Posts by patrickstar

Re: @patrickstar

I was referring to what it takes to write a runtime, not to write code that runs in it.

And first of all, just because you can write fast number crunching (relatively easy to optimize the runtime for) doesn't mean a lot of other stuff isn't painfully slow.

Second, imagine if equal effort went into designing runtimes for more suitable languages. You'd achieve a lot more and at the very least have much fewer bugs (many of them potential security issues).

Third of all, even discounting performance etc. and just looking at pain of development, it's not even a particularly good language for anything more complex (as you seem to partly agree).

Re: Bah!

Actually, to stretch the mechanical key metaphor much too far, there are some interesting vulnerabilities that arise when a mechanical lock is master keyed, i.e. able to be opened by two different keys (sound familiar?). See http://crypto.com/masterkey.html

Re: Should be part of their threat model

It could very well be interesting for third parties to study the sort of malware sent to these organisations. So flat out removing it wouldn't be a good idea.

Re: At least it's an easy fix

There is no benefit from these settings unless you are on a multihomed host - and chances are your home network isn't. *

And they break lots of multihomed setups.

So no, not good to have by default. I think Debian actually used to enable them by default but wisened up. At least I have lots of memories of doing routy stuff with Debian and repeatedly scratching my head as to why it wasn't working until I remembered to disable them.

* Actually, there is one use case on a single homed host: Efficiently blocking traffic from a long list of addresses/networks. Add routes for them via loopback and enable rp_filter. What rp_filter does is look up the sources of all incoming packets in the routing table and dropping the packets if the incoming interface doesn't match the route. And routing table lookups are a lot more efficient than stepping through firewall rules.

Re: Two questions

Kernel/driver coding is HARD, and there is a lot of potential for unforeseen interactions.

MS has actually stopped, beginning with 64 bit Windows, AV vendors (and certain other usual suspects) from poking around in the kernel arbitrarily. See PatchGuard / Kernel Patch Protection.

Instead they have provided documented APIs for things like filtering syscalls.

This however sounds like a driver for the Avast virtualization sandbox thingie. Not very familiar with it, but you can't really stop that without breaking VMware, VirtualBox, et al. as well.

Re: Another extended whine

There's a crucial difference between "ad-financed software" and "adware".

Hell, the latter is (or was, before ransomware etc) frequently distributed via drive-by-downloads as well as being bundled with installers.

Re: "Nipravsky reverse-engineered Microsoft's undocumented portable executable loading process"

The format is documented. There is no reliance on obscurity, and there was no reverse engineering involved in "discovering" this. See http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx and the actual paper instead of the crappy Reg reporting of it.

The paper isn't even an attack on Authenticode per se - it's just a way to store stuff in PE executables without altering their signatures. This does not mean whatever you added actually gets executed. There still has to be code that actually loads and runs it - you could achieve the same thing by just having the PE executable load an external file from disk or over the network. This is what the "reflective PE loading" hype is about - a technique that's well used for ages for both malicious and non-malicious purposes.

At most it's an attack on stupid AVs that blindly assume a signed PE should never be checked for signatures etc. A well-known attack, even. And you still have traceability as to who signed a PE that does crazy stuff like loading code from its signature.

I don't know if storing the code to be loaded in this particular place has been done before, but similar and more advanced certainly has. One example would be bypassing kernel driver signing by loading a driver with a known vulnerability and exploiting it.

Stopping this completely is well recognized as impossible - even if you outright ban introducing new code at runtime (which certain smartphones do if I'm not mistaken), you can still introduce code into an interpreter or virtual machine.

Re: "suddenly become vapor..."

260mg of MDMA HCl is definitely a tad on the high side, but still an order of magnitude or so off the dose where it actually starts killing people on its own. Unless you have some underlying condition, get severely dehydrated, etc, i.e. a linear progression of the usual dangers. There are even quite a few instances of people literally taking grams of the stuff on purpose (attempted suicide or just being idiots) and lived to tell the tale without even ending up in a hospital.

200mg is, by the way, perfectly enjoyable (or so I've heard...).

As a sidenote, Sasha was never actually a big fan of MDMA himself - he didn't get the typical effects but rather some giddy intoxicated state. Referred to it as his "low-calorie martini".

PS. Without knowing this case in particular, I'd suspect poor pill making practices giving a wildly variable dose rather than intentionally ending up with 1/3 the pills they would have with a lower, but still very good, amount.

Or it could even be intentionally putting out identical pills, some containing a high dose of MDMA and some containing a random chemistry accident. Agree on the legalization point regardless.

Re: everyone [..] wants [..] a better chance of it not happening again

For good reasons (Think about it...), pilots often don't prioritize radio communication when desperately trying to save the aircraft in a sudden emergency. Look at the recent Egypt Air crash. Probable on-board fire - no radio comms.

The ACs are not powered by the UPS in a datacenter, only by the generator.

DC UPSes are meant for computer/network gear only and will become very unhappy if you try to power ACs from them - chances are the ACs would get pissed off as well. No need to try in the first place since you can do perfectly fine without cooling during the few minutes it takes for the generators to start.

Re: Credit card fraud tentacles ..

Most stolen card info comes from either skimming, compromised merchants or card processors.

MSE, or whatever it's called today...?

Re: After a few seconds of thinking:

Noone has ever succeeded in eliminating exploitable bugs in complex software written in memory-unsafe languages, using valgrind or anything else.

In fact, one of the Firefox JS developers is also one of the guys behind Valgrind. Still, a steady stream of exploitable vulnerabilities are discovered (nowadays frequently as they are being exploited in the wild) in Firefox.

The proper, and well-established, way to fix this is to use Proxy ARP and either port protection or one VLAN per customer. Then all traffic will pass through the network gateway even though the IP addresses are in the same subnet.

Re: Would also bork legitimate code

This comes with a very big performance penalty on modern x86 CPUs, so noone should be doing it in new code anyways. The CPU actually keeps a stack of return addresses around so it can predict where the RET goes. Anything except CALL/RET that fiddles with return addresses will cause it to become unbalanced with a pretty hefty performance penalty.

Re: 4096-bits in audio bandwidth

The actual entropy of a 4096 bit RSA key is a lot less than 4096 bit... that's why they are so big to begin with.

As for balanced branches, you're much better off not having key dependent branches in the first place. Very doable atleast for ECC crypto.

Re: Net history

You could easily imagine a network where things like authentication and confidentiality are built right into the network itself.

At least this could be applied to the distribution of routing information to prevent things like, say, all traffic to Youtube suddenly going to Pakistan, or any more recent BGP hijacking incident.

Re: VMWare flash future

VMware already has its own OS. It's called VMkernel, and it's what ESXi runs on. Hell, it's even binary compatible with Linux (and judging from current GPL lawsuit includes a chunk of code from it as well). And ESXi can supposedly virtualize itself, so nothing except the minor issues of usefulness and sanity stops you from running your services in a VMware OS inside a VMware VM inside a ...

("Bare metal hypervisor" is, by the way, a stupid marketing term that doesn't make sense on anything remotely resembling this kind of virtualization. No matter what you do, you are still gonna need memory management, scheduler, drivers, etc. - the makings of an OS. And in VMware's case you literally have a general-purpose OS with a standard kernel architecture etc. - just one that's optimized for running specific applications)

Back in the XP days (before Patchguard), Symantec/Norton antivirus hooked some of the same shadow SSDT entries (syscalls) as you'd expect a keylogger to do. I actually showed the hooks to a guy at MS security and he was totally convinced the computer had a keylogger...

Really makes you wonder.

Re: IoT developers and security

While I've seen my share of atrocious XP Embedded systems and the like, some really bad cases don't even run much if anything of an operating system (often just some libs supplied by the uC/SoC manufacturer) and/or doesn't have a MMU (good luck running Windows - or remotely normal Linux - on that).

Re: Why has Flash been so bad?

I'm sure that if Photoshop automatically loaded media off web sites and was deployed on a large chunk of Internet connected PCs, we would be having this discussion about it instead...

Flash at its heyday was, and to some extent still is, a really good tool/environment from the content author/software developer viewpoint. Covers everything from simple interactive 2D vector stuff to high-performance bitmapped 2D graphics as well as 3D (with or without acceleration) and everything in between. Either as part of a web site interacting with the rest of it, loaded from a web site, or a standalone application. And works really well while doing so, provided that the developer actually knows what he/she is doing (admittedly, your average Flash developer should be dragged out and shot, but that applies even more so to web developers in general). With a nice API and a rich ecosystem including very good third-party toolchains and libraries. Etc.

Too much focus on making it nice, pretty and nifty and too little focus on security.

Not to mention Intel's implementation isn't even particularly good. It's mostly microcoded, so a simple VM exit takes literally hundreds of clock cycles before the VMM even gains control. Compare that with SPARC (sun4v) - one (1) cycle.

Re: Ad Blocker

The advertisers brought this whole ad-blocking thing on themselves. If they had stuck to, say, banner and text ads, instead of todays resource-eating ever-tracking annoying (now even frequently with sound!) javascript-dependent disasters, noone would be annoyed or get infected by them.

Re: Random jottings...

Did you have absurd humidity or something? Computer gear is normally rated down to -20C or -40C when not in operation.

The air hole (pressure equalization?) in HDs is covered by a micron filter, by the way.

Re: It will have the same limitations

Troll, but I'll bite in case just in case someone believes him!

Perfmon. I have a graph right here showing interface stats for a web server. Plus graphs for various aspects of CPU and memory usage including context switches and # of threads. Plus CLR JIT stats. And some other stuff too.