Posts by Loyal Commenter

Re: Instilling new timeframes of thought in a world beset by faster/shorter.

From the Wikipedia article on the Richter Scale:

"3.0–3.9 ... III to IV ... Often felt by people, but very rarely causes damage. Shaking of indoor objects can be noticeable. "

I would be absolutely astounded if a clock designed to last 10KA isn't designed to withstand the shaking equivalent to a large truck driving past outside, let alone significantly more. Given the amount of effort put into it, I reckon they might have considered this one...

Re: Still use Delphi

.NET executables are not run-time compiled. Both C# and VB.Net compile to the same bytecode. It might be runtime-linked and interpreted, but for most use cases, the performance hit is nowhere near the order of magnitude that people like to make out, and unless your application is CPU-bound, you're unlikely to get any noticeable benefit from compiling down to native code using a fully-compiled language. There are plenty of use cases for that sort of thing (real-time embedded code, for example), but by-and-large, desktop applications are not one of them. If an application is slow, it's most likely due to poor programming, not the choice of language it is written in.

Re: Still use Delphi

Oh really?

I've just done a release build of a Windows console app, written in C#, which comes in at 347KB, plus about 5MB for the libraries it uses (one of which is Entity Framework, which isn't exactly feature light).

Windows services aren't much more, technically, than a console app, with some different entry points. If I didn't need to do the data access, and logging, that 347KB would be all it needed to be.

Where are you getting that extra 150KB from?

Looking at another release we've got, there's a complete windows service, which is 253KB plus the same 5MB odd for libraries, so a standalone service (that doesn't do data access or logging) written in C# is significantly smaller than 600KB.

Your only valid point remains the requirement for the .NET Framework for the RTE. It's the nature of the beast for bytecode-compiled languages. You'll need to qualify your reasons for calling it a "horrible fucking kludge" - I take it you object to JAVA for the exact same reasons?

Re: Commodity..

open source doesn't need to make a profit

Only if you can find some programmers who don't need to eat, clothe themselves, and have somewhere to sleep...

To be fair, a docx file isn't executable, it's a zip file full of XML files (you can prove this by renaming it as .zip and opening it).

The fact that some contents may be interpreted as commands and executed by Word is the fault of Word, not of the file format per se, and I believe later versions fo Office products won't run macros by default.

Re: this report found shit all over $artefact$

The old "more bacteria than a toilet seat" thing ignores that fact that most toilet seats get a clean at some point, and the idea is that you do your business through them, not on them. Pretty much anything that never gets sterilised (or cleaned with bathroom cleaner) is going to have more bacteria on it.

The key things here are which bacteria in any case, not how many, and if I were to find, for example, more e coli on a phone than on a toilet bowl I would start being concerned.

Re: “unlikely event that admins have neglected to upgrade web servers”

If your hardware uses TLS 1.1 (or worse TLS 1.0, or even SSL3) and they haven't provided a firmware upgrade to fix it (and it is a fix, because those are vulnerabilities) then you should seriously be considering replacing that hardware, especially if it is in an enterprise environment. Attacks can, and do, come from within the corporate environment, and if you're using unsupported gear (such as switches, firewall devices, et al) then you have a vulnerability that should be fixed. End of.

Going from memory, the vulnerability in TLS 1.1 is currently theoretical, but could become a real threat in 5-10 years, the flaw in TLS 1.0 is exploitable by a determined attacker to e.g. hijack SSL sessions, and SSL3 is practically exploitable with a RaspPi.

Re: Frankensolutions

You don't work for Union Carbide do you?

Re: Ministry of names...

I think if you named your (presumably son) Mjölnir, he may get teased for being a tool...

Re: Too many words..

The residents of Monmouthshire might disagree with you, but then good luck finding someone who lives there who is actually Welsh and not an archetypal little-Englander...

Re: Ben-Gurion University

The point I was alluding to was that if you can compromise the computer to get the malware on, why not use the same mechanism for getting the data off?

For instance, if the machine is air-gapped, you must be getting the malware on via an external storage device. If you can get it in once, undetected, to get the malware on, the odds are you can get it in a second time to get the data off again.

Similarly, if the malware gets on via something like a poisoned link in an email, that presupposes network access, in which case that sounds like a far more likely route out again. Ignoring, of course, the fact that the access to that dodgy link would probably be spotted right away by any half-competent network monitoring, and the machine scrubbed.

I don't want to downplay the cleverness of all the various side-channel data exfiltration techniques but I do question their usefulness and applicability, considering that the target is either going to be in a windowless basement somewhere, with the sort of security that carries rifles, in which case, good luck seeing the screen, or accessing anything that can see it, or the target isn't going to be secure in the first place.

This kind of limits the usefulness to situations where not only do you manage to physically access the air-gapped machine to compromise it, but you also somehow manage to compromise other security aspects around it (camera systems, etc.), in which case, as the number of required exploits rises, so does the possibility of discovery. Good old-fashioned rubber-hose cryptography becomes the easiest route over the James Bond stuff.

Re: Another 007 scheme ?

In front of a (presumably sensitive) air-gapped machine in TEMPEST conditions? Nope.

I would hazard a guess that TEMPEST includes not taking your phone into the room with you, and quite possibly not the building, or indeed the site.

Re: Ben-Gurion University

Their methods all seem to have one thing in common:

Step 1) Gain access to a protected system and install malware on it

Step 2) Come up with some wacky way to exfiltrate the data from the already compromised computer that is orders of magnitude less difficult than getting the malware onto the computer in the first place...

Re: Better title

I consider myself suitable chastened.

Of course, I would expect sudo is available in many if not all types of *nix, not just the penguin-flavoured ones. I'm assuming it's the same in all of these, although I will confess to not knowing much about the deep innards of various OSs - presumably various *nix flavours bear enough similarity for sudo to operate in the same way in each, and for it to be compiled from the same source (potentially with OS dependent libraries)?

It does highlight the chain-of-trust that is assumed with tools such as this, and the potential need for some forensic analysis of flaws in such...

Re: Better title

Seems sensible. Presumably both of those distros are including a version of sudo that comes from the same verified source (if not the same version). Wikipedia tells me it is maintained by Todd Miller, but doesn't reveal whether it is a team effort, or entirely the fault work of one man...

*foom*

You're a sandwich

And your second wish?

Re: Better title

I'd argue that if the flaw is in the source (even if not the default configuration) then the flaw is in the compiled code. Whether it's turned on or off is largely moot, the alarming thing is that such a flaw exists in sudo.

If by "configuration", what is being talked about is whether the code in question is compiled in or not (i.e. due to an #IFDEF section), then it's slightly less alarming, although still alarming that such flawed code should make its way into the "official" source.

I am assuming here that such things are tightly controlled, and someone somewhere is responsible for maintaining an "official" source for the sudo command. Presumably, it's low-level enough to be distributed with the kernel (I've never dug into the innards of *nix enough to know, TBH, I don't fancy losing myself in that particular time sink). I would guess that various distros don't go around rolling their own forks of sudo for shits and giggles, because frankly, as a security practice, that would smell very bad.

Re: SUDO and +s is a design weakness

...a program running as root that receives user commands...

This is also a potential security hole; you'd better make sure your program has no flaws, or buffer overflow exploits, and if it allows a user to run certain other commands with root privileges, then those programs themselves have no such flaws.

By doing this via a common well-recognised route (sudo), you reduce that attack surface to only the vulnerabilities in sudo itself. Admittedly, in cases such as this, if sudo has a buffer overflow flaw, then you've got a problem. However, a known flaw (that gets patched, hopefully very quickly) is better than a hundred unknown flaws that may be getting exploited for years without you knowing anything about them.

Security is hard. Rolling your own is almost never the right solution. I am, frankly, astounded that something as basic and ubiquitous as sudo has such a flaw, not least because I would have expected it not to have changed substantially in many years. Whoever is responsible for doing that particular code-review needs a spanking, as does whoever is responsible for doing a security audit of the build. After all, a root escalation exploit in a tool used for controlled root escalation is an obvious place to look for well known flaws such as buffer overflows.

Re: "an update that reduces infection range to 1m or less"

See also: accessing the Wi-Fi across the street using a Pringles can, where "highly directional antenna" also means "normal antenna with a suitable waveguide"...

Re: SIMs

SIMs are easier to clone than cryptographically signed security dongles.

Presumably you would arrange for a fallback auth method to revoke a lost dongle, so you're not locked out.

PS. the verb you're looking for is lose, unless you're referring to the dogs of war...

Re: 3 laws for AI

Also worth remembering that in Asimov's books, humans never encounter any intelligent alien species, because the three laws mean that the robot pioneers that went first exterminated everything, in order to "protect" humanity. Maybe there should be a -1th law about not committing genocide on a galactic scale?

Re: Eurosceptics

...which it is also worth pointing out, is purely descriptive (as one who fears or hates the EU). They probably hate the term as well, since it's from the Greek Εὐρώπη (Europe) and Φόβος (Phobos).

Re: Seven years, not four

Thanks for taking this one and running with it @Dave K. Sometimes I like to argue with CJ for sport, I can just imagine the veins on his temples throbbing at the idea that someone might not agree with him. Today, I just can't be bothered with baiting the trolls.

It's not quite that simple though, is it. If you've "bought" your new handset on a 24 month contract, you can't just go skipping off after 3 months without paying some pretty hefty termination fees. Most people seem to be on 18 or 24 month contracts these days, so the opportunity to get someone to switch networks happens for probably 1 month every 2 years, if that customer can be bothered. Which most can't.

Re: that reason's name is "Organised Crime"

Well, yes and no. When police are investigating a crime, it's often useful to get information from a network operator about phone locations, using cell tower triangulation. This can be used to prove whether someone's phone was in a general area in a rough time-frame (about 30 mins IIRC depending on how often the phone communicates with the base station). It's not much use if they can't find out the SIM identity of the person they're looking for (be it perpetrator or victim) because they were using a throwaway PAYG SIM.

There are, of course, other issues of privacy around this, which is why the police should have to get a court order to access such information, but just remember - if you're the BOfH and you're going to go into the woods to dump a body, best leave your phone at home...