Re: Soft is hard
Sometimes the "software" is used to work around hardware bugs.
Posts by A random security guy
246 posts • joined 20 Apr 2019
Intel's latest patch set plugs some serious holes in CPU, Bluetooth, server, and – ironically – security lines
FBI drops subpoena to identify readers of USA Today article about shootout with agents
Thursday 10th June 2021 04:53 GMT 
Curious about a few things
1. FBI knows a person of interest was reading that particular article on that site in a particular window of time. How did they know that? They intercepted some communication?
2. FBI thinks that all readers of such articles are persons of interest.
3. The FBI found the information they needed using another method. Did they hack in? Or did the owner just give them the information?
Ahem, Huawei, your USB LTE stick has a vuln. I SAID AHEM, Huawei, are you listening?
Why did automakers stall while the PC supply chain coped with a surge? Because Big Tech got priority access
Wednesday 2nd June 2021 17:58 GMT
Automakers are brutal to their suppliers. Didn't work with chip companies
Most of the points raised by others are valid. Automakers and their suppliers have a very dysfunctional and incestuous relationship. The suppliers are normally at the beck and call of the automakers. Automakers are also very demanding about quality, price, and JIT. Yeah, all three. Qualifying parts for the auto industry is also a long process.
Most of the electronics is built by suppliers and if the automaker can't fund the supplier to fund excess parts while demanding JIT, a shortage is inevitable.
OTOH Chip companies have many customers. They will sell to whoever locks in the capacity. There is definite impedance mismatch here.
Wednesday 2nd June 2021 17:48 GMT
Re: Everything needs intelligence these days, except my Harley.
I still remember having to tune my dad's non-computer car every 6 months. It took a lot of time to get it to work properly. With computers doing non-linear control systems and various other optimizations, I do get a carefree ride.
And yes, I drive a 2013 Prius. Haven't taken the car into a shop. Ever. Don't trust those guys.
Wednesday 2nd June 2021 17:43 GMT
Re: They only have themselves to blame
Your point is correct. I think people club EV and Autonomous systems together as they are coming in close together when time is measured in terms of decades :).
Also, EV cars lend themselves to Autonomous driving as they are fully electronically controlled and we will see them lead the charge.
Autonomous cars definitely need more CPU power.
JBS Foods ransomware gang: White House 'engaging directly' with Russia about attack on massive meat producer
Air India admits to data breach impacting 4.5m customers, sat on the news for five weeks
Monday 24th May 2021 06:11 GMT
We are going to make a security breach announcement using HTTP as HTTPS .
HTTPS is too difficult/superfluous/e don't know what it is ... pick your excuse. Tried using HTTPS and was bounced back to HTTP.
Just another stupid lowest bid wins organization which can't get its head wrapped around quality.
Doncaster insurance firm One Call hit by not-dead-at-all Darkside ransomware gang
Monday 24th May 2021 05:52 GMT
Re: This is what happens when you
Being a cynic with 20+ years security experience, paying a $100m for security is not going to get things done if the rest of the organization blocks your progress. I had a program manager block all security updates because she had to get features out. The security features were tied to our friendly WordPress and would have directly connected the hacker to the payment portal.
It's been a year and she still bristles and sabotages all security work.
Naah, she is not the exception. I have old-timers in another company nuke every security project. These are experienced men.
Just grit your teeth and hope the management wakes up.
Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days
Monday 24th May 2021 03:29 GMT
Most companies consider security guys as obstacles to getting their stuff done
The real reason why one company I work with has not yet patched something for 1 year is because they are on a tight timeline (for a year) and can't use the security engineers they hired to do the work. They have reassigned the security engineers to do UI work.
Toyota rear-ended by twin cyber attacks that left ransomware-shaped dents
China hauls in 13 web giants for ‘supervision interviews’
South Korea orders urgent review of energy infrastructure cybersecurity
Colonial Pipeline was looking to hire cybersecurity manager before ransomware attack shut down operations
Sunday 16th May 2021 17:43 GMT
Re: On the bright side.
They will listen and do whatever they were doing before. The mandate has to come from the CEO and the board. Really the board has to politely tell the CEO that he needs to have the problem fixed. The CEO has to tell the yearly compensation and review committee that security has to be part of the employee KPI.
Thursday 13th May 2021 18:56 GMT
I wonder if oil companies made more money
Just like in the Texas freeze, where some companies made a lot of money, I wonder if people made a lot of money off the scarcity and fear.
Apart from that, they have to spend billions upgrading the equipment in the field. Why bother. That is the cynic in me. I see this every time.
Beijing twirls ban-hammer at 84 more apps it says need to stop slurping excess data
Britain to spend £22m influencing Indo-Pacific nations' cybersecurity policies against 'authoritarian regimes'
Wednesday 12th May 2021 14:36 GMT
About the comment about fighter aircraft from Russia and the West
India, I believe, flies Russian Sukhois and MiGs along side French, British fighter/fighter bombers, US helicopters, surveillance & drones aircraft, and Israeli drones. Throw in some Italian choppers and Brazilian aircraft. All they now need to do is to buy a few Swedish Gripens to complete the logistics nightmare.
Wednesday 12th May 2021 14:26 GMT
Doesn't the UK hoover data?
The UK doesn't have a good record. They have been implicated in looking into people's lives a bit too closely online and also with wire-taps and such. They also share the data with other countries without due process and also spy for other countries in order to get around due process requirements in those countries.
Finally, the UK has been trying to legislate backdoors into encryption.
Given those data points, I would like to ask the UK if they are the right advisors in this area. We could rely on the US instead; obviously the NSA and the CIA will give us better advice (sarcasm)
Tesla Autopilot is a lot dumber than CEO Musk claims, says Cali DMV after speaking to the software's boss
Saturday 8th May 2021 15:22 GMT
I live and work in an area infested by Google, in Mountainview, California It has the highest concentration of ADAS cars around. From many different companies. Late at night (2am) I see more autonomous cars than people driven cars.
I have always wondered if they can see my dachshund but I have decided not to test my theories. Dogs are better than humans.
Privacy activist Max Schrems on Microsoft's EU data move: It won't keep the NSA away
Big right-to-repair win: FTC blasts tech giants for making it so difficult to mend devices
Friday 7th May 2021 20:23 GMT
Battery and other realities
Not supporting AAPL. I remember when the iPhone first came out and we found out through AAPL engineers (yeah, they weren’t locked down so hard at that time) that a major reason they glued the battery was the drop test.
I was working on another phone product and we all nodded our head; we knew that our phone’s battery covers and many times the batteries would go flying off.
Moreover the contacts would not after some time and that was pure headache.
I can change iPhone batteries in roughly 5 minutes; who says nerds can’t impress girls.
In iPhone 12 it seems that cameras are paired so you can’t swap cameras.
TouchID is another area where any damage means you are not going to be able to use it for anything other than a push button.
Waterproofing is another reason you have to glue down components.
Most people have dropped something in the water. Dropping a $1200 phone in the toilet is not fun.
So yeah, it is a good goal to make repairability a high priority. But it may not be that easy.
Ransomware crooks who broke into Merseyrail used director's email address to brag about it – report
Thursday 29th April 2021 03:55 GMT
Re: Transparency
I was wondering about it too. Also, people's trips that were not disclosed to a significant other, people playing hooky from work, etc.
This will also be a good test of Britain's post-Brexit GDPR. compliance. We will find out if they really want to still treat Privacy as a human right or an MI5 right.
Do you expect me to talk? Yes, Mr Bond, I expect you to reply: 10k Brits targeted on LinkedIn by Chinese, Russian spies
Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months
Tuesday 20th April 2021 07:13 GMT
The usual answer I get from developers is: How ill anyone even know I have a key hidden in the binary? You can't expect them to run the software through a filter. I have one case where the key is compiled into the firmware and is present in the source code in GitHub but doesn't use GitHub secrets.
Monday 19th April 2021 18:50 GMT
Flawed integrity check of a bash script can be hacked
The Codecov integrity check itself can be hacked because the version string extracted from the shell file is neither properly quoted nor validated. Here is the proper Twitter reference:
https://twitter.com/lorenc_dan/status/1383598341347368967?s=19
What we know is the LAST file. There were many changes to the hacked file so we don't know what else the script could have done.
I was able to do a few more things with the flawed integrity check described at https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script
curl -s https://codecov.io/bash > codecov;
VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
shasum -a $i -c --ignore-missing <(curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM)
done
FOSS developer survey: Mostly male, employed... and many don't care about 'soul-withering chore' of security
Monday 19th April 2021 22:31 GMT
Real examples will prove why security is difficult
Security is difficult but the main issues are related to people's mindset. Examples:
1. I discover a WordPress bug. PM punts the already tested dot security only update to after Black Friday. Site gets hacked. Client spends a month digging themselves out of the hole. Cost? Don't ask. We made a lot of money billing them.
Moral of the story? PM fires the implementation team.
2. Client believes that encryption of firmware is good enough. Digital signing is only for others. Appealed to the executives to get our contract terminated. One year later Codecov happened. Now they are scrambling to cover up their loss of IP. And yes, they stuck the symmetric keys in source code as no one will be able to figure it out.
Moral of the story? Managers don't care that they tried to burn the security people. We are expendible.
3. Vulnerable jQuery. Refused to update since we had not shown them all the ways they could be exploited. I told them that weaponization would take 2 months. Updating with just require testing. Fortunately, the execs stepped in.
Moral of the story? I should have them for the 2 months to write the exploit.
4. Password stuck inside JavaScript. Admin password, that is. Checks if user is admin. If true, uses admin as password. Refused to fix the issue as no one would be able to figure it out. They did.
Moral of the story? Should have gotten that ass fired. Which they did a year later. He now works for PayPal in their senior mgt.
Intel offers to produce car chips for automakers stalled by ongoing semiconductor supply drought
Indian defense chief admits China’s cyber-weapons would ‘disrupt large number of systems’ whenever Beijing presses the button
Sunday 11th April 2021 01:39 GMT
Re: Good to recognise the threat early
Good luck. A country that took 15 years to buy 30+ planes, 15+ years to buy badly needed howitzers, etc. will probably never do anything till they have surrendered to the Chinese. I don't see anything other than bidding for the lowest price as the only criteria for product selection.
Sunday 11th April 2021 01:36 GMT
RF Jamming is pretty easy. China is a leader in drones. When I mention the porous nature of their entire Infrastructure, my Indian friends have no clue. Each and every system they have is hackable as they have not invested in cybersecurity. And bureaucracy of India demands the lowest cost bidder win the bid.
Even home routers are subject to attacks as they call home: to China. PC's, laptops, cellphones etc. have bloatware that communicates with China.
Every time I get a pushback from my friends, I show them how their favorite site that can be hacked.
The whole state of complacency and denial is interesting.
Airline software super-bug: Flight loads miscalculated because women using 'Miss' were treated as children
Intel accused of wiretapping because it uses analytics to track keystrokes, mouse movements on its website
Arm pulls the sheets off its latest Armv9 architecture with added AI support, Realms software isolation
Wednesday 31st March 2021 05:28 GMT
Will chip makers make everyone’s life hard?
They are using realms. Anyone who has used trustzone knows that the chip manufacturers have made life exceedingly hard for hardware and software engineers. Each part has its own variation on which bits to flip for a particular functionality, what features to provide, what those features mean.
Using Arm’s software layer locks you down.
Just looked at one processor today with trustzone and no rng, no ecc/rsa, half a secure boot, etc. Add to that the chip vendor convincing my hardware engineers that it is good enough for secure boot and security.
Moving software from one chip to their next generation requires a whole redo of the otp maps and how the system even boots.
I just see a mess.
China added 300 million 5G subscribers and a million 5G base stations in 2020
European Banking Authority restores email service in wake of Microsoft Exchange hack
Microsoft fixes four zero-day flaws in Exchange Server exploited by China's ‘Hafnium’ spies to steal victims' data
Wednesday 3rd March 2021 16:24 GMT
Why is Exchange so hackable?
It has been a while since I had anything to do directly with Exchange. I did get a look at a bit of their software 15 years ago and it was really badly written. Is it still like that? Probably. It is like Adobe's Flash; every month there were a zillion documented security fixes. And Flash took decades to die.
When will WE get rid of Exchange? Maybe MS is so used to patching things (to make billions) that it can't let go.
India's demand to identify people on chat apps will 'break end-to-end encryption', say digital rights warriors
Apple's latest macOS Big Sur update stops cheapo USB-C hubs bricking your machine
Sunday 28th February 2021 16:01 GMT
Apple M1 crashes all the time
You may be lucky. M1 MacBooks have been crashing a lot. I get 2-3 crashes a day. No amount of reimaging, reformatting, calls to Apple support have helped. Apple support will make you do all sorts of crazy things to collect data and makes you feel like an idiot.
The Apple forums are filled with people who are complaining about this system.
Connecting devices on USBc can crash your laptop more quickly.
One can get locked out of their accounts; macOS can refuse your password. macOS can also refuse to let you reinstall the OS. You then have to do strange things in the right sequence.
The m1 going to sleep can crash your machine.
Restore from time capsule can fail.
The worst has been Apple Support. You end up spending hours with them and all you get is a reformat reinstall advice. This literally takes 3 hours for me every time.
Sunday 28th February 2021 15:50 GMT
One can’t simply push 160 or any number of watts into a MacBook. The external power supply can set the voltage and the MacBook can draw the regulated current it needs and it is designed to regulate that current.
What could be going wrong is that
A. the wrong pins had the voltage set wrongly.
B. Extremely high voltage
C. Apple reading the voltage wrongly and set the current flow such that it overheated something internally.
AI brain drain to Google and pals threatens public sector's ability to moderate machine-learning bias
Nespresso smart cards hacked to provide infinite coffee after someone wasn't too perky about security
AMD, Nvidia, HPE tapped to triple the speed of US weather super with $35m upgrade
Thursday 28th January 2021 14:15 GMT
Re: Obsolete before delivery?
In theory, I agree. However, software rewrites take more time. This could be the one where lazy gets you 3.5 speed increase this time. And then the rewrite gives you a bit more. And in 2-3 years they will order the next system where they will have many more GPUs ...
Wouldn’t be surprised if they already gave the teams working on the specs. And Intel desperately trying to get into the game.
Live competition.
