Have to be honest if I saw one single SSD perched on the back of an otherwise empty truck I'd be tempted to take it. That's just screaming 'nobody cares about me'.
262 posts • joined 11 Jan 2019
Hole blasted in Guntrader: UK firearms sales website's CRM database breached, 111,000 users' info spilled online
Good grief. It's a CERT Coordination Center document, from a database funded by the US Federal government, and authored by a man who appears to have been born, educated, and worked his entire life in America and you expect them to use British English definitions of words? That ship sailed many centuries ago.
"As far as I know, 'exploit' has for a long time been both noun and verb"
A long time yes, but before that it was only a noun and presumably there were fuddy-duddies up in arms about it changing. Yet it did and our language is the more nuanced for it. Using one yourself while baulking at someone else's use of the other seems to make you a hypocrite, doesn't it? Both can be replaced with 'use' with only minor(*1) loss of meaning(*2).
"'Leverage' is a noun being used as a verb for no reason."
Both dictionary.com and Merriam-Webster list it as a verb. The language has already evolved, too late to complain. The second M-W verb example seems particularly relevant:
"Definition of leverage, transitive verb 2 : to use for gain : exploit"
Do you moaners also have a problem with the word 'exploit' in computer security? :)
"I exploited the vulnerability in the system" -> Implies gaining access to the system
"I used the vulnerability in the system" -> For what? To help write an exploit for a bug bounty program?
"I leveraged the password hash" -> Implies to crack the password
"I used the password hash" -> For what? To check the user's submitted password was correct?
Of course these are sentence fragments (the original in a bullet-point). A full sentence should specify the goal being leveraged toward and then the implication is less helpful but here it seems to me to do the job of narrowing down the type of usage very well.
Re: 'In the Public Interest'
Superficially it's a legit act of whistleblowing that lead to a swift resignation. You don't need to know the identity of the whistleblower to know that going after them is the wrong thing to do in a society which attempts to protect public interest whistleblowing. The law is absolutely still protecting the anonymous person(s) if it makes it unlikely a conviction will follow, and your investigation is thus a waste of resources.
I do think however given where the leak came from there's a responsibility to perform some investigation to make sure there's nothing extra going on which could impact national security. There probably isn't but it'd be serious if there was. That investigation should surely be handled by the Parliamentary Security Department, the police, or even MI5. Not the ICO.
Re: 'In the Public Interest'
Interested what you think the other agenda is? If it's 'political' then it's surely still in the public interest because political rivalry is essentially what helps hold government to account in a democracy, and holding government to account is widely considered to be in the public interest.
I wonder if the public interest whistleblowing protection law might be relevent too, aside from the GDPR-specific exemption. You are supposed to whistle-blow about a 'crime' (acknowledging it's not 100% clear Matt & lover did break the law) to a prescribed body, which doesn't normally include the press. But perhaps it could be argued for whistle-blowing on someone as powerful as a Secretary of State there is no more appropriate method than publicising it as widely as possible - and as it is the person(s) still appear to have been raided, which is the kind of retaliation whistleblowers are supposed to be protected from.
But we don't know what other wrongdoing has gone on. Perhaps they've been abusing the CCTV system for years and stashed away hours of footage of MPs jacking off in their lunch hour, then the book will be thrown and the kissing incident may not even come up in court. I just hope they get a decent solicitor anyway.
Immediate thought: It can't be the UK because our test and trace is far too hopeless for that level of detective acumen.
At a guess it's the US because they tend to put cardholder name right there on the paper receipt. And because it's then a quick Google for anyone to find the person's address, mobile number, car registration and so on because all that stuff is often public too. A few dollars if you should want to buy their mobile location data... and so on.
So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into
Re: Why would it be a target for breakins?
According to a more complete translation: "the submission [to the central database(*)] should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products."
So - depending precisely what 'technical characteristics' comes to mean - possibly quite vague, but if you have a bunch of these reports a good fraction will still signpost a skilled researcher to a vulnerability very quickly. Searching for a needle in a haystack is the most tedious part of this work, and if you know there's a needle near the bottom of this particular haystack it gets a whole lot easier.
(*) 'Ministry of Industry and Information Technology’s cyber security threat and vulnerability information sharing platform'
Also: "The network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology simultaneously reports relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Technology Coordination Center."
So there'll be at least three copies of 0-day database. It sounds semi-public already to be honest.
Re: Abe Lincoln knew the truth about QKD.
"Please don't conflate a self-serving political system and the industrial-military complex with a cryptographic protocol. The article was about the protocol."
Yup I think you should follow that advice and realise how pointless your original comment was.
Big organisation investing - for them - miniscule amounts of money into hyped tech proves nothing about the intrinsic value of that tech. It points to them seeing the possibility of some commercial value. At most it indicates they see an outside possibility of some intrinsic value and they don't want to be left behind in case it turns out that way when the cost of keeping up is so low.
The clearest mathematical detail is that all these organisations already make extensive use of low cost cryptography without any meaningful key distribution issues and no mathematician is up in arms about how insecure all those protocols are.
It's interesting blue sky research. It doesn't solve any of the many very big current computer security problems.
Re: Abe Lincoln knew the truth about QKD.
"[Federated Quantum System] initiative, which includes companies from each country to design and test the system."
Jobs + tax revenues for all. They're definitely no fools.
"[EuroQCI] agreement is worth several millions of euros"
Behold the shear scale of resources the world's foremost supranational economy is capable of bringing to bear on such critical technology. I hear Dr. Evil was overjoyed to be chosen to head up the project.
Report shines light on REvil's depressingly simple tactics: Phishing, credential-stuffing RDP servers... the usual
Do you want speed or security as expected? Spectre CPU defenses can cripple performance on Linux in tests
Re: ridiculous offence?
If you give insider information to your friends planning or merely knowing they'll use it for insider trading, or you find out later they did and fail to report it then you'll be guilty of some kind of conspiracy to commit or accessory to insider trading crime.
If you blab confidential financial information in the pub genuinely oblivious to the fact your friends later trade on it then that's just going to be between you and your employment contract (unless perhaps you're an officer of the company in which case you might be held to higher standards and given a proper good telling off by a judge before getting off scot free).
It is a slightly confusing term, whatever the history of it 'insider' now refers to the information not to the trader.
Re: How cynical
If we're really getting cynical, how about the idea the FBI gave up the backdoor because they realised God Mode on the criminal comms threatened to make too many law enforcement jobs obsolete (also: 'now you have AN0M I assume you won't be needing this huge and very poorly accounted for CI budget?').
At least leafing through reams of irrelevant Whatsapp convos requires serious numbers of analysts and proportionately high salaries for their managers. Plus it's more fun because of the smut. The criminals just geek out over crime non-stop, what a yawn fest.
At least where there's good data I think it's surprising how little street prices are affected by these international busts. I suspect outside of the big cities local disruption to dealer networks has way more impact on price, purity and availability. (Purity also may be more driven by how savvy users are than by supply & demand, since a lot of drug markets operate as near monopolies. The UK's cocaine purity has risen massively since test kits become common place and all the newspapers ran stories about how crappy their reporters were finding it).
With the international busts there's always more supply ready to step in quickly, it just needs approval from those in control of the market. Import prices might jump to ease that extra supply but that's not passed down to street prices. The profit margins are such that it's in everyone's interest down the supply chain to keep decent stock on hand to smooth over disruption, and fluctuations in supply price are easily absorbed. A lot of it's on credit too so capital requirements aren't big and there isn't huge pressure to optimise for just-in-time supply. I suppose the other factor is that for some drugs if there are any supply issues close to street level a lot of substituting takes place, both at the cutting and buying level. There's also more mid and low-level importing over the internet these days which might help smooth over supply.
Still, this bust seems unprecedented in scale and scope so it'll be interesting if it has much impact beyond hastening the rise of a fresh generation of smugglers more wary of phone apps than the last one.
Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in
It's the gaming of the process that became partisan rather than who's appointed, which always has been.
In England High Court judges have of course always been appointed by the Monarch and thus entirely apolitical.
(Hah just kidding, since 2005 though there's a committee process intended to remove political bias and ostensibly appoint on merit, plus the newer UK Supreme Court judges have to have input from Scotland and N.Ireland so I'd imagine it's way harder for any party to influence the outcome. Of course they still end up drawn from particular class demographics and therefore exhibit bias. It all matters less than the US though since they're not defending a written constitution from overreach by the legislature).
To get anywhere near the Supreme court you have to be a methodical and rational human being, it's not as if Trump could find appointees in his own image (the exact opposite of those qualities). The real drama will come when they're asked to rule on clash-of-values type cases where there's no objectively sensible answer. And perhaps the real long-term problem with Trump's appointees isn't even who they are but that it set a precedent for partisan meddling in the court at the exact moment the parties are becoming entrenched in several opposing value systems the judges will need to rule on.
Re: If this was my idea...
"The Ring Of Fire doorbell is equipped with seven firewalls. That's one for each of the five advertised wireless protocols you can attack it over, one for the unpublished remote Amazon-telemetry protocol, and one physical butane burner which can be configured to protect the bell's push button itself from pre-identified individuals in the facial database as well as general classes of undesirable such as chuggers, preachers, and sellers of rival doorbells."
JBS Foods ransomware gang: White House 'engaging directly' with Russia about attack on massive meat producer
Re: Even simpler explanation
That doesn't make any sense. There's so much meat and oil production in the US - and such massive global trade in both - that you'll never significantly impact prices with the odd ransomware attack even against major multinationals. Plus beef prices are up every other month anyway (1st world problems which occur when food suddenly becomes a symbol of the rest of the world too).
Better to target rare earth mineral mining or semiconductor production or something else 'the West' sucks at but is heavily reliant on.
Case in point is the 2012 Shamoon attack on Saudi Aramco which impacted oil prices basically not at all but caused a significant demand shock which drove up hard drive prices.
Re: Hack the Planet!
"Any England/UK Hacker movies from the 90's? Doubt it.. :)"
Not a movie but Channel 4 being hip, edgey and way ahead of their time (uuh relatively speaking that is) did a hacker docu in 2000 called Hackers In Wonderland that was quite good and basically covers late 90s material. It's available on YouTube. Big UK names in it, and inevitably a few yanks too.
"This man [Cold Fire] was once considered one of the most dangerous criminal hackers in Britain. Not wanting to reveal his home address he met us at a local laundrette." And there's the obligatory paranoid yet understated tone set with a line that could have been uttered by Alan Partridge himself.
Re: Capsizing oil tankers via software
Oil tanks are certainly split up on the big supertankers. I don't know how possible pumping one to another is at sea. A lot of work goes into making sure oil doesn't end up spilling so you likely couldn't just dump all tanks on one side. However they also have ballast tanks and those can be emptied/filled with water specifically to rebalance the ship. If you unbalanced those, do it in rough weather, steer the ship the wrong way, and focus on exploiting some design flaw involving natural frequencies of half-filled oil tanks maybe, just maybe it'd be possible. Especially if you can remotely lock the doors to contain the crew and stop them overriding everything, since it's take a good while to pump.
Or you could just drive a single tanker into the bank of the Suez canal with one quick rudder override, carefully clean up and exfiltrate the system, then spend a whole week laughing as manically as someone who wanted to do that would probably laugh. I wonder how effective the cover-up would be if that actually happened? Initially the captain and the shipping company would probably come out with different stories and everyone would blame each other rather than blame the hacker they don't want to admit exists, but they'd go silent as the lawyers got to work, and lay observers would likely call out the weather before possibly settling on some novel but scientifically pleasing fluid dynamical explanation that was impossible to verify. (I jest, I jest).
Turns out there's 3 albums worth of soundtrack so they really ran with 'the music is the one good thing about this film'.
As both a teenage hacker and skateboarder at the time I remember seeing the trailer and being doubly exasperated that my crafts of choice were being lampooned and probably misunderstood by unsuspecting adults who had the misfortune to see the movie. Now looking back I can kiiinda appreciate how so-bad-its-good the fur trench-coat wearing skateboarding "I is here" trying-too-hard-to-be-badass baddy looks, but still not enough to make me want to sit through 107 minutes of it all. Maybe in another 25 years.
Re: Half-Double Rowhammer
Pretty much. There's been a couple of iterations of hardware fixes now for Intel & AMD. If you want either software to not have to care about security compartmentalisation, or increased security without any performance impact at all you're going to be waiting forever because those things aren't desirable/possible.
I don't see how RowHammer/etc will ever be 'fully' fixed because it's essentially probabilistic and the surest ways to mitigate it significantly increase latency, power consumption, or silicon area in ways fundamentally linked to the physical laws of the universe. It could perhaps become the purest example of a security/cost/performance trade-off. The other dimension potentially worth trading against is uptime, because if hardware detects it might have been successfully Hammered the last line of defence is to halt execution rather than cede control to the attacker. Hard decisions.
Re: "Legacy of single user on a disconnected PC"
There were some very early 3rd party remote login solutions like WinFrame (which Microsoft subsequently based Terminal Services on). By the time Rupert is talking about, 2001 when MacOS launched, multiple users at the same time, either remote or locally with fast user switching was supported natively. The underlying multi-user architecture was always there because services used it, just interactive multi-login was missing.
"Legacy of single user on a disconnected PC"
I'm not sure this is fair. NT was multi-user and networked by design, and released in both workstation and server versions from the start. I don't think it shared a single line of code, or even any key designers with 16-bit Win3.1 - the single user legacy at the time - except insofar as it implemented an emulation layer for backward compatibility. That didn't affect it's essential security architecture (although it added a small amount of complexity to the kernel and resulted in at least one vulnerability - just a general hazard of all monolithic kernels).
If it had weaker security than some Unixes at the time (opinions vary in my experience) then I'd say that was down to it's relative maturity, being closed source, and Microsoft's changing commercial priorities rather than the company's separate single user OS legacy.
To bring this full circle: NT's better designed, 90s-modern, distributed access control compared to the whole Unix class of OSes is probably one of the key reasons why it does dominate in centrally administered hot desking workstation environments - the precise opposite of single user disconnected PCs. The most common scenario today where multiple actual human beings use the same Unix-running hardware probably involves Virtual Machines rather the native access control, doesn't it?
Australian Federal Police hiring digital evidence retrieval specialists: Being a very good boy and paws required
Mammoth grab of GP patient data in the UK set to benefit private-sector market access as rules remain unchanged
Re: Got my family's Opt-out forms signed & sent off to the GP yesterday
As I understand there is some suggestion they'll stop honouring them in future because the type 1/2 opt-out differentiation is going away in favour of the 'national data opt-out' which GP surgeries must honour from September, so make sure you've registered with that too.
"Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until the Department of Health and Social Care conducts a consultation with the National Data Guardian on their removal."
And if you just filled in a GP form for a type 2 opt-out it will be ignored because:
"GP practices must no longer use the type 2 opt-out codes to record a patient's opt-out choice as they are no longer collected or processed."
Leaving the unsurprisingly shambolic possibility that people who believe they're opted-out won't have.
Re: I just walk away
Online supermarkets seem to be doing it lately post-login. I suppose airlines and supermarkets both attract bots trying to book slots, scrape prices constantly, or something like that?
I'd like to suggest I get a pound every time a company I'm paying makes me do a captcha, to help motivate them to find less irritating solutions to their bot problem (maybe they should just put up with it?). But the truth is they can probably already see a greater loss of sales than that in their usage stats and yet they're still doing it.
BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw
Re: Need trapping
You're both wrong. In general at hardware level they're neither signed nor unsigned, just fields of bits which are typeless other than for their width. Many common arithmetic instructions function exactly the same whether they're operating on bits you choose to interpret as unsigned integers or two's complement signed integers and so the instructions are ambivalent (but will set flags to enable you to check afterwards for conditions on both). Even when instructions or registers are notionally intended for specific types (signed/unsigned/pointers) they're routinely used for the 'wrong' type by compilers, sometimes in line with the CPU manufacturer's own optimisation advice, so the typing is really just a naming mechanism to refer to slightly differing functionality.
It's up to language designers to use the tools already available. Types exist at language level. The trouble is not the extra instruction but that checking for overflow generates a branch and modern CPUs hate branching. More so since the speculative execution game got leashed. The other issue Rust designers have found is that doing anything halfway useful after detecting overflow imposes a lot of limitations on general code optimisation, because the fault code needs to understand what was going on when it got triggered.
Billions in data protection lawsuits rides on Google's last-ditch UK Supreme Court defence for Safari Workaround sueball
Signal app's Moxie says it's possible to sabotage Cellebrite's phone-probing tools with booby-trapped file
Re: "We have strict licensing policies that govern how customers are permitted to use etc"
Agreed, I'm sure if they were being more honest they'd say they mean their policy is strict but that's not enough to prevent the technology falling into the wrong hands. And if they were being still more honest they might say their *written* policy is strict but not always strictly adhered to when enough money is on the line.
Still, it's a PR line that precedes Signal's blog post, and it's clearly intended to give the impression their technology won't fall into the wrong hands so it seems weirdly inappropriate here when it just has done. (But what do I know, it's probably some textbook PR gaslighting voodoo).
Cracked copies of Microsoft Office and Adobe Photoshop steal your session cookies, browser history, crypto-coins
Re: Open options
I may have mislead you with the word 'Very'. We're only talking a few hundred columns (not even hitting Calc's much hated col limit) by less than a hundred thousand rows. Excel proves perfect for the job every time, and is only one step in a toolchain that probably includes whatever you're thinking is the correct tool.
Nevertheless they prove very large from the perspective of other spreadsheet software.