This week, we give thanks to Fortinet for reminding us what awful crypto with hardcoded keys looks like

Here's a summary of recent infosec news beyond what we've already covered – earlier than usual because some of us have Thanksgiving to get through in the US. By the way, watch out for hackers taking advantage of IT teams suffering turkey comas. Fortinet fsck up: Some Fortinet networking equipment was caught sending customers' …

  1. tfewster Silver badge
    Facepalm

    Thanks Splunk. A whole month* to patch something that should have been foreseen a long time ago**. No, wait, make that 2 weeks, since we're into the holiday period. Assuming we can get it approved during the change freeze.

    * OK, it's an easy fix. But see**

    ** It's like these guys never heard of Y2K

    1. Joe W Silver badge

      The coders are probably all too young to remember that...

      1. NoneSuch Silver badge
        Mushroom

        "The coders are probably all too young to remember that..."

        During WW2 Enigma, an eighty-eight bit system of German encryption, was broken with mechanical means.

        Today, eighty years later in the age of supercomputers, 256 bit is the US standard (created by NSA mathematicians) and we're supposed to believe it's completely secure.

        1. Loyal Commenter Silver badge
          Facepalm

          Re: "The coders are probably all too young to remember that..."

          Quite apart from the fact that ciphers are completely different now to those used in the 1940s*, you are aware that all things being equal, 256 bit is not 2.9 times harder to crack than 88 bit (256/88), but is in fact 3.7 x 10^50 times harder (2^(256-88)), since every bit added to a key doubles the number of permutations.

          *One of the main things that made the enigma ciphers crackable was the propensity of certain Nazi commanders to always start and end their messages with the same phrases. Knowing a part of the ciphertext made cracking the encrypted messages (just) possible on a timescale that meant that they were still meaningful.

          1. Loyal Commenter Silver badge
            Boffin

            Re: "The coders are probably all too young to remember that..."

            Also, taking into consideration Moore's Law (yes I know it's a rule of thumb, and probably can't be projected back to the '40s). With a doubling of processor power every 18 months, computers in 2019, would be 2^52 times faster than they were in 1940.

            Using the same encryption techniques, but using 256-bit, rather than 88-bit encryption, the decryption time of, for argument's sake, 12 hours in 1940, using the same hardware would become 5 x 10^47 years (that's 6 x 10^37 times the age of the universe).

            Applying Moore's law, and assuming faster hardware, that still comes out at 1.4 x 10^22 times the age of the universe.

            And algorithms are better now.

            Even if my back-of-an-envelope calculations are out by 30 orders of magnitude you're still talking about hundreds of years.

            1. stiine Silver badge
              Coat

              Re: "The coders are probably all too young to remember that..."

              Well you folks can always have another Hundred Years' War.

    2. pmelon

      I agree. I upgraded a search head to Splunk 8 yesterday, which I assume does nothing to fix this issue (it's early - I'll re-read once I am in work).

      On the plus side - at least they found it rather than all their customers.

  2. john.jones.name

    fortinet did nothing for 6 months !

    take a look at the timeline... they had to hassle them on twitter and even then it took a conf call to convince them they should do something...

    NOT good fortinet... you have lowered your reputation considerably by not responding promptly...

    1. Jamie Jones Silver badge

      Re: fortinet did nothing for 6 months !

      Also, El Reg is being too kind calling it: "The security blunder' -

    2. A Non e-mouse Silver badge

      Re: fortinet did nothing for 6 months !

      I'm not overly convinced by Fortinet's support: We were on a supported version of their product's O/S and they refused to issue an update for a vulnerability. It took months for them to finally release the update.

  3. H.Winter

    "On September 13, they will also fail to deal with timestamps that are based on Unix time."

    How? I really don't understand how they can be having that issue before 2038? Do they use 31-bit numbers instead of 32-bit, or wtf is going on?

    1. Jamie Jones Silver badge
      Thumb Up

      I'm puzzled too. I found this interesting page https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs, but no mention there of the 2020 date..

    2. Dan 55 Silver badge

      Perhaps the January 1st 2020 date is the start of a trend where those half-arsed Y2K fixes which accepted a two-digit year from somewhere and magicked up the century will start to bite.

      E.g. if YY < 20 then use 20YY else use 19YY.

      The September 13 2020 date is puzzling, but it's a nice round 1600000000 as the timestamp value.

      1. Khaptain Silver badge

        If YY < 80 then 20YY

        Else 19YY

        Would be a bit safer

        1. MJB7 Silver badge

          Not if you are storing (for example) "date customer account was set up"

          1. monty75

            Or dates of birth

            1. Loyal Commenter Silver badge

              ...or dates of WW2 sea battles...

          2. Anonymous Coward

            "Not if you are storing (for example) "date customer account was set up""

            Splunk was founded in 2003. Close enough to 2000 to know better, far enough away as to not have a clue?

        2. KSM-AZ

          We converted the stores to 8 digits YYYYMMDD, but two digit year inputs were generally changed to test the interval from the current year's YY value, 70 goes backwards, and 30 goes forward type of thing. I have the code laying around in BBx, and RPG_II, and COBOL somewhere :). Everything I wrote from about 1985 used 4-digit years (8-digit ISO dates).
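An added example (my code, not any commenter's) comparing the fixed-pivot heuristics posted above with a sliding window of the kind KSM-AZ describes; the 70-back/30-forward reading of that description, the 2019 reference year and the sample inputs are my assumptions.

```python
import datetime as dt

def expand_fixed_pivot(yy, pivot):
    """Fixed-pivot expansion as posted above: YY below the pivot becomes 20YY,
    anything else 19YY. pivot=20 is the variant that bites on 1 January 2020;
    pivot=80 only moves the same cliff to 2080."""
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year")
    return 2000 + yy if yy < pivot else 1900 + yy

def expand_sliding_window(yy, current_year=None, years_back=70):
    """Sliding-window expansion in the spirit of KSM-AZ's description (my reading
    of '70 goes backwards, 30 goes forward'): pick the unique year with these last
    two digits inside [current_year - years_back, current_year - years_back + 100).
    The window moves with the calendar, so no single date flips every input at once."""
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year")
    if current_year is None:
        current_year = dt.date.today().year
    lower = current_year - years_back
    # Smallest year >= lower whose last two digits are yy; the window is exactly
    # one century wide, so this is the only candidate inside it.
    return lower + (yy - lower % 100) % 100

# Constructed inputs: the two digits a legacy feed would hand over, the year they
# really mean, and the kind of field the thread mentions.
SAMPLES = [
    ("20", 2020, "date customer account was set up (1 January 2020)"),
    ("65", 1965, "date of birth"),
    ("42", 1942, "WW2 sea battle"),
]

def misread_years(expander):
    """Run every sample through an expander and return the ones it gets wrong
    as (input, year_produced, year_intended); an empty list means all correct."""
    bad = []
    for yy, intended, _field in SAMPLES:
        got = expander(int(yy))
        if got != intended:
            bad.append((yy, got, intended))
    return bad

if __name__ == "__main__":
    # Evaluated against 2019, the year of the thread, so the output is stable.
    for name, fn in [("YY < 20", lambda y: expand_fixed_pivot(y, 20)),
                     ("YY < 80", lambda y: expand_fixed_pivot(y, 80)),
                     ("sliding 70/30 from 2019", lambda y: expand_sliding_window(y, 2019))]:
        print(f"{name:24s} misreads: {misread_years(fn)}")
```

Note that the sliding window still misreads the 1942 battle: a 100-year window has to be chosen per field, and a field that spans more than a century cannot carry two-digit years at all, which is why the four-digit storage KSM-AZ moved to is the real fix.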

      2. mj.jam

        Regex for the win.

        Yes, it is exactly that.

        They use a whole bunch of regular expressions for this. Just look down the linked article for this beauty.

        <text><![CDATA[((?<=^|[\s#,"=\(\[\|\{])(?:1[0123456]|9)\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])]]></text>

        The first '6' is what they have added. Clearly not confident to allow timestamps starting 17 yet...
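To see what that leading-digit allow-list does at the boundaries, here is an added Python example (my code, not Splunk's or the article's) that runs the pre-fix and post-fix versions of the quoted pattern over constructed log lines; the lookbehind is rewritten for Python's re module as explained in the comments, and the "old" pattern assumes the fix consisted only of adding the 6, as the comment above says.

```python
import re

# Splunk's epoch-timestamp recogniser as quoted in the comment above. The
# variable-width lookbehind (?<=^|[...]) is rewritten as (?:^|(?<=[...])) because
# Python's re module only accepts fixed-width lookbehind; the matches are the same.
PREFIX = r'(?:^|(?<=[\s#,"=\(\[\|\{]))'
SUFFIX = r'\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])'

# Before the fix the leading-digit alternation was 1[012345]|9; the fix added the 6.
OLD_EPOCH_RE = re.compile('(' + PREFIX + r'(?:1[012345]|9)' + SUFFIX)
NEW_EPOCH_RE = re.compile('(' + PREFIX + r'(?:1[0123456]|9)' + SUFFIX)

def extract_epoch(line, pattern=NEW_EPOCH_RE):
    """Return the epoch timestamp the pattern picks out of a log line, or None."""
    m = pattern.search(line)
    return m.group(1) if m else None

# Constructed sample lines, one either side of each boundary the regex cares about.
SAMPLE_LINES = [
    "ts=1599999999 msg=last second the 1[012345] range accepts",       # 2020-09-13 12:26:39 UTC
    "ts=1600000000 msg=first second that needs the added 6",          # 2020-09-13 12:26:40 UTC
    "ts=1700000000 msg=next boundary, still rejected after the fix",  # 2023-11-14 22:13:20 UTC
]

def recognised_timestamps(pattern):
    """Map each sample line's ts= field to what the pattern recognises
    (None means the line would not be seen as carrying an epoch timestamp)."""
    return {line.split()[0]: extract_epoch(line, pattern) for line in SAMPLE_LINES}

if __name__ == "__main__":
    for name, pat in [("before fix", OLD_EPOCH_RE), ("after fix", NEW_EPOCH_RE)]:
        print(name, recognised_timestamps(pat))
```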

        1. Dan 55 Silver badge
          Alert

          Re: Regex for the win.

          My god, it's horrible.

        2. Loyal Commenter Silver badge
          Stop

          Re: Regex for the win.

          W.

          T.

          A.

          F?

          There should be a circle of hell reserved for programmers who are guilty of this sort of thing.

    3. Mike 137 Bronze badge

      Do they use 31bit numbers

      Probably using the default signed integers without thinking. This may have been the case on the Dreamliner too, where it could have been fatal. It's a very old and very common mistake.

    4. Saruman the White Bronze badge

      Older Unix (and Linux) systems used a 32-bit signed integer to store system time (expressed as seconds since 01/01/1970 00:00 for those who don't know). Modern Linux systems, and at least some Unix systems, have long ago changed this to a 64-bit signed integer that will overflow at about the same time as the heat-death of the universe.

      1. The First Dave Silver badge

        Well, that's going to be a rather awkward time to be having to fix it.

        1. stiine Silver badge
          Happy

          Yeah, but there won't be anyone around to hassle you to get it done.

  4. Pascal Monett Silver badge
    Thumb Down

    "Departments will have 270 days to get systems in place"

    Why delegate that to individual departments ? Bug reporting could very well be centralized, there's no need to duplicate that a dozen times or more, with a dozen times the bugs and mishaps to go with it.

    The cybersecurity department should handle that, and could oversee that the departments get on with correcting the bugs at the same time.

    Waste of money, time and resources.

  5. iron Silver badge

    > to report holes safely and without fear of being dragged into court. Those submitting vulnerabilities must be able to do so anonymously from anywhere in the world.

    Hahaha. Yeah right. Just make sure you never visit DefCon.

  6. Mike 137 Bronze badge

    Top 10 research

    It seems a pity that Mitre took eight years to get round both to making the CWE research objective and releasing the results (last CWE report 2011). We are thus prevented from identifying any significant trends.

  7. Mike 137 Bronze badge

    NYPD blue over ransomware

    Yet another unsecured flat network (like DigiNotar, Equifax and a gazillion others). Why on earth was a "display" able to initiate communication with a police intelligence data system? Network segmentation seems to be a forgotten art.

    1. Anonymous Coward

      @Mike 137 - Re: NYPD blue over ransomware

      Especially true for programmers who are now driving the IT show.

      1. stiine Silver badge
        Thumb Up

        Re: @Mike 137 - NYPD blue over ransomware

        I'll take "devops" for the win, Alex.

  8. Anonymous Coward

    goog rats out its competition

    so it can trick people into feeling good while they slurp data and manipulate elections to "their" desire. I don't see much difference.


Biting the hand that feeds IT © 1998–2019