserialization security weaknesses



The problem is that serialisation is awfully convenient.

A well known MMOG - written in a non-Java language I won't mention because it would probably give the game away - uses serialisation for network communication. Many years ago I dug into it that part of it and quickly found a dozen separate vulnerabilities (some of them caused heap corruption, some just causing memory violations that would bring down the targetted client or server without taking it over, etc).

The most egregious involved them allowing a limited set of method calls to be serialised. A sort of a la carte direct-'gadget' menu. My creative juices began flowing dreaming up the most majestic exploit that could be written with such tools. Of all the possibilities for combining them which would I choose? But the inventive process was cut short when one of the methods turned out to be "Hey, run this arbitrarily long string of code for me please".

The more difficult problem was how to get across to the company the breadth of the problem. You could see why they'd done it, apart from the gaping security issue, the architecture was powerful but clean. You could abstract really complex object behaviour, throw the object across a TCP connection or some shared memory to another process, put it in a database, and retrieve it years later when your codebase had moved on, all without caring much what the object was in the first place. Knowing the genesis of the game, how rapidly it was prototyped with so few developers, it's quite likely it wouldn't have come to market without some form of serialisation of untrusted input. And the world would be a poorer place for that *shrug*

Janet Jackson music video declared a cybersecurity exploit


Re: Lay off Janet

"hardly anybody listens to Janet Jackson anymore." Which is absolutely untrue.

Indeed. She's got 5.5mil monthly listeners on Spotify. That's fully twice as many people as listen to Aqua's Barbie Girl each month..

CIA accused of illegally spying on Americans visiting Assange in embassy


Re: Publicity seeking bullshit

In neither of these places does US law .. apply

There isn't a nation on Earth that more resolutely applies it's laws overseas than the US does.

Microsoft's fix for 'data damage' risk hits PC performance


Re: Data damage come again ?????

I suppose, to be fair to them - and they don't deserve it - the data is only lost if you didn't make a backup. Having to restore from backups is therefore arguably a data damaged and in need of repair situation, and in this day and age Microsoft can fairly assume their users have backups because they should.

Assholes nevertheless.

Post-quantum crypto cracked in an hour with one core of an ancient Xeon


Re: all of that grant money

The same hardware crops up in a number of their papers, I think it's just what they have. Honestly mathematicians rarely need good hardware. Either they spend a few days making their algorithm a thousand times faster, or it's this kind of result common in cryptography: "We show the primitive can be broken in 10^40 billion years instead of the expected 10^50 billion years", which doesn't benefit from computational resources at all.


Re: Sike

Watch us wreck the Mic. Watch us wreck the Mic. Watch us wreck the Mic


and they only get a lousy fifty grand?

They'll get some major props too - worth a lot in the small world of crypto research. Although the authors of these major crypto breaks don't have a strong history of becoming household names. Everyone here is familiar with Mitsuru Matsui, right? David Wagner.. anyone?

Bounties for this work are a relatively new thing, and don't forget most of it is done by researchers on their dayjobs (in contrast to lots of freelance software vulnerability research). In this case: 'We acknowledge support by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant agreement No. 101020788 – Adv-ERC-ISOCRYPT) and also by CyberSecurity Research Flanders with reference number VR20192203'.

US court system suffered 'incredibly significant attack' – sealed files at risk


Let's focus on the perp..

If a Congressman still young enough to almost-but-not-quite read the word 'ostensibly' without hesitating is willing to call this an 'incredibly sophisticated' attack we can probably rule out all those suspects below the age of, say, 9 years old?

Edit: I've not been able to uncover evidence of rep. Nadler in the same room as a computer however he is capable of using telephones someone else is holding, so he knows tech: https://www.gettyimages.co.uk/detail/news-photo/rep-jerrold-nadler-d-n-y-does-a-phone-interview-in-statuary-news-photo/74896896

Amazon sues 10,000 Facebook Group admins for offering fake reviews


Re: Verified Purchase

In general only 1-2% of real buyers leave a review

Better incentives from Amazon (rather than the seller) for real buyers to leave genuine reviews would help a lot, but right now with lack of competition and any relevant legislation Amazon have no motive to divert a significant slice of their margin to that. They would also point out their reviews are read by consumers who end up purchasing the item elsewhere so perhaps an industry-wide independently-incentivised review database is the answer. Would also require splitting Amazon into separate retailer and marketplace companies, so the marketplace side of them could independently manage reviews about Amazon's own products.

Even if they committed to all that Amazon's quote about achieving the goal of "Permanently ridding fake reviews" is worthy of a good chuckle.

Calls for bans on Chinese CCTV makers Hikvision, Dahua expand


Re: I've got zero faith in anything gov.uk says anymore...

Eh? It's not gov.uk though is it, it's opposition parties & back benchers. Almost all the signatories to this letter are all the same people and organisations who've been calling for the banning of facial recognition and biometric profiling for a long time. Linking it to the more recent concern on human rights abuses in China is a tactic to highlight the danger of being complacent about civil liberties here, and to gain more widespread support.

China offering ten nations help to run their cyber-defenses and networks


Re: There are two ways of taking over a country

The bill the UK paid was a tiny fraction of overall US Lend-Lease, mainly related to supplies which arrived after the end of the war and ended up being handed over on very favourable terms.

There were a few other quid pro quos, notably so called Reverse Lend-Lease from across the British Empire, and the Tizard Mission but overall the US deployed an awful lot of resources to shore up it's European allies against Facism and subsequently against Communism in the post-war period. Of course it reaped diplomatic and strategic rewards, but that's a longer subtler game than tired tropes about control over raw materials. The US has more than enough food and oil it doesn't need to go starting or supporting wars just to get more.

Ukraine war a sorting hat for cyber-governance loyalties: Black Hat founder Jeff Moss


Re: Team Rule Of Law ?

Nevertheless the names really need some work. 'Team Authoritarian' would also point to the careful underpinning of everything they do by laws, enacted by a legislature (*).

Meanwhile many in 'Team Rule Of Law' point to their authoritarian internet censorship increasingly being rolled out, and with dubiously minimal electorate collaboration in some key areas.

(*) Or at least everything that would be done that way in a modern liberal democracy. Starting wars, and okaying diplomatically sensitive black ops of the kind Russia is frequently accused of, aren't typical legislature fare anywhere.

Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point


Re: No software can be trusted

Even the full time software security specialists put holes in their code. Doesn't matter who you are, your own vulnerabilities are the hardest ones to see.

False-flag cyberattacks a red line for nation-states, says Mandiant boss


Re: False-flags are a "feature"

That might be typical but it's not a given. The environment is different in that there are less laws to adhere to so for example reverse engineering and re-using a peer's software is fine. For nation states or particularly well motivated political groups in some cases the most important thing may well be to provoke misattribution rather than make an attack successful. Some of the best known historic 'kinetic' false flag operations weren't or were never intended to be successful attacks per se.

But you have a point, requesting it as a half-hearted feature late in the development cycle is going to be the cheaper and apparently more common scenario, for those who don't have the resources and foresight to develop a convincing false flag capability ahead of time. If you do you'll need a separate development effort for each entity you want the capability to impersonate. They'll need maintenance to stay current. And they'll be less effective the more they're used, especially if used carelessly enough to land on Kevin Mandia's desk. I suspect those factors have more to do the lack of evidence than any desire to create an international norm against false flag use.

Beijing-backed gang looted IP around the world for years, claims Cybereason


Re: Wait, what ?

This is a huge scandal. Could there even be un-logged documents around somewhere too?

Stolen-data market RaidForums taken down in domain seizure


A bit of a Google shows Europol names tend to be non-random but cryptic. Eg. Operation OPSON targets food crime because (apparently) opson means ‘food’ in ancient Greek. Operation Lake? Illegal trade in endangered eels (which is funny because a lake is about the worst place to look for trafficked eels where they hide among the non-trafficked ones).

What *is* random is the capitalisation. Sometimes Opson. Other times OPSON.

In my book capitalisation means shouty and tourniquet is never used in non-shouty situations so it feels appropriate in this instance.





China thrilled it captured already-leaked NSA cyber-weapon


Re: Every country does this. Every country whines about it.

I doubt any of that is the motivation for such announcements. It always feels more like:

- Our own counter-intelligence is awesome, we're on top of this stuff

- We've captured their thing (go us)

- We're watching what they're up to, so they better watch out!

- Average Joe don't panic

- Law-makers keep giving us the resources to do our jobs

- Security pros help us by looking out for these attack signatures

- And now here's a 30 second message from our partner Symantec

Where are the (serious) Russian cyberattacks?


Re: There are several answers to this.

It's not helping him now though is it? Public opinion in the free world is firmly on Ukraine's side. In one move he's squandered what small vocal support he spent years building up. Even in Russia young people (who matter re revolution etc) fear arrest or worse and keep their heads down, but for the most part are not brainwashed.

Perhaps he needs to wash his own brain once in a while..

Use Zoom on a Mac? You might want to check your microphone usage


Re: "it looks like it's safest to only run Zoom while on active calls"

"keep a list of how many you find where the manufacturer took the effort to supply you with a real physical ON/ OFF button. One of those old fashioned concepts, common in the last century which sets power usage to 0W.

Spoiler alert: make sure you can reach that power plug easily..."

The problem nowadays is that the switch needs to be on the wall side of the transformer, typically dangling awkwardly in the middle of the power cord, and by the time you're there it's often easier to go for the wall.

Presumably somewhere there are power outlets with their own standby circuits that can be turned off over the cloud by a smartphone app... to save you the trip to the wall. A new LED to rage against.


Re: "it looks like it's safest to only run Zoom while on active calls"

"Do these people ever turn off the lights ?"

If you mean the little standby LED on the TV, nope. Almost nobody turns that thing off at all ever. Probably a good proxy for how many turn off random unused apps on a Mac. Martin Lewis should do a campaign.

US carriers want to junk three times more Chinese comms kit than planned


Re: I

Plausible plot-twist that makes all this irrelevant: US buying cheap Chinese-made F35s before 2040

DMCA-dot-com XSS vuln reported in 2020 still live today and firm has shrugged it off

Paris Hilton

'XSS' bug is clearly user error

Solution: Don't put html in the text box

Ticket closed

[Really common 20 years ago]

Internet Society condemns UK's Online Safety Bill for demonising encryption using 'think of the children' tactic


Re: Lazy

The irony is rape prosecutions are at an all-time low, in part because of the huge volume of unencrypted digital data the police trawl through now, and in part because victims don't tolerate those levels of intrusion into their data.

Perhaps some lessons could be learned before this issue burdens all the other crimes as well.

Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k


Re: Nice to see Apple pays out

Apple don't have a perfect track record of payouts either. In all these programmes most researchers ultimately end up at the mercy of the big company's charity and it'll remain that way until the industry sets up some kind of genuinely independent dispute resolution process. Which they have little incentive to do because headlines involving $100k feel good stories make bigger waves than bitter he-said she-said tales of individual and corporate grubbiness.

For those worried about Microsoft's Pluton TPM chip: Lenovo won't even switch it on by default in latest ThinkPads


Re: What's the real function?

My experience was a lot of hours wasted hunting down motherboards where Secure Boot could be disabled. Valuable hours which could have been more enjoyably wasted on ballyhoo, furore and hoopla.


Re: hmmmmm

Predicting it will end in tears around the same time Microsoft's Windows Update process falls victim to SolarWinds-style supply chain attack. That's already a nightmare scenario but imagine if you can quietly control a single well documented CPU firmware interface on 75% of desktop PCs. Do you brick them all, or something more elaborate? Really tough call.

Privacy is for paedophiles, UK government seems to be saying while spending £500k demonising online chat encryption


Re: What do you expect for £500,000?

Are Barnardo's chipping in a few quid too maybe? Very disappointed to see them wading into such a far-reaching political argument.

Vulnerabilities and censorship tools among hot new features in Beijing's Olympics app


Oh gtfo CCP

Apart from the shear ridiculousness of 14 days of pre-visit tracking this feels like a pretext to ban various foreign athletes who represent a threat to Chinese medal hopefuls for not 100% complying with the probably quite vague requirements. Aka cheating. (If that turns out to be the case the Australian government's tennis interference will have a lot to answer for too)

Leave the curling alone that's all I ask!

Ukraine shrugs off mass govt website defacement as world turns to stare at Russia


Re: Despite assurances from Western leaders and NATO commanders …

The sad reality is that such assurances can only be given now because Ukraine is unstable and under threat from Russia, and hence not actually wanted in NATO. Putin knows that so he can't simply withdraw the threat and leave Ukraine to it's own devices. The best case scenario now is probably that he judges an unstable Ukraine is more valuable than a wholly occupied Ukraine, and the threat of mega-sanctions is enough to dissuade him from formally annexing the eastern half.

Meanwhile he knows given half a chance the West would happily push Russia itself toward being a stable liberal democracy with NATO membership. That wasn't looking completely unlikely 20 years ago, and it's probably an even more desired scenario now since China's rise (for the West, but perhaps also for Russia's citizens). No words from temporarily elected politicians are going to change that long-term geopolitical reality. Even a dramatically signed international treaty won't do anything if a future Russian regime wants to tear it up - not that Putin's Russia respects international treaties much anyway.

US Army journal's top paper from 2021 says Taiwan should destroy TSMC if China invades


Dr. Strangelove would be proud

Like the Swedish, what the Taiwanese really need is a credible plan to fill in their mine-shafts! I'll get writing a paper at once..

Intel ‘regrets’ offending China with letter telling suppliers to avoid Xinjiang


Re: Grow a pair

"equally as repressive"

No. The Uyghur genocide is not remotely comparable Texas banning abortion, even if both are regrettable. Why do these kind of nonsense false equivalences come out of the wood work every time China is involved?

Of course a Bluetooth-using home COVID test was cracked to fake results


Re: Bit of a leap...

There's a tear-down in the link I gave above. Higher false positives than virtually any other lateral flow test so I think their optical reader was failing sometimes rather than the assay pad itself.


Re: Bit of a leap...

"The UK lateral flow reporting is easier to fake, you just tick the box on the website that says negative rather than the one that says positive, and throw the strip in the bin."

Or tick the box that says positive and get 10 days off work/school.

I think the idea is as long as the system encourages(*) you to actually have a test in your hand with an ID then the majority of people are going to go ahead and do their test out of curiosity, report and act on it honestly. It's secure against casual laziness which seems a good security/usability/cost compromise to me.

(*) Apparently the IDs could be made-up but hopefully there's some kind of checksum digits so that's not completely trivial. The codes are probably not long enough.

Making it marginally harder to fake might have some value in zero-Covid countries like Australia before the autumn. Maybe why this $25 single-use electronic trash was designed there.


Re: Bit of a leap...

Price $26.10 (Walmart) says it's mostly bare-faced lie.

Ridiculously easy to 'crack' by having somebody else who's negative use the swab, which in some circumstances is going to be even easier than acquiring soda or water.

Nothing obvious in the way of physical tamper-resistance for the reader inside either (but why would there be considering the above): https://www.youtube.com/watch?v=UvArprBmdFA

However you can see there is some kind of detailed optical recording of the flow process, and perhaps at least some of that data is uploaded for scrutiny by 'AI' (hah) or manually. Obviously that failed to detect F-Secure's simple status flip proactively so it's not worth much, but they may feel it gives them the ability to detect similar cracks after the fact, which is then the basis for issuing optimistic-sounding bullshit like they've done here.

In essence it's no more secure than uploading a picture of your $5 lateral flow test.

UK National Crime Agency finds 225 million previously unexposed passwords


Re: Trust

"A database of known passwords and usernames, is highly valuable because it probably indicates just how un-unique most peoples passwords are"

Because of just how nonunique many passwords such a database doesn't need to be very big and good ones have been in existence for 2 or 3 decades (of course there's been some evolution in common passwords over that time). Troy's database is a different beast and really just levels the playing field for the good guys by giving access to information the bad guys already have.

RAF shoots down 'terrorist drone' over US-owned special ops base in Syria


Re: Technically fantastic but...

Highly doubt firing a single ASRAAM is going to cost the UK £200k. More likely it's one less obsolete Block 4 missile to decommission as the Block 6s enter service, a bunch of useful live fire data, and a shiny new page in the marketing brochure.

Is VPOTUS Bluetooth-phobic or sensible? The answer's pretty clear


The chances of anything hacking from Mars

Are infinitesimal he said

The chances of anything hacking from Mars

Are infinitesimal

but still they pwo-own

Leaked footage shows British F-35B falling off HMS Queen Elizabeth and pilot's death-defying ejection


Re: Well...

On the bright side the ejection was absolutely timed to perfection. It's almost like they've practised that very specific failure condition..

Government-favoured child safety app warned it could violate the UK's Investigatory Powers Act with message-scanning tech


It's never going to be tested in court if it's ridiculous enough. The offence has effectively been in place since RIPA 2000 came into force and any dumb prosecutions would surely have been reported by El Reg.


Re-reading along side the CPS guidance I struggle to see what the issue is. Section 45 gives authorisation for 'telecommunications services' for 'purposes relating to the provision of services or facilities aimed at preventing or restricting the viewing or publication of the content of communications transmitted'. Section 261 defines 'telecommunications service' very broadly and surely covers things like 3rd party spam-filtering even if they're not the primary provider of the telecommunications system.

We're not told exactly what feature SafeToNet planned. I can only see a problem if it's something along lines of a 'hack back'? That doesn't sound like the case though so I think they should get new lawyers.


(IANAL either) but I don't see recipient-authorised email-scanning passes Section 3(2), parent involved or not.

I suppose it hinges on whether the relevant 'private telecommunication system' is 'my email address' in which case I surely have the right to control it's operation and any service providers I designate to scan my email, trash it, forward it to me, or automatically broadcast it straight on Twitter are simply operating it with my authority.

Or whether the 'private/public telecommunication system' is 'the creaking email system in general' or even 'the internet', in which case the sender could somehow have an expectation that what..? only 1990s email technology were being used to transmit the email and no scanning takes places? (Or the switches and SMTP servers are unlawful too and the magic IPA-immune fairies are supposed to transmit it?). That still doesn't make sense, but conceivably it's an interpretation a supremely tech-illiterate judge might reach forcing costly appeals and an over-cautious lawyer might advise about that.


This is a ridiculous interpretation of the law. Surely if you have permission from the recipient to intercept then you are simply acting as their agent and the law applies as if the intended recipient 'intercepted' it, so to speak. They might need some extra legalese to nail down that relationship, but all kinds of similar arrangements would be unlawful if you couldn't do this.

('Aah that is good coffee. Now I'm ready for you to read me my email Jeeves. Do the silly voices again would you. And skip the parts where mother tells me to get a job, good chap.')

Alleged Brit SIM-swapper will kill himself if extradited to US for trial, London court told


Re: No excuse

"I'm sick of people using Asperger's as an excuse for not facing punishment for their acts"

It's not actually the excuse. Suicide risk is the excuse (rightly or wrongly). Asperger diagnoses are being used as evidence of heightened risk of suicide (3 times higher risk according to a quick Google - I've no idea the veracity of that figure), but I'd hope a range of other type of evidence would do equally as well. We just don't see many of the other risk factors disproportionately represented among criminal hackers facing extradition to the US.

Crypto for cryptographers! Infosec types revolt against use of ancient abbreviation by Bitcoin and NFT devotees


Re: how about "Cryptography means Cryptography"?

How about 'analogue currency' because cryptocurrency is an analogue of the physical currencies that proceeded it, or because blockchain transactions are not actual economic transactions but merely recorded electrical representations of them.

Language is weird sometimes.


Re: But it is crypto

'I always assumed that crypto-currency was short for "cryptographic currency"'

It is, I think that's the issue. When some says 'crypto' but assumes one specific narrow use of cryptography they're almost gaslighting the existence of the entire rest of the important field of cryptography. It's a hierarchy error. Like when someone says 'Can you bring up the internet' but they really mean 'Open the Google homepage'.

Unlike with other uses of the crypto prefix unrelated to cryptography you often can't tell what they mean from context, because a lot of cryptocurrency context *is* cryptography context.

"I'm going to invest in crypto" -> Fine, mostly

"Crypto has changed the world" -> Completely ambiguous

"I'm very interested in crypto, would you like to talk about it over coffee?" -> Recipe for rage, and a paraphrase of an actual question I was presented with just last week that turned me on to how much of a problem this has become. For context: I'm very interested in cryptography but absolutely sick of hearing about not-technical aspects of crypto-currency, so I don't know.. do I want to talk about crypto over coffee?

FYI: Code compiled to WebAssembly may lack standard security defenses


Re: programs that run but produce the wrong result don't really fall under the "security" heading

From the point of view of server security yes, but the client may have it's own security goals in opposition to the server ('no sensitive information is uploaded to our servers' type guarantees), and usually will be part of a joint goal with the server to secure the process against 3rd parties between them, or in other applications etc adjacent to the client.

"(e.g. enabling/disabling action buttons and menus.)"

A classic example of something a client can be responsible for the integrity of, with security implications when it fails.



Biting the hand that feeds IT © 1998–2022