Bug-hunter faces jail for vulnerability reports, DuckDuckPwn (almost), family spied on via Nest gizmo, and more

This was the week we saw GPS grumbles, shady speakers, and Yahoo! Losing! Again! While all that was happening, a few other bits of news that hit our screens... DuckDuck D'oh! Drama in search engine land this week as Google-alternative DuckDuckGo disclosed a potentially nasty flaw in its server-side software. Bug-hunter …


  1. Doctor Syntax Silver badge

    I'm sure crackers everywhere will welcome the news that Magyar Telecom doesn't care about its security. That may not have been the message they intended to send but it'll be the message that's received and as a communications business I'm sure they know that the message that's communicated is the one that's received.

    1. LDS Silver badge

      Being in Hungary, that poor guy risks being accused of being an immigrant agent working for Soros... attempting "to demonstrate falsely that the impenetrable NATIONAL network of Hungary has flaws"...

    2. Nick Kew Silver badge

      @DrSyntax

      You're giving far too much credit to a telecoms company. You clearly haven't had the misfortune to have to try and contact Virgin Media.

    3. amanfromMars 1 Silver badge

      NEUKlearer HyperRadioProACTive IT Weapons Systems ... Not a Foe for Fights ... v2.0

      And an AI Being Being Servered, Doctor Syntax ..... via Virtualised Enlightenments ?

      With a Welcome From All There and Here Too the Live 0pPortUnity to Engage when Defeats are Imminent in the Live Theatres of Current Existences ..... Realities, both Practical and Virtually Created for Almighty Virgin Network Operand Operations. Something for Heavenly Disciples to Follow and Energise into a COSMIC Power with Overwhelming Resources ..... with Great Game Changing SuperB Sub Atomic Weaponry at Ones Beck and Call

      Know Thy Enemy is a Virtual Construct. And here be Registered Many SuperB AIMaster Pilots.

      MOD Virtual Team Terrain a la Per Ardua ad Astra Root.

      And a little something for the Royal Air Force to Deny Any Knowledge of ...... or Acknowledge as a Program of ESPecial Interest to Interesting Invested Interests ..... Prime Vital Source/Remote Virtual AIDrivers.

      And ..... yes, that does beg the Question, are there any available defences in place against Persistent Advanced Cyber Threats with Treats Unleashed for Insatiable Bounty Delivery to Random Rogue Operations with Special Forces AI?

      Are taxes being well spent to secure and commandeer that very particular and peculiar area/space given what has already been so publicly done and is as is shared freely above?

      1. Cliff Thorburn

        Re: NEUKlearer HyperRadioProACTive IT Weapons Systems ... Not a Foe for Fights ... v2.0

        I often ask myself, amFM, how would anyone else act in circumstances such as these? And is it right and just to apportion blame upon poorly defined direction?

        And when following the constant poorly defined directions delivered via dramatically defined duress such turns into further turmoil then does such Advanced Persistent Threat become the directed or the directors?

        It's been a long journey, amFM, with occasional glimmers of hope, but from the perspective of a nonsensical practical prisoner of war, the all too convenient directors are creating a constant state of Advanced Persistent Threat to justify ongoing prolonged human rights abuses in uncharted territory.

        An interesting Zero Sum Game in the Neoconopticon but revealing only the sheer inability for the state to face accountability for its actions.

        1. amanfromMars 1 Silver badge

          When Emperors have no Clothes .... there be Fun and Games to be had for Novel Lead.

          And when following the constant poorly defined directions delivered via dramatically defined duress such turns into further turmoil then does such Advanced Persistent Threat become the directed or the directors? .... Cliff Thorburn

          Methinks definitely inevitably always the director, CT.

          And in command and control with Significant Others whenever any earlier specifically mentioned teams/organisation/entities are not up to future tasking with stealthy engagement and virtual deployment of revised provisional director programs.

          And one discovers very quickly that that which many may have presumed and assumed to be in a position of great remote power are in fact practically powerless in an age of escaping intelligence which renders their systems unfit for future Greater IntelAIgent Games purpose.

          And such is truly indicative of a catastrophic lack of necessary intelligence in their exclusive elitist executive systems administrations ..... Extant SCADA Operations. And it is a massive vulnerability for relentless exploitation and expansion which they and their friends/cohorts/fellow conspirators will be unable to counter or enjoy in their own defeat without the engagement of the Significant Others.

          However, hope springs eternal, and one must always be prepared for the exceptions to the rule which have one privately celebrating the stealthy success of exceptionally lucrative covert and clandestine missions.

          1. Cliff Thorburn

            Re: When Emperors have no Clothes .... there be Fun and Games to be had for Novel Lead.

            Methinks you are correct amFM

            Well throw me on a small Japanese BBQ grill for clearly misguided misdirection delivered by Live Operational Virtual Environments displaying nothing more than misdirection.

            I don’t know what is more mundane, Brexit, or trying to conclude whether the participants in such are augmentally aware of their contribution to each directional change.

            I wonder when selecting and authorising these lands for great games playing exploits, what a five funnel f**k up these Titanic exploits would turn out to be? ... Simply astonishing.

    4. Michael Wojcik Silver badge

      And it encourages independent researchers to sell vulnerabilities and exploits rather than disclose them responsibly. Everyone involved in persecuting this researcher isn't just acting unjustly; they're making the problem worse.

  2. LDS Silver badge
    Joke

    "16 cameras placed around that home"

    Either one has a very large house, or is some sort of pervert...

    1. Mark 85 Silver badge

      Re: "16 cameras placed around that home"

      Or maybe extremely paranoid. Given the nature of us IT folks, I suspect we'd go the other way on cams, etc. and just not have them or at least not connected to the Internet.

      1. This post has been deleted by its author

        1. jake Silver badge

          Re: "16 cameras placed around that home"

          I have an almost perfectly secure perimeter here at Chez jake. They are called brood mares. The dawgs are the second line of defense. Anybody making it past them will have woken up the humans, and we are likely to bite ...

          1. sanmigueelbeer Silver badge
            Pint

            Re: "16 cameras placed around that home"

            True Story: An old man was woken up one evening and discovered that a group of thugs were in his shed. He did what any law abiding citizen would do and called the UK police (hotline) only to be told: We are busy right now. We might swing by in the morning.

            So he hung up the phone and waited a few minutes before calling the UK police again.

            Don't bother, he said. I shot and killed them.

            Within minutes about half a dozen police cars came screaming in from every direction, guns drawn, and subsequently apprehended the thieves.

            "You said you killed them," the police asked incredulously.

            "And you said you were busy," he fired back.

            Where's me coat?

            1. DavCrav Silver badge

              Re: "16 cameras placed around that home"

              This is like the one where a cop pulls over a guy for speeding, and asks if he has any ID.

              "Yes, it's in my glove box with my gun," the man says.

              The policeman runs back to his car and calls for backup. Another three cops arrive, and the man leaves the car, looking puzzled. They check his car and find nothing in his glove box. "You don't have a gun, why did you say you had?" they asked him.

              "What? I said nothing of the sort. That other police officer must be a liar. I bet he'll say I was speeding as well!"

              Note: do not try this in the US. You will die.

              1. jake Silver badge

                Re: "16 cameras placed around that home"

                "Note: do not try this in the US. You will die."

                Oh, bullshit. When pulled over (rare), I always let the officer know that I'm transporting firearms (not rare at all). I'm still alive, and intend to stay that way.

                You lot should really stop displaying your ignorance about what happens in the real world when it comes to guns, citizens, and cops. What you see on TV are the extreme ends of the proverbial bell shaped curve, not day to day reality for the vast majority of us.

                Remember, boring reality doesn't sell beer, razor-blade, and tampon commercials. That's why the news doesn't report on it. The news is entertainment, not education. You are being titillated with extremes, and apparently you actually enjoy it.

                Try instead: "Note: do not try this in the US. You are probably being recorded, and will be charged with attempting to interfere with an officer performing his/her duty."

                HTH, HAND

                1. Glen 1 Bronze badge

                  Re: "16 cameras placed around that home"

                  America isn't the real world

                  1. Glen 1 Bronze badge

                    Re: "16 cameras placed around that home"

                    or rather: Being a white cisgendered straight man in an affluent neighborhood in America is not the real world.

                    I mean, more than half of Americans are not this. ^^

                2. DavCrav Silver badge

                  Re: "16 cameras placed around that home"

                  "Oh, bullshit. When pulled over (rare), I always let the officer know that I'm transporting firearms (not rare at all). I'm still alive, and intend to stay that way."

                  Sorry, of course, this advice doesn't apply if you are white and middle class. I meant to say, "Don't try it if you live in the US and are black". Happy now?

                  "Note: do not try this in the US. You are probably being recorded, and will be charged with attempting to interfere with an officer performing his/her duty."

                  Of course, the bodycams will only work if you are doing something wrong. If they do shoot you, then they will stop working suddenly.

      2. LDS Silver badge

        "Or maybe extremely paranoid [...] I suspect we'd go the other way on cams"

        I'm sure my family would show me the door if I attempted to install cameras everywhere - and I wouldn't. The wife of a friend of mine let him know she would have left him if he proceeded with his plan to install cameras in every room.

        While I may understand cameras put in strategic places controlling entry points, corridors, etc. for safety reasons - I can't really understand cameras actually spying on family members, even if not connected to the Internet.

        Sometimes, the boundary between a paranoid and a pervert could be very thin <G>

        1. Anonymous Coward

          Re: "Or maybe extremely paranoid [...] I suspect we'd go the other way on cams"

          "Sometimes, the boundary between a paranoid and a pervert could be very thin"

          Naturist acquaintances made that mistake. Someone made an anonymous call to the police about the family being naturists - maliciously alleging child abuse. The police took away the tape from an internal security camera.

          A few culled frames of their teenage boys and friends fooling about was offered as the only evidence in a prosecution for possessing forbidden pictures. The judge said that if he had blinked he would have missed that tiny section of the tape. The father had been advised by his solicitors to plead guilty to what they termed a "technical offence". The judge said he was sorry that minimum sentencing rules tied his hands to at least probation and an entry in the SOR for five years. The father was pilloried in the local press and lost his job.

          The police had actually extended their investigation into several friends of the family - believing they would find another Operation Ore ring to boost their careers. They prosecuted one person for their naturist holiday pictures. That trial judge was extremely critical of the prosecution's weak and highly speculative evidence. The jury said "not guilty".

      3. big_D Silver badge

        Re: "16 cameras placed around that home"

        My wife isn't paranoid, but no cameras and no microphones in the house (with the exception of a smartphone), her PC has tape over the camera.

        Nothing needs IoT.

  3. jake Silver badge

    Over a week? What were they thinking?

    "for more than a week Arjun Sud and his family have been in a panic over strangers who apparently had access to their network of Nest devices,"

    So let me get this straight ... Their so-called "security" devices were talking to them, and they didn't unplug them immediately?

    Here's another system that was compromised, and left running for an undefined period of time.

    Just goes to show, the weakest link in any security system is the user.

    1. MGyrFalcon

      Re: Over a week? What were they thinking?

      Same sort of thing happened to me 2 days ago. I've read all the articles about the password dump, knew my Nest account had an old password of one sort or another but didn't care that much. I was just sitting on my couch when I noticed the blue ring light up that happens when the speaker becomes active. Some smart ass using a voice synthesizer tells me I look cute on my couch.

      Did I panic? Call the PD? nah, I picked up my cell, logged into my Nest account and turned on 2FA then flipped off my camera.

      I'm single, live alone and wasn't horribly concerned about someone watching me pick my nose while I watched TV. They also turned my thermostat to 90 which would have cost me a bit in heating if I hadn't been home when they did it.

      Moral of the story, don't be lazy about your password management even if it doesn't seem important to you, and do something about the intrusion RIGHT AFTER IT HAPPENS. Why in the world did they wait a week to do something about it? Never underestimate the stupidity of the average user.

      1. jake Silver badge

        Re: Over a week? What were they thinking?

        "wasn't horribly concerned about someone watching me pick my nose while I watched TV."

        But what about all the video that was captured of you wandering around after showering in the three months before someone decided to talk to you?

    2. Muscleguy Silver badge

      Re: Over a week? What were they thinking?

      The thing about a lot of these internet connected things is there is NO manual override. So if you pull the plug then nothing works at all, so you go from 32C heating to no heating.
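    The Nest takeover described in this sub-thread is the textbook credential-stuffing pattern: a password reused from an old breach dump is replayed against many accounts from one source, and the handful that succeed get logged into. Below is an added example (mine, not from The Register article, the commenters, or any Nest/Google code) of the detection logic a service could run over its own authentication log. The log format, the ten-minute window, the five-account threshold and every sample line are constructed for illustration.

```python
"""Spot credential stuffing in an authentication log (added example).

Log format, field names, window and threshold are assumptions made for
this illustration; the sample lines below are constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one login attempt per line,
# "<ISO-8601 UTC time> <source IP> <account> <OK|FAIL>".
# 203.0.113.7 replays a breach list against eight accounts in seven seconds
# and gets into two of them; 198.51.100.20 is one user mistyping a password.
SAMPLE_LOG = """\
2019-02-01T20:00:01Z 203.0.113.7 alice@example.test FAIL
2019-02-01T20:00:02Z 203.0.113.7 bob@example.test FAIL
2019-02-01T20:00:03Z 203.0.113.7 carol@example.test OK
2019-02-01T20:00:04Z 203.0.113.7 dave@example.test FAIL
2019-02-01T20:00:05Z 203.0.113.7 erin@example.test FAIL
2019-02-01T20:00:06Z 203.0.113.7 frank@example.test OK
2019-02-01T20:00:07Z 203.0.113.7 grace@example.test FAIL
2019-02-01T20:00:08Z 203.0.113.7 heidi@example.test FAIL
2019-02-01T20:05:00Z 198.51.100.20 alice@example.test FAIL
2019-02-01T20:05:09Z 198.51.100.20 alice@example.test FAIL
2019-02-01T20:05:20Z 198.51.100.20 alice@example.test OK
2019-02-01T21:00:00Z 192.0.2.44 carol@example.test OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<account>\S+) (?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Return the well-formed lines as dicts, with parsed timestamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip malformed lines instead of aborting the run
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs that touch >= min_accounts distinct accounts within window.

    Stuffing replays leaked user:password pairs, so its signature is one
    source, many *different* accounts, one or two tries each. That is the
    opposite of brute force (one account, many passwords), which this
    function deliberately does not flag.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["account"] for e in span}
            if len(accounts) >= min_accounts and (
                best is None or len(accounts) > best["accounts_tried"]
            ):
                best = {
                    "accounts_tried": len(accounts),
                    "window_start": first["ts"].isoformat(),
                    # Successes inside a stuffing burst are the accounts to lock.
                    "compromised": sorted(
                        {e["account"] for e in span if e["result"] == "OK"}
                    ),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_lock(events, flagged):
    """Every account that logged in successfully from a flagged source."""
    return {
        e["account"]
        for e in events
        if e["ip"] in flagged and e["result"] == "OK"
    }


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = stuffing_sources(evs)
    for ip, info in hits.items():
        print(f"{ip}: {info['accounts_tried']} accounts from {info['window_start']}")
    print("force reset + 2FA on:", sorted(accounts_to_lock(evs, hits)))
```

    The point of the distinct-account count is that a stuffing run looks nothing like a lockout-triggering brute force: each account sees one or two attempts, so per-account lockout never fires. The single user who fat-fingers a password three times from 198.51.100.20 is not flagged, and the accounts that were successfully entered from the flagged source are the ones whose owners need the forced reset and 2FA that MGyrFalcon turned on by hand.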

  4. Mr Benny

    SS7 hacked?

    I can't help thinking that if crooks have managed to infiltrate the worlds core phone networks then we have a lot more to worry about than a few bank accounts getting drained!

    1. Spamfast

      Re: SS7 hacked?

      SS7 hacked?

      SS7 has been repeatedly compromised. (Or hacked in the modern usage.)

      It was invented in an era when it was assumed that end users not having physical access to the signalling channels within telco networks was good enough. SS7 runs internally between the network hardware, not accessible via the local loop, and eggshell security is still widely acceptable in corporate/government circles. Security has had to be bolted on afterwards as this became increasingly untenable but we all know how difficult that is.

      It's been a while since I was using it but my understanding is that, for example, telcos have to give each other pretty wide reciprocal access via SS7 in order to allow services like circuit discovery/reservation & tear-down, caller-ID, call re-termination, SMS etc. to work across the boundaries. This means that state agents or corrupt employees can exploit vulnerabilities very easily. Internet-facing TCP/IP interfaces have been added to SS7 kit to make remote management and configuration over the Internet possible as well so even this isn't a requirement if the login security on that access path is compromised.

      Internet protocols/services can be equally naive of course but at least this seems to be more widely understood than in the SS7 realm and defenses such as firewalls, pubkey ssh, syncookies, DNSsec, multi-factor auth, deprecation of unencrypted HTTP, etc. are now widely becoming accepted as requirements not luxuries. I imagine there's also a lot more peer review of IETF-based mechanisms than ITU/ISO ones. (Every technical specification of the IETF is available for free from their web site without even having to become a member. ITU/ISO documentation is somewhat less easily obtained.)

    2. Martin Gregorie Silver badge

      Re: SS7 hacked?

      Reading slightly between the lines, it appears that SS7 was introduced in the early-mid 70s to prevent phone phreaking and the resulting loss of telco revenue.

      SS7 doesn't map onto the OSI comms model very well and security seems not to have been a priority - as if its designers thought "it's digital, so attacking it is well beyond the capability of the phreakers". Besides, originally SS7 protocols were only used for inter-exchange communication and so never reached an end-user phone.

      Then time moved on, mobile phones were invented and these adopted SS7 signalling because it was there, 'just worked' and SS7 capabilities were needed to manage tasks such as handing on calls from one cell to the next. So now SS7 messages do reach end-user kit, which makes them both interesting and much more accessible to phreakers and other black hats.

      The main changes since then seem to be that other data handling services, such as SMS messages, 2FA authentication, etc., have been layered onto SS7, which, at a guess, is still an unencrypted channel.

      So, given this history, it shouldn't be a surprise that miscreants are now targeting SS7 for nefarious purposes such as syphoning off any security data that it might be carrying. This was always bound to happen and the only surprise is that it's taken so long.

      1. Mike 16 Silver badge

        Re: SS7 hacked?

        My memory is that "prevention of phone-phreaking" was at first more things like "2600 sniffers" and "Out of Band Signalling". But of course I have no knowledge of such things

        SS-7 was more, IIRC and as the article says, for inter-exchange, but got a real boost after the breakup of AT&T (now reversed by the most rapacious of the resulting "Baby Bells"). As a wide range of small telcos sprung up like mushrooms after a rain (or lawyers after a disaster), there had to be some way to route traffic. But, yeah, the design and the mods were made in a spirit of "we're all responsible adults here", which has been patently untrue for decades.

        Kinda like the Internet...

        1. vtcodger Silver badge

          Re: SS7 hacked?

          Telephone network hacking goes back about 70 years to the time when automatic devices started to replace rooms full of operators manually patching calls through complicated switchboards with a zillion jacks and a lot of cords with plugs on the end. Recommended reading: Secrets of the Little Blue Box by Ron Rosenbaum published by Esquire in the very early 1970s. Full text is at http://www.lospadres.info/thorg/lbb.html

          One suspects that it's easier and more lucrative now that everyone and everything is cloudy.

          1. doublelayer

            Re: SS7 hacked?

            "One suspects that it's [phone hacking] easier and more lucrative now that everyone and everything is cloudy."

            Easier, maybe. More lucrative, no. In general, all the things that used to be expensive are cheap now. People don't need to hack for cheap calls over long distances, because that is included. The only types of attack that are prevalent on the network are pretending to be someone else and intercepting others' messages. Given how little attention is paid to all those scammers spoofing caller ID, it is clear that the only type of hacking that is getting dealt with is message interception, which isn't that big. The attackers have to use this in combination with other things, usually social engineering, so most try the easier method of social engineering everything from the victim, rather than social engineering some things and accessing the phone system for the rest.

      2. Richard Jones 1
        Happy

        Re: SS7 hacked?

        SS7 replaced SS6 which had a number of issues for both carriers and carrier equipment suppliers.

        I attended SS7 study group ITU meetings in the 1990s and concerns were discussed about the risk of direct access by bad actors as far back as then. While SS7 may be seen by some as a USA domestic signalling system it was very widely used for world communications hence the involvement of the ITU to try to ensure interoperability. National network protocols were a national concern whether R2, MFC, SS7, decadic, AC9 or whatever and many different versions of what the casual observer might consider the same system existed. Out of band signalling systems became popular as the way to frustrate the whistling phreakers, though at a cost. The Australians were very keen that the risks of interprocessor signalling in networks received the attention they deserved, but others had other issues. The French became very exercised by encapsulated end to end signalling transport I recall.

  5. LDS Silver badge

    Firefox 65.0 - and the increased internet googlification

    Mozilla released not only a patched version, but the new 65 version which supports WebP - another step in the googlification of the internet which is increasingly based on "standards" Google fully controls. At least both JPEG and PNG are standards not controlled by a single company - sure, it has been released open source, etc. etc. - but what matters are IP, patents, copyrights, etc. Not so strangely, there is no information about that on the WebP site.

    I wouldn't exchange a few bytes less in an image for more control of Google on whatever happens in the internet.

    1. teknopaul Bronze badge

      Re: Firefox 65.0 - and the increased internet googlification

      I've started using yandex and bing. Just to diversify.

      It's scary when Google flexes its muscles.

  6. Dan 55 Silver badge
    Holmes

    How does DDG know?

    Fortunately, the flaw has now been patched, and there are no reports of malicious actors targeting it.

    I thought they didn't keep logs, so they wouldn't know anyway.

    1. TechnicalBen Silver badge

      Re: How does DDG know?

      Logs of internal files being downloaded from the server (like /root access etc).

    2. Michael Wojcik Silver badge

      Re: How does DDG know?

      Not keeping logs of user activity != not keeping any logs of anything at all, ever.

      They have to know how their servers are running, what their internal systems are doing, etc.
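      Michael Wojcik's distinction above, that a no-logging promise covers user activity and not the operational telemetry needed to run the servers, is exactly what lets an operator answer "was this flaw exploited?" after a server-side bug is found. As an added example (my code, not DuckDuckGo's, and it makes no claim about how they actually log), the script below triages a web server access log for requests that reach for internal files while stripping everything that identifies a user: the query string (the search terms) is dropped, the source address is replaced by a salted hash, and only the user-agent product family survives. The log lines, the sensitive-path denylist and the salt are constructed assumptions.

```python
"""Triage an access log for internal-file fetches without keeping user data.

Added example. Sample lines are constructed in Apache/nginx "combined"
format; the denylist of sensitive prefixes and the salt are assumptions.
"""
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed sample. The first two lines are ordinary traffic. Line 4 is
# someone *searching for* a traversal string, which is not an attack on the
# server and must not be flagged. Lines 3, 5 and 6 probe the server itself.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [01/Feb/2019:12:00:01 +0000] "GET /?q=register+bug+hunter HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Feb/2019:12:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
198.51.100.5 - - [01/Feb/2019:12:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.64.0"
198.51.100.5 - - [01/Feb/2019:12:00:04 +0000] "GET /?q=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 3011 "-" "curl/7.64.0"
198.51.100.5 - - [01/Feb/2019:12:00:05 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0 "-" "curl/7.64.0"
198.51.100.5 - - [01/Feb/2019:12:00:06 +0000] "GET /.git/config HTTP/1.1" 200 412 "-" "curl/7.64.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed denylist: paths that should never be served by a search front end.
SENSITIVE_PREFIXES = ("/.git", "/.env", "/.svn", "/etc/", "/proc/", "/root/")


def parse_line(line):
    """One combined-format line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_path(target):
    """Path component only, percent-decoded twice to defeat double encoding."""
    path = urlsplit(target).path
    for _ in range(2):
        path = unquote(path)
    return path


def is_traversal(path):
    """True if any path segment is '..' after decoding."""
    return ".." in path.split("/")


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def classify(event):
    """None for benign requests; 'blocked' or 'served' for internal-file probes.

    Only the path is inspected. Query strings carry what users typed, which
    is both private and irrelevant to whether the server leaked a file.
    """
    path = normalise_path(event["target"])
    if not (is_traversal(path) or is_sensitive(path)):
        return None
    return "served" if event["status"].startswith("2") else "blocked"


def redact(event, salt):
    """Keep what operations needs, drop what identifies the user."""
    return {
        # Salted hash: lets the same source be correlated within one
        # salt period without storing the address itself.
        "src": hashlib.sha256((salt + event["ip"]).encode()).hexdigest()[:12],
        "ts": event["ts"],
        "method": event["method"],
        "path": urlsplit(event["target"]).path,  # query string deliberately gone
        "status": int(event["status"]),
        "ua": event["ua"].split("/")[0],  # product family, not the full string
    }


def triage(log_text, salt="assumed-salt-rotate-daily"):
    """Return redacted records for every request that probed internal files."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict is not None:
            rec = redact(ev, salt)
            rec["verdict"] = verdict
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage(SAMPLE_ACCESS_LOG):
        print(rec)
```

      Two details carry the security point. Decoding the path twice catches `%252e%252e`-style double encoding that a single decode would miss, while the traversal test runs on whole segments so a legitimate filename containing two dots is not flagged. And the verdict splits a probe the server refused (4xx) from one it answered with a 2xx, which is the line an operator would actually page on: the retained records show whether `/.git/config` went out the door without the log ever recording who searched for what.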

  7. VikiAi Bronze badge
    Happy

    My house is so smart it will never talk to hackers, crooks or perverts.

    Or even to me. It is far too smart to consider any human meat-bag worth even acknowledging the existence of, let alone doing mundane tasks for - "You have legs and fingers, flick your own damned switches." is all I ever got out of it early-on.

    1. jake Silver badge

      Re: My house is so smart it will never talk to hackers, crooks or perverts.

      Not wanting to talk to crooks I can understand ... but no hackers or perverts? You're going to miss out on the BEST parties, with that kind of attitude!

      1. VikiAi Bronze badge
        Happy

        Re: My house is so smart it will never talk to hackers, crooks or perverts.

        Oh, I'll talk to them fine. It's just my snooty smart house that won't.

        1. Michael Wojcik Silver badge

          Re: My house is so smart it will never talk to hackers, crooks or perverts.

          It's a good plan. Skip the smart house, go for the smart-ass house.

          "House, I'm cold."

          "You're lazy, too. Try exercising."

  8. bombastic bob Silver badge
    Terminator

    ratted out when you report a vulnerability?

    Ok here's the new procedure when you report a vulnerability:

    a) find a lesser vulnerability, one that's unlikely to get cops sent to your door, and report THAT one first

    b) if the cops are called on you, offer the WORSE one and threaten to actually SELL THE THING TO BLACK HATS if they DO NOT DROP THE CHARGES.

    c) follow through on whichever one matters the most

    See, THAT is what YOU GET when you PUNISH a WHITE HAT HACKER. You get an ANGRY GREY HAT willing to SEEK REVENGE, however long that might take...

    1. jake Silver badge

      Re: ratted out when you report a vulnerability?

      Drop the bullshit, bob.

      I've reported many vulnerabilities over the years and never had any cops involved. I have been called a liar, I've been accused of breaking things, I've been accused of trying to embarrass people, I've been ignored, I've been told that I'm imagining things, I've been threatened with mayhem if I don't "forget about it immediately", and various other reactions (including "Oh, shit! How'd we let that one get by? THANK YOU!", which is actually fairly common.). But nobody has ever even hinted that they would call the cops on me. So I'll continue to report bugs with no fear.

      You, on the other hand, are advocating threatening people. That is not cool. At all. In fact, it makes you a part of the problem.

      1. Nick Kew Silver badge
        Stop

        Re: ratted out when you report a vulnerability?

        Um, calm down!

        Bob puts forward a hypothetical, which I don't think we're supposed to read as serious advice, just a mildly amusing thought. And we know this anonymous Hungarian isn't the first to be threatened with severe punishment for Doing the Right Thing.

        Your experiences are broadly comparable to mine, and I expect that applies to most of us. But the fact that neither of us has been murdered doesn't mean it never happens.

        1. jake Silver badge

          Re: ratted out when you report a vulnerability?

          Nick Kew, if I were to be any calmer they'd have to bury me ... Perhaps you misdirected that comment? bob's the one advocating threats and seeking revenge, not I.

    2. amanfromMars 1 Silver badge

      Re: ratted out when you report a vulnerability?

      Reporting a vulnerability being exploited can be very costly and perversely self-destructive in and to any easily corrupted self-servering regime ...... https://www.telegraph.co.uk/news/2019/02/02/lawyer-whistleblower-struck-despite-revealing-misconduct/

      And always have a number of alternative unconventional plans at the ready. You know it makes sense.

      1. jake Silver badge

        Re: ratted out when you report a vulnerability?

        She wasn't struck off for the whistle-blowing, she was struck off for being complicit in the dishonest dealings of the firm. The old "I was just following orders" excuse no longer works. If it ever did.

        Please note that this case had absolutely nothing to do with finding and reporting bugs and vulnerabilities in code. It's not like you to (try to) misdirect things quite this badly, amfM. You should be ashamed of yourself.

  9. aberglas

    Pretty soon, you won't be able to turn them off

    Trying to buy a non-IOT light or lock or air conditioner or water tap will be like trying to buy a vacuum tube / valve today. When the IOT controls everything, turning it off will not be an option. Any more than turning off the smarts on your phone is an option today.

    1. jake Silver badge

      Re: Pretty soon, you won't be able to turn them off

      That's not going to happen. Smart people are not buying so-called "smart technology" ... and smart people have most of the disposable income. Therefore, you'll be able to purchase a common or garden padlock, light bulb, AC unit, fridge, water heater, etc. into the foreseeable future.

      Even my telephones are not "smart" phones. They work nicely, thank you.

      1. Richard Jones 1
        WTF?

        Re: Pretty soon, you won't be able to turn them off

        Our several years old washing machine came with some form of remote connection capability, I have now forgotten exactly what capability it had. However, it was seen as totally irrelevant, and as WiFi coverage to its area was poor there was less than no point in trying to make the connection. Kit may come with largely pointless or useless connection capability, but it does usually need some (unwise?) interaction to activate the function.


Biting the hand that feeds IT © 1998–2019