Can anyone explain
Why is a key logger in any way useful in a mouse or audio driver?
For the second time this year, HP Inc has had to patch its laptops after a security researcher found a driver-level keylogger – and this time, other laptop-makers might have to check their own products. The debug trace was in the Synaptics Touchpad driver used almost across-the-board in HP laptops, and while it is turned off …
Possibly on-screen keyboards. If you have a touchscreen laptop, keycodes might be generated via three different mechanisms (physical keyboard, touchscreen soft keyboard, touchpad operated soft keyboard) and you might want logging to ensure they are all working consistently.
Some of them may intercept keyboard shortcuts, and mouse/touchpads can generate key sequences to be assigned to buttons or gestures. I may somehow understand such code in debug builds, but it has to be fully removed from production ones; being 'protected' by a registry key is not enough.
That's why I hate languages that don't have IFDEF or something alike, to easily allow removal of code from production builds.
"That's why I hate languages that don't have IFDEF or something alike, to easily allow removal of code from production builds."
Feel smart, hey? In which language were these written, do you think?
In this case, Synaptics f'd up as they left dev stuff in the enduser software. The audio driver, apparently, was another issue entirely causing the same effect, keyloggers on punters' systems ....
I didn't mean this instance bug was due to a lack of IFDEF or similar facilities - just the less people are trained to separate and isolate debug code from production one, and the increased number of languages believing preprocessors are bad (just because C allows to do nasty things with it), the more debugging code will be kept in production environments.
That Synaptics left the keylogger code there is really nasty. Probably someone thought it would have been smart to leave it in there protected by a switch, instead of isolating it in sections that could be removed in production builds.
A language doesn't really need a preprocessor as powerful - and dangerous - as C. But some facilities to remove code from the final output are usually welcome.
"But some facilities to remove code from the final output are usually welcome."
They usually exist as well, but it takes more work to use them. For example, if you're using vanilla JavaScript then there's no ifdef, but if you're using it with a compiler (transpiler) and a linker (webpack) then you can use ifdef-loader. Python has ifdef.py. I'm sure you can do something similar with Ruby etc.
The issue is really that ifdef only makes sense if there is a "build" step and with an interpreter that isn't automatic so pre-processor functionality can never be as consistent.
Even with scripting languages it would be very useful to have standard facilities available everywhere, and not depending on some third party efforts which may introduce issues, to transform a "source" file to a "production" one removing correctly code marked in some way. I understand just copying files is easier, but it may also become a security liability. Or we can keep on preferring easiness to security.
Sometimes even when there's a "build" step such facilities have been removed for "purism" - just look at Java. Using switches is dangerous (they can be activated by bugs or intentional attacks), while compiler side effects made code harder to read.
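Added example, not part of the thread and not Synaptics or HP code: the two approaches argued over above, side by side, showing that a runtime switch leaves the trace path in the shipped binary while conditional compilation removes it. All names (`DRIVER_DEBUG_TRACE`, `runtime_trace_enabled`, the handlers) and the sample scancodes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample scancodes and a stand-in for the driver's trace sink. */
static const unsigned char sample_keys[] = {0x1e, 0x30, 0x2e};
static unsigned char trace_buf[64];
static size_t trace_len;

/* Stand-in for a registry value read at start-up: anything able to
 * write it (a bug, an installer, malware) turns tracing on. */
static int runtime_trace_enabled;

static void trace_store(unsigned char sc) {
    if (trace_len < sizeof trace_buf)
        trace_buf[trace_len++] = sc;
}

/* Variant A: trace code ships in every build behind a runtime switch. */
static void on_key_runtime_switch(unsigned char sc) {
    if (runtime_trace_enabled)
        trace_store(sc);
}

/* Variant B: trace code exists only in builds made with -DDRIVER_DEBUG_TRACE. */
#ifdef DRIVER_DEBUG_TRACE
#define TRACE_KEY(sc) trace_store(sc)
#else
#define TRACE_KEY(sc) ((void)(sc))
#endif

static void on_key_compiled_out(unsigned char sc) {
    TRACE_KEY(sc);
}

/* Set the switch, feed the sample keys through a handler, count what was kept. */
static size_t recorded(void (*handler)(unsigned char), int switch_value) {
    runtime_trace_enabled = switch_value;
    trace_len = 0;
    for (size_t i = 0; i < sizeof sample_keys; i++)
        handler(sample_keys[i]);
    return trace_len;
}

int main(void) {
    printf("runtime switch, off: %zu\n", recorded(on_key_runtime_switch, 0));
    printf("runtime switch, on:  %zu\n", recorded(on_key_runtime_switch, 1));
    printf("compiled out, on:    %zu\n", recorded(on_key_compiled_out, 1));
    return 0;
}
```

Built without `-DDRIVER_DEBUG_TRACE`, variant B records nothing whatever the switch is set to, which is the property a release build should have.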
If we're being pedantic, there's no such thing as an "interpreted language", there are simply interpreted implementations of languages. Interpreters exist for C and there are compilers for JavaScript buried in the bowels of JS VMs (two of them in the case of V8).
Dunno about for audio, but it would be useful for mouse, especially if you want to allow modifier keys (eg Fn+Click does something special).
Looking at the screenshot, it mentions "stick" and "SuppressAfterKeypress" - I am thinking this is maybe to do with "nipple" mice?
I think what it maybe does is suppress movement of the mouse while you are typing - maybe without it, the vibrations from keypresses wobble the mouse pointer around.
I know that Dell uses a Synaptics driver on some of its touchpads. I own two Dell laptops that both use a Synaptics driver and I just repaired my sister's Dell XPS laptop that (had) the Synaptics touchpad driver as well.
I say "had" because she had a trojan as well as a fileless rootkit in the Windows RUN registry hidden by a null character so rather than take a chance I replaced the hard drive and fresh OS but never installed the Synaptics touchpad driver.
(The touchpads work just fine on all 3 Dells with the generic Windows drivers)
You have a point that the driver in the operating system may be written by Synaptics as well.
However, I don't see anything under the Synaptics name when I did a registry search or listed in the Windows Device Manager.
According to another researcher, HP did not remove the keylogger in their newer version after the Audio driver fiasco and could be enabled in the registry just like this new keylogging incident.
(Or did I not read the researcher's Twitter correctly? It was confusing.)
https://securityaffairs.co/wordpress/66502/hacking/keylogger-hp-driver.html
Look at all that juicy profit we made when we took the business decision not to test our shit properly for mistakes.
Software coders, to use an analogous comparison, building architects
If your structure does not hold up, you will be known as a cowboy.
The same needs to apply to software, what makes you think you're so special that we should just tolerate your mistakes?
I can foresee a future when software developers go to jail for their stupid mistakes, that's my prediction.
How long before a software coding mistake results in the loss of life on a grand scale, can you predict the next 100 years?
I think I can do a bit of extrapolation
"How long before a software coding mistake results in the loss of life on a grand scale, can you predict the next 100 years?"
Toyota accelerator pedals? ECU receives conflicting signals - fully open throttle and fully applied brake, so decided to act on the throttle signal and leave the brakes to fend for themselves.
People died as a direct result. Quite a few. Was anyone prosecuted?
As an anecdote about software failings, the Toyota accelerator pedal really isn't a very good example.
On Wikipedia, we find a somewhat different version of events:
'On February 8, 2011, the NHTSA, in collaboration with NASA, released its findings into the investigation on the Toyota drive-by-wire throttle system. After a 10-month search, NASA and NHTSA scientists found no electronic defect in Toyota vehicles. Driver error or pedal misapplication was found responsible for most of the incidents. The report ended stating, "Our conclusion is Toyota's problems were mechanical, not electrical." This included sticking accelerator pedals, and pedals caught under floor mats.'
Bad design (maybe), bad pedal layout (maybe), but bad software? Fake news.
"Bad design (maybe), bad pedal layout (maybe), but bad software? Fake news."
Readers who dig deeper, e.g. with primary sources, will find that NASA and NHTSA investigators were initially denied meaningful access to important parts of the Toyota design and implementation, which may account for the claim that "NASA and NHTSA scientists found no electronic defect in Toyota vehicles."
Reputable experts who did eventually get better access to design info that mattered came to very different conclusions than the NASA/NHTSA quote above.
Read the facts, and draw your own conclusions. Further definitive reading includes any or all of:
https://www.eetimes.com/document.asp?doc_id=1319903 (25 Oct 2013)
"Could bad code kill a person? It could, and it apparently did.
The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.
This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.
The plaintiffs' attorneys closed their argument by saying that the electronics throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error.
[continues]"
https://embeddedgurus.com/barr-code/2013/10/an-update-on-toyota-and-unintended-acceleration/ (26 Oct 2013)
"Michael Barr, a well-respected embedded software specialist, spent more than 20 months reviewing Toyota’s source code at one of five cubicles in a hotel-sized room, supervised by security guards, who ensured that entrants brought no paper in or out, and wore no belts or watches. [continues]"
http://www.safetyresearch.net/blog/articles/toyota-unintended-acceleration-and-big-bowl-%E2%80%9Cspaghetti%E2%80%9D-code (7 Nov 2013)
"Last month, Toyota hastily settled an Unintended Acceleration lawsuit – hours after an Oklahoma jury determined that the automaker acted with “reckless disregard,” and delivered a $3 million verdict to the plaintiffs – but before the jury could determine punitive damages.
What did the jury hear that constituted such a gross neglect of Toyota’s due care obligations? The testimony of two plaintiff’s experts in software design and the design process gives some eye-popping clues. After reviewing Toyota’s software engineering process and the source code for the 2005 Toyota Camry, both concluded that the system was defective and dangerous, riddled with bugs and gaps in its failsafes that led to the root cause of the crash.
Bookout and Schwarz v. Toyota emanated from a September 2007 UA event that caused a fatal crash.
[continues]"
https://betterembsw.blogspot.co.uk/2014/09/a-case-study-of-toyota-unintended.html
"Here is my case study talk on the Toyota unintended acceleration cases that have been in the news and the courts the past few years."
https://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf (18 Sep 2014)
You can read about Koopman himself at
https://users.ece.cmu.edu/~koopman/
(CMU is Carnegie Mellon University, where Koopman is Associate Professor)
etc
"Bad design (maybe), bad pedal layout (maybe), but bad software? Fake news."
Question. Did this issue affect other car makers to the same extent? Even 90% the same extent? Hell, I'll settle for 70% the same extent, on a per car/per capita type basis.
Just Toyota? But surely if this is driver error you'd see a similar rate across similar styles/price ranges of cars.
I still haven't figured out how you can have your floor mat UNDER your pedal when you first put your foot on it but SOMEHOW the mat gets between your foot and the pedal without you noticing.
(El Reg we still need that "something fishy" icon!)
It is called Agile and is the reason that so much shite software is produced. Agile is touted as the "must have" methodology to develop. The reality is that it is a piss-poor sorry excuse conjured up by management consultants and highly paid idiots that believe they are developers. The result is constantly changing software that is full of bugs that no one gives a toss about because it has been delivered quickly. They then use the next "sprint" to layer another pile of untested shite on top of what is already there.
As with all these fads some other equally bonkers scheme will come along to improve productivity, responsiveness or profit for someone.
Or, more accurately arrest the Project Manager that told the developers to get the code done on x date or they're fired.
I can say with certainty there are few qualified software developers that WANT to ship shoddy code. But, if "the boss" says there is no budget for fixing problems and testing, then you get what you get.
There is never time to do it right, and rarely even time to fix it until the customers start suing.
"...debugging code the developers forgot to remove from production models."
I suspect this was the cause of the Volkswagen diesel commotion. Then the software passed a test brilliantly. After that, Management said to Resources: "You are not going to be difficult about this, are you?"
Maybe we ought to slow down here.
How certain are we that this is not an effort by HP to install a keylogger as the result of some secret order by US authorities, now that they have finally managed to get Kaspersky out of the way?
Against this theory: discovered by an independent security researcher
For: recent efforts.
I'd want that "update" checked too first. Just in case.
1. Take any HP equipment you or your family own and smash it sufficiently so it's beyond use. There, that's better.
2. Ask yourself what you were thinking ever trusting HP for anything.
3. Ask yourself again. Remind yourself that HP hasn't made a decent product since the original Laserjet and the HP-12c. Remind yourself of what idiots HP management are. Remember Meg Whitman, who even made Hillary Clinton look nearly honest and upstanding.
4. Add them to the list of companies who will never receive any more money from you (see also: Sony, Microsoft.)
5. Calm down and have a beer. You can buy a new computer in the January sales.
"1. Take any HP equipment you or your family own and smash it sufficiently so it's beyond use. There, that's better."
I thought that was the default state of their consumer-grade laptops anyway? Though not so much smashed as cooked due to a) stupidly designed cooling system and b) even stupider lack of thermal cutout...
No need to smash it. Just let it run for an hour or two and it'll make sure the electronics are all nice'n'toasty for you.
You have not read the article, it is in the Synaptics software, written by Synaptics, not HP specific. It has been found on HP devices.
"Take any laptop with a Synaptics touch pad and smash it." That will cover most laptops and who is to say that what you replace it with does not have some other hidden gem?
Dumb oversight or the new normal? ... Maybe it was deliberate because 'you know, the data might be useful sometime' (see early classics like LG Smart TVs slurping USB filenames or googhoul street-slurp etc). Or let's be friendly to the 5-Eyes... Either way, the number of reasons to air-gap your PC just went up like Bitcoin returns in 2017. 2018? Ain't going to be better...