* Posts by A random security guy

130 posts • joined 20 Apr 2019


Here's a headline we never thought we'd write 20 years ago: Microsoft readies antivirus for Linux, Android

A random security guy Bronze badge

Run like crazy

No Microsoft software.

NEC insists its face-recog training dataset isn't biased, but refuses to share details of Neoface system with UK court

A random security guy Bronze badge

NEC will never let go of its data sets

Just the nature of NEC; it will never let go of its IP. However biased. It just doesn't make sense for ANY country's legal system to outsource the training data set to a foreign agency. Essentially, the UK government just abdicated its responsibility to protect its citizen's privacy and legal rights to a foreign entity.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too

A random security guy Bronze badge

Will this be a problem for embedded device certs?

If we have an embedded device which has a tiny web server (e.g. router, temp monitor, etc.) and it supports TLS, then do they expect the embedded server to renew its certificates every year or so?

For that to happen automatically, they need to be connected to the internet. However, many of these devices should never be connected to the internet.

After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors

A random security guy Bronze badge

Re: LAEDA Omissions!

Thanks for explaining your position. It would be helpful if you could show how the crypto would actually work. That is a multi-billion dollar solution. We would all be interested in knowing how you are going to do this. Brilliant minds have failed.

A random security guy Bronze badge

Re: stupidity out of ignorance or avarice

Can I steal your comments?

Hey NYPD, when you're done tear-gassing and running over protesters, can you tell us about your spy gear?

A random security guy Bronze badge

When police beat up protestors

Hard to watch but this is similar to what happened in DC so that trump could get his photo-op.


RIP ROP, COP, JOP? Intel to bring anti-exploit tech to market in this year's Tiger Lake chip family

A random security guy Bronze badge

I can see a lazy programmer disabling it if he can

Just finished an audit of some code, and the programmer was ranting about DEP. Seems like it got in his way of inserting unsigned and untested code.

UK.gov dangles £400k over makers of IoT Things: Go on, let's see how you'd make a security cert scheme

A random security guy Bronze badge

Re: What about our networks?

Because we never designed our systems to be designed that way. It is a design problem, not a user error.

A random security guy Bronze badge

Re: My simple request for Kitemark.

You assume that a customer knows what to do. Assume I sell you a million webcams with a guarantee for security updates for 10 years. After 3 years I decide to shut shop and retire. You installed these devices at YOUR customer's premises (a grocery chain?) and you also made a ton of money and retire.

The grocery chain knows how to move vegetables. They have no IT skills.

Old Joe installed the webcam at his home but he got run over by a truck. His widow is now getting scammed by people watching her ...

A random security guy Bronze badge

Re: Educate consumers

By that you mean not only consumers but the developers in the Bay Area who are actually building these devices right? You mention security and they say they don't have the time, ship the products without a security assessment and even hide their schedules and software from the security team.

If that is the attitude, how can you blame the common man?

Clearview AI sued by ACLU for scraping billions of selfies from social media to power its facial-recog-for-cops system

A random security guy Bronze badge

Other tech companies are upset because they could make money off it

"Tech companies have also tried to thwart Clearview's slurping of photos. In February, Google, YouTube, Twitter, and Facebook all served the startup cease-and-desist letters ordering it to stop stealing images from their platforms, and to delete existing pics in its massive database"

The only reason FB, Twitter, and others will object is if they can't monetize that information they have collected. When was FB ever interested in our privacy? They want to sell our information, pure and simple.

Even if it breaks the law.

eBay users spot the online auction house port-scanning their PCs. Um... is that OK?

A random security guy Bronze badge

Re: I wouldn't buy insurance then

I’d like to know too.

Galaxy S20 security is already old hat as Samsung launches new safety silicon

A random security guy Bronze badge

A chip helps but doesn't make something secure

How many devices have ARM's TrustZone? And how many actually use them? And how many devices actually inject keys into the devices? And which software actually uses the processors?

The secure element that Samsung is making needs to be USED properly. I'll believe it when I see it.

Microsoft announces official Windows package manager. 'Not a package manager' users snap back

A random security guy Bronze badge

Because they are MS they will prevail

They are Microsoft. Whatever broken system MS comes out with, it will prevail. That is how MS has always operated. It starts killing the competition right away by putting a question mark regarding the viability of their competitors' product life.

So familiar:

Find a popular product space.

Make a badly implemented competing product.

Rinse and repeat.

My bet is that they also talked to all the companies with the professed intention of acquiring them and then, after learning everything from them including their revenue model, dumped them and started a project with the same PM who ran the evaluation game.

Rogue ADT tech spied on hundreds of customers in their homes via CCTV – including me, says teen girl

A random security guy Bronze badge

ADT does NOT sell security

ADT just makes you feel good and complacent about security. In reality, most of their systems can be hacked. What you get is lower insurance premiums. And the hope that the burglars make off with your old toaster oven and not your life.

Cyber attack against UK power grid middleman Elexon sparks in-house IT recovery efforts

A random security guy Bronze badge

Re: AC Amperes....

I can just imagine the shocked look of my professor... if I had used those words ages ago :).

A random security guy Bronze badge

Re: What ?

I think we are putting the onus on the people and assuming that a perimeter mindset and security training alone would work.

I would like to postulate that operations should not be so porous as to allow a simple workstation hack to bring down the castle.

This is really back to basics: badly engineered systems that have been configured and maintained poorly.

A random security guy Bronze badge

Re: Backups

A sophisticated hacker would infect backups for months before pulling the trigger.

FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

A random security guy Bronze badge

When a Google engineer says no to something obvious

I'd suspect that some PM in Google is actually envisioning something along the lines that the security guys are worried about.

GitHub blasts code-scanning tool into all open-source projects

A random security guy Bronze badge

Re: Because GitLab?

Yup. Even their business approach is flawed. Now with GCC including static code analysis, these vendors will have to lower their prices and also make it easier to work with them.

Long after Linux, Windows Server Containers finally arrive on Microsoft's Azure Kubernetes Service

A random security guy Bronze badge

Re: Only a Matter of Time

I don’t think their business processes have changed even a bit. It is just that the advent of the iPod, then the iPhone, the cloud, the business around cloud services, the rapid growth of better web services APIs, the non-SQL database systems, etc. left MS behind and for the first time exposed to the whole world and themselves what a laggard they were in everything.

Plus the fact that the entire software security ecosystem was really fed by MS. It was only after the DoD twisted its arm that MS even decided to look at security.

Even then, MS is still playing catch-up on securing its systems.

If it weren’t for AAPL or Google, we would still be struggling with Palm PC.

On the embedded side they tried to take over with Windows Embedded.

So, no, your brother has a big heart but the machine will do what it always does.

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

A random security guy Bronze badge

Re: Great to have a tool but...

I audit C code and I hear these mystifying comments all the time:

1. “Once the code is tested we don’t need to have the checks in place.”

2. “These parameters have been checked before.” Yeah, right. Probably at a certain point in time.

3. “Prove to me that this is a security issue.”

4. “This code is complex because...”. Trust me, if I can’t read a snippet of code after 40 years of programming no one else should waste their time either.

5. “Only Jack/Jill/Godfather can explain what this code does”.

6. Please add a few more.

Right now I am fighting a Program Manager who doesn’t believe her project needs to fix a Critical website vulnerability.

India says 'Zoom is a not a safe platform' and bans government users

A random security guy Bronze badge

Zoom is the breach. Sometimes keys were served out of China, 80% of their workers are in China, their end-to-end encryption is a lie, they run analytics (and probably transcription), and they have very close relationships with hacking schools in China.

After intense scrutiny, Zoom tightens up security with version 5. New features include not, er, spilling video calls to network snoops

A random security guy Bronze badge

So they are using AES-GCM? and decrypting at the server? With what keys?

Don't trust them at all.

What does "using AES-GCM" even mean?

How is the counter mode managed?

How is the key chosen?

How is the key exchange performed?

How are users actually authenticated?

Why are they decrypting at the server?

Are they running analytics or transcription services on the streams?

Can we question their engineers and support staff about their accessing the data? I know we can't; 80% are in China.

Any company that deliberately wrote extra code instead of using TLS for secure streaming is suspect.

Attack of the clones: If you were relying on older Xilinx FPGAs to keep your product's hardware code encrypted and secret, here's some bad news

A random security guy Bronze badge

Agreed. Did a good job.

A random security guy Bronze badge

Most people don't realize how vulnerable FPGAs are

Talked to a famous device company here in the Bay Area. The engineers claimed that no one would be able to steal their IP because their bitstream was so complex.

And no one could hack it and make their devices do dangerous things like killing people because (see above).

Hence they didn’t need to encrypt their bitstream. Nor did they want to sign it.

You're a botnet, you've got a zero-day, so where do you go? After fiber, because that's where the bandwidth is

A random security guy Bronze badge



Zoom adds Choose Your Own Routing Adventure to keep chats out of China

A random security guy Bronze badge

Only paid accounts? What about end to end encryption?

Is this a joke? Everything can and will go through Analytics and maybe speech to text.

Routing with a dubious encryption algorithm, clear text on the server, single key, a virus type installer on Mac, etc.

OTOH WhatsApp has been able to achieve the lofty goals except that it is owned by Zuck. So there is that. But technically Zoom could use the Signal protocol. But how will they make money? And the Chinese military will not be happy.

Cloudflare dumps Google's reCAPTCHA, moves to hCaptcha as free ride ends (and something about privacy)

A random security guy Bronze badge

First honest statement about blockchain

"[The] company only uses blockchain technology when it's appropriate. 'If there is no multi-party transaction there's less benefit to it, although having an immutable audit log can be nice in some scenarios.'"

Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay

A random security guy Bronze badge

Re: Anti-mortar system?

Damn. I was thinking of a giant badminton racket.

White House creates 'Team Telecom' to probe whether foreign telcos should be allowed near US networks

A random security guy Bronze badge

Too little Too late?

All our IoT devices, laptops, phones, etc. are riddled with security bugs, call home features, spyware, etc.

Throw in Zoom. Add printers, scanners, car parts, etc.

Round it up with a large amount of disposable capital.

Isn’t it too little too late?

China has grabbed the end points.

Or is it just the large companies we are worried about?

For the past five years, every FBI secret spy court request to snoop on Americans has sucked, says watchdog

A random security guy Bronze badge

Some observations about the report

1. FISA was bound to be abused due to the secrecy

2. The nature of the violations are not clear.

3. Most warrants are requested in a hurry, with no real oversight. They are bound to have issues.


4. Was this review used to clear Carter Page?

5. Is the FBI being dismantled and/or being made the boogeyman?

6. The investigation was run by the very people who support Carter Page.

7. The heads of the organizations are clearly not capable of defending their organizations as they report to trump.

I am absolutely against the PATRIOT act and the way FISA works is wrong.

But one has to wonder if this is a case of the executive branch neutering our FBI to protect one of their own.

China and Taiwan aren't great friends. Zoom sends chats through China. So Taiwan has banned Zoom

A random security guy Bronze badge

People ignore security issues

Just saw a note from a person, a technology director at a video streaming company, who said that Zoom’s security issues aren’t a problem because the ease of use is more important.

Someone asked him if he had read Bruce Schneier’s blog. He was very dismissive.

Another was a CISSP who stated that the issue was overhyped.

So it is very clear that people don’t care unless they are personally impacted. Like they get fired or lose money.

AMD dials 911, emits DMCA takedowns after miscreant steals a load of GPU hardware blueprints, leaks on GitHub

A random security guy Bronze badge

Re: Hardware blueprints of a GPU... ok...


UK.gov is not sharing Brits' medical data among different agencies... but it's having a jolly good think about it

A random security guy Bronze badge

I thought that politicians were the STI

You have to cross the pond to see it in action.

California tech industry gets its first big coronavirus hit: RSA Conference attendee infected, in serious condition

A random security guy Bronze badge

No one going to an MS conference will get infected. Professional courtesy.

Chips that pass in the night: How risky is RISC-V to Arm, Intel and the others? Very

A random security guy Bronze badge

Re: Also security risks..

Never attribute to malice that which is adequately explained by stupidity.

A random security guy Bronze badge

Re: Been here before

A technicality, but Andy Grove was not considered one of the founders of Intel. He was employee number 3 so I guess we are splitting microns.

A random security guy Bronze badge

Re: Installed base

Intel moved to a RISC core ages ago. It makes sense. The x86 architecture, based (sort of) on the VAX architecture, is successful because of the RISC simplicity. They also have had a lot of expertise in building RISC processors: the 80960 was a processor I worked on.

And as someone pointed out: more ARM processors get shipped than x86 chips.

If you ever have to use AWS, you will see ARM processors as options. I have seen this story before: IBM had to lose market share on the lower end (they were EVERYWHERE) to DEC PDP/VAX which gave way to Sun Sparcs, which gave way to Intel, which gave way to ARM. All of this was happening at the lower end. And soon, the scale of the invasion overwhelms the entrenched processors.

A random security guy Bronze badge

Re: The trade war changed everything

There are several ways to fight. You can either have a pitched battle (World War I) or drive around the Maginot wall. We chose the direct frontal attack. It has its advantages, especially when you have overwhelming superiority. I guess we don't have the financial clout any more. China can do as it pleases.

A more subtle approach escapes the general US public's view of the world, however. Sometimes I am ashamed and sometimes I think it is our strength. This time it is not the best thing we could have done.

A random security guy Bronze badge

RISC-V extensibility may kill it

If every CPU vendor could extend the RISC-V instructions to his liking, we would have an incredible software mess.

Look, I work in security and one of the major reasons ARM processors are so hard to lock down and boot securely (most hardware manufacturers skip the start entirely) is that there may be very little in common between processor families from the same CPU vendor, let alone different CPU vendors. As far as I am concerned, TrustZone is a vague suggestion to CPU vendors to do something. Each CPU vendor implements TrustZone differently.

Every part number may have to be set up differently and the software has to be customized differently. And a little bit of 'different' is the difference between secure and not-secure. The kernel patches are exhausting to maintain.

And that is just about security.

ARM is trying very hard to fix that by shipping its own version of software (e.g. mbed) but that is a hard sell: companies are not willing to be tied to a single vendor of anything, even free.

I can see China using RISC-V to create a whole class of instructions that give them a competitive advantage. The software stack may be the decider, though.

Check Point chap: Small firms don't invest in infosec then hope they won't get hacked. Spoiler alert: They get hacked

A random security guy Bronze badge

Secure by default?

I think people designing and implementing software are not making software (and HW) secure by default.

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

A random security guy Bronze badge

Decapping and retrieving the master key: 1 day?

It would take a day at most for a company doing reverse engineering in China (yeah, you can reverse engineer most processors there) ... The only obstacle would be the small scale. Just a matter of money.

A random security guy Bronze badge

A single key used as a KEK for an entire product

Why would they even do that? There are better ways of generating, storing, and protecting keys in HW during manufacturing. Unless Intel, in its infinite wisdom, decided to 'simplify' this whole process by simplifying the injection of keys.

WTF. Basic ABC of root of trust.

It has been 15 years, and we're still reporting homograph attacks – web domains that stealthily use non-Latin characters to appear legit

A random security guy Bronze badge

The Unicode standard tries very hard to make characters that look the same map to the same Unicode character across many scripts, e.g. many Han (CJK) characters belong to both the Japanese and the Chinese character sets and have the same Unicode.

In fact, most scripts use the same numeral system.

However, as this article points out, it is still possible to have two very similar looking characters with different codes. It just slips through or it just happened that something that looks like an 'o' also exists in another script. To pull the 'o' from one script into another can create a pockmarked character set making many string operations difficult; (is 'o' < 'p') if 'o' is pulled in from another script?

There are also political ramifications.

Pulling in characters from other, similar scripts can create a sudden rise in the temperature of the injured party. However, if the characters look similar, it is probably because they fought a few battles leading to an exchange of ideas and knowledge.
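A defender-side screen for the mixed-script look-alike domains the article and the comment above describe, added here as an example (it is not code from The Register or the commenter). It uses only Go's standard-library script tables; Han, Hiragana and Katakana are folded into one group because a Japanese label legitimately mixes them, and digits are treated as script-neutral, matching the point above that most scripts share a numeral system.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Script groups used for classification. Han, Hiragana and Katakana are one
// "CJK" group (Japanese labels mix them); anything outside the listed tables
// is "Other".
var scriptGroups = []struct {
	name  string
	table *unicode.RangeTable
}{
	{"Latin", unicode.Latin},
	{"Cyrillic", unicode.Cyrillic},
	{"Greek", unicode.Greek},
	{"CJK", unicode.Han},
	{"CJK", unicode.Hiragana},
	{"CJK", unicode.Katakana},
}

func scriptOf(r rune) string {
	for _, g := range scriptGroups {
		if unicode.Is(g.table, r) {
			return g.name
		}
	}
	return "Other"
}

// LabelScripts returns, in first-seen order, the script groups of the letters
// in one DNS label. Digits, hyphens and other non-letters are skipped.
func LabelScripts(label string) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range label {
		if !unicode.IsLetter(r) {
			continue
		}
		s := scriptOf(r)
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// IsMixedScript reports whether any label of host mixes letters from more
// than one script group, the shape a look-alike such as Cyrillic-a "аpple"
// takes. An all-Cyrillic or all-Latin label passes: this is a screen, not a
// full confusables comparison.
func IsMixedScript(host string) bool {
	for _, label := range strings.Split(strings.ToLower(host), ".") {
		if len(LabelScripts(label)) > 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed samples; the second starts with Cyrillic U+0430, a Latin-a look-alike.
	for _, h := range []string{"apple.com", "\u0430pple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"} {
		fmt.Printf("%s mixed=%v labels=%v\n", h, IsMixedScript(h), LabelScripts(strings.Split(h, ".")[0]))
	}
}
```

Feed it the Unicode form of a hostname (decode any xn-- labels first); a flagged label is a signal for a closer look, not proof of abuse.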

What do a Lenovo touch pad, an HP camera and Dell Wi-Fi have in common? They'll swallow any old firmware, legit or saddled with malware

A random security guy Bronze badge

The idea of Zero trust is to do your OWN security checking and not let someone else (the perimeter) do your checking for you. Perimeter checking has gotten us into a state where 90% or more of IoT devices don't even have a password for authentication. Each component must verify its inputs and outputs. That is just good engineering.

If I want to build a reliable hardware product, I want to check all my inputs (length, types, buffers, commands, etc.) rather than have MS Windows verify it for me. Firmware upgrade verification is just another type of verification. Just an ECC or an RSA check against a public key burnt into OTP/ROM/etc.

Having done tons of these devices, I have realized that the manufacturers do not want to do any software as they only make money off the sale of parts, not software. Hence the reluctance.

A random security guy Bronze badge

Re: So what?

There are solutions ... Some processors have the OTP (One Time Programmable) option to boot even when the signature check fails if a particular line is held high (or low). There are other variations to the theme.

Nothing prevents a manufacturer putting a jumper on the board to help bypass the signature verification. That way, people like us can use the system for white-hat analysis.

A random security guy Bronze badge

Re: Reality

Signed firmware is just ONE of the fundamental tools we use to protect against hackers. Without signed firmware, it is hard to prove (impossible?) that what the processor is running is legit. That doesn't mean that signed firmware will protect you from buffer overruns and other memory issues, MITM, etc.
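A worked illustration of the "ECC check against a public key burnt into OTP/ROM" described in the two firmware-verification comments above, added here as an example and not code from the commenter or any vendor: the vendor signs the image once, and the device verifies it against the embedded public key, rejecting a tampered body or an image signed with some other key. Generating the keys in-process stands in for a factory key ceremony (an assumption for the demo).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a constructed update package: firmware body plus a detached ECDSA P-256 signature over SHA-256(body).
type Image struct {
	Body []byte
	Sig  []byte
}

// SignImage is the vendor-side step, run once per release with a key that never leaves the vendor.
func SignImage(priv *ecdsa.PrivateKey, body []byte) (Image, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Image{}, err
	}
	return Image{Body: body, Sig: sig}, nil
}

// VerifyImage is the device-side check; pub stands in for the public key burnt into OTP/ROM.
func VerifyImage(pub *ecdsa.PublicKey, img Image) error {
	if len(img.Body) == 0 || len(img.Sig) == 0 {
		return errors.New("reject: empty body or signature")
	}
	digest := sha256.Sum256(img.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], img.Sig) {
		return errors.New("reject: signature does not match embedded public key")
	}
	return nil
}

// Demo returns (genuine accepted, tampered body rejected, wrong signing key rejected).
func Demo() (bool, bool, bool, error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	imposter, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	body := []byte("constructed firmware v1.2: read sensor, report over AES link")
	img, err := SignImage(vendor, body)
	if err != nil {
		return false, false, false, err
	}
	genuine := VerifyImage(&vendor.PublicKey, img) == nil
	tampered := Image{Body: append([]byte(nil), img.Body...), Sig: img.Sig}
	tampered.Body[0] ^= 0x01 // flip one bit of the body; the signature no longer matches
	tamperedRejected := VerifyImage(&vendor.PublicKey, tampered) != nil
	wrongKeyRejected := VerifyImage(&imposter.PublicKey, img) != nil
	return genuine, tamperedRejected, wrongKeyRejected, nil
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine accepted:", g, "tampered rejected:", t, "wrong key rejected:", w, "err:", err)
}
```

As the comment says, this only proves the image came from the key holder; it says nothing about memory-safety bugs inside that image.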

A random security guy Bronze badge

I completely disagree. I have led teams of security engineers where we did secure firmware updates on extremely low powered devices. These devices run for 20 years on a pair of batteries and communicate using encrypted communication (nowadays it is AES).

We have probably 50 million of these devices out there.

It is possible to do these things with careful design and implementation. Many processors don't permit these things directly so you have to use good design principles.

Furthermore, our devices were evaluated for security vulnerabilities by well reputed research labs, security testing companies, and certain government agencies.

Sketchy behavior? Wacom tablet drivers phone home with names, times of every app opened on your computer

A random security guy Bronze badge

Can we file a lawsuit using CCPA in California?

Apple would be interested in knowing that Wacom is spying on their equipment. Time to test if the CCPA has any teeth.



Biting the hand that feeds IT © 1998–2020