Mini-Heartbleed info leak bug strikes Apache, airborne malware, NSA algo U-turn, and more

As ever, it's been a doozy of a week for cybersecurity, or lack thereof. The Equifax saga just keeps giving, the SEC admitted it was thoroughly pwned, and Slack doesn't bother to sign its Linux versions. We do spoil you so, Reg readers. And that was only yesterday. Here's the rest of the week's shenanigans we didn't get round to …

  1. Semtex451

    While not software security, you ought to mention Amazon's odd suggestions hiccup:

    https://gizmodo.com/amazon-hello-customer-you-appear-to-be-making-a-bomb-1818524365

    1. handleoclast

      @Semtex451

      Ummm, because it's not a hiccup.

      It's telling you what other customers bought as well as that item. So if you bought a dildo it might suggest a big tub of KY jelly, not because it has any knowledge of sexual activities but because it knows that other customers bought those in combination. Like if you buy a soldering iron it might suggest a reel of solder and a desoldering pump. Or if you bought the Despicable Me CD it might suggest DM 2 and DM3 as well. Not because it has any idea of what those CDs are, or even that DM 2 and DM 3 are sequels to DM, but purely because some customers bought them together.

      Anyone with the slightest knowledge of how this stuff works (so not the TV company, then), knows that this is the case.

      What is worrying is that enough people bought those items in combination for Amazon to suggest them.

      1. tom dial

        Quite so. A human clerk with a little knowledge might alert on some of the "purchases together" and possibly even notify someone in authority and indirectly prevent an incident. A machine, without the additional programming that, by now, is being reduced to specifications or code, not so much.

        I expect the fact they are seeing these things bought together (or by the same individual at slightly different times) is evidence that the intelligence and craftiness of terrorists is on the decline.

        1. handleoclast

          Re: human clerk

          @tom dial

          Ummm, maybe. How many purchase clerks have a good knowledge of chemistry? And they would be easy to foil by ordering each item from a different supplier.

          For example, there are legitimate uses for aluminium powder. There are legitimate uses for finely ground iron oxide. In fact, both have legitimate uses in producing coloured concrete, amongst other uses. So even a human clerk with a good knowledge of chemistry might not see anything wrong with both being purchased together (especially if the purchase includes a load of cement), even though aluminium powder and iron oxide powder can be combined to make thermite.

          Not so many legitimate uses for magnesium ribbon, though (it's hard, but not impossible, to ignite thermite without it). But that wouldn't be available from the sort of outlet that supplies aluminium and iron oxide powder for colouring concrete, so a human clerk still wouldn't see any connection because the magnesium would come from a different supplier.

          Amazon and eBay orders are processed automatically, so there's no human clerk to notice you've purchased aluminium powder, iron oxide powder and magnesium ribbon. Software checks could be implemented, but so far have not been.

          Then again, not so long ago I was looking at the price of aluminium powder. I had a vague idea in mind as an additional enhancement to something I was vaguely considering doing (the whole project never got beyond an idle speculation). Totally unrelated to thermite. But in eBay's search results for aluminium powder were thermite kits. Aluminium powder, iron oxide powder and magnesium ribbon. Because there are legitimate uses for thermite.

          Oh, and there are legitimate uses for 36% hydrogen peroxide. Go to Boots and you can only get 5% (if that), because terra-ists can use more concentrated hydrogen peroxide to produce explosives. But hairdressers use the 36% stuff, and can get it quite easily (on eBay, for example).

          It's going to be hard to deal with this sort of thing. Because if the terrorists ever cotton on, they'll have different people purchase individual items. Split their purchases over eBay, Amazon and others. Etc. Stagger the orders over weeks rather than doing them all on the same day. Recruit people in different towns to make the purchases. Etc. There are legitimate uses for most of the stuff that can be used to produce nasty things, so you can't really ban them outright.

          Shock horror! Arsonist burns down building using petrol which he ignited with a box of matches. Newspapers call for a ban on both.

  2. aregross

    "Adaptive access control firm SecureAuth announced plans to merge with vulnerability discovery outfit Core Security on Wednesday."

    This sounds like something to invest in... You're Welcome! Send half your profits to me.... OK, I'll settle for 30% :P

    ... oh and de-soldering pumps suck! (pun intended) I'm not sayin', I'm just sayin'. Braid every time for me.

  3. Anonymous Coward

    "There are quite a lot of people in NSA who think their job is to subvert standards"

    There are quite a lot of people in NSA whose job is to subvert standards. It doubtless says so in their job description, and like the Stasi and the KGB before them, they harm their fellow citizens with the religious zeal of someone who believes they are performing a patriotic duty.

    There is no point blaming these moral simpletons though, as they work for a thoroughly poisonous organization whose priorities are set by the political leadership. And we know what ethical characteristics you need to get to the top of that greasy pole.

    1. Nick Z

      Re: "There are quite a lot of people in NSA who think their job is to subvert standards"

      A recent study has found that simply being a part of a group can make you more dishonest and less moral, than you would normally be as an individual.

      https://www.eurekalert.org/pub_releases/2017-09/ifor-llp090617.php

      Perhaps this explains how governments end up violating people's freedoms and rights and doing all kinds of unethical things. While individual dissidents often point out the wrongs and protest them.

      1. FlamingDeath

        Re: "There are quite a lot of people in NSA who think their job is to subvert standards"

        Sounds like something out of the Milgram experiment.

        Pro-tip: You are responsible for your actions, always. 100%

      2. Sierpinski

        Re: "There are quite a lot of people in NSA who think their job is to subvert standards"

        Researchers discover "peer pressure".
