* Posts by A random security guy

52 posts • joined 20 Apr 2019


D-Link, Comba network gear leave passwords open for potentially whole world to see

A random security guy

DLink agreed to make security enhancements with the FTC


All our agreements, enforcements, and settlements are a joke.

The very fact that they were unreachable for security issues means that they have already flouted the FTC agreement:

Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras.

GitHub upgrades two-factor authentication with WebAuthn support

A random security guy

Re: More or less secure

Hopefully there is a pin to protect the hardware and the hardware is built to protect keys and passwords and to destroy them after X number of tries.

Apple blinks on iPhone repairs, touts parts program for independent tech mechanics... sort of

A random security guy

Fixing phones

My observations

Some fixes are easy, some aren’t. For example,

Battery replacement: Easy

Changing lightning connector assembly: very difficult

Finding new original parts: extremely difficult

I had to settle for a used/refurbished lightning assembly.

Glad Apple is being forced to supply these parts.

It makes sense for Apple to require an Apple certified technician as these repairs are hard.

I have repaired countless phones for me and my friends and have always had problems finding parts.

I wonder if I’ll be able to buy these parts. Next step: upgrade the flash.

Google security crew sheds light on long-running super-stealthy iOS spyware operation

A random security guy

Re: So, can we know...

Website: It is far more effective to hack websites that are poorly administered rather than websites you control to prevent a direct trail to you. Hackers employ indirection to prevent casual administrators from determining who is running the CnC operations. A skilled forensics person will be able to do a better job. But that takes money. Better is to rebuild the website.

A random security guy

Entire populations: State sponsored?

Targeting ethnic groups? Implies state sponsored.

Targeting people BORN in certain geographical regions? => state sponsored.

Longevity of operation is years? State sponsored?

Only monitoring for years? State Sponsored?

Exploits worth more than $20M? State sponsored?

These exploits would have been worth a lot of money.

For Foxit's sake: PDF editor biz breached, users' passwords among stolen data

A random security guy

At least 6 and at most 20 characters long

In this day and age of unstructured data, 20 characters seems like a stupid upper limit. All they have to do is google minimum password strength and out pops 8 characters. For 20 characters to be truly effective, they need to be chosen randomly. A highly unlikely scenario.

Are US border cops secretly secreting GPS trackers on vehicles without a warrant? EFF lawyers want to know

A random security guy

Maybe I could start a screening service?

Would it be legal to start a screening service that tells customers if their vehicles are being tracked or not?

Microsoft: Reckon our code is crap? Prove it and $30k could be yours

A random security guy

Not very profitable.

First you have to find the issues. Then you have to write the proof-of-concept that shows how you can do remote code execution. Then you have to convince MSFT that it is a real bug. Moreover, if it requires chained exploits you have to give up the other exploits.

Thanks MSFT. Will look at your stuff maybe later. When I can convince my engineers to actually use Windows.

Chrome add-on warns netizens when they use a leaked password. Sometimes, they even bother to change it

A random security guy

It is just password; wait for biometrics related credentials stuffing

When you have to chop off your fingers or get rid of eyes ...


Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

A random security guy

Storing fingerprints in clear-text?

Whoever thought of storing biometrics in clear was smoking something. You have to process them and store only the processed information, not the whole image. Theft of fingerprints mean that anyone can masquerade as you; they can murder someone and leave fingerprints that look like yours.

You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

A random security guy

Physical security

There is a reason why all governments use special couriers to send specially secured documents. One time pads are still being used.

A random security guy

Re: Trust

Have they done anything in the last 1 year?

It's 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air

A random security guy

Secure code enforcement issues

Remember: if we don't fix these issues the government will step in. In this case I think this may not be a bad thing.

What I have seen while working with large organizations, especially SoC vendors:

1. Code is considered a money pit.

2. Getting the code out in time is more important than quality.

3. Huge sections of code are zealously guarded. Try getting access to BRC WiFi code for their WiFi chips.

4. A flawed view of Performance trumps integer overflow/underflow, null pointer checks, buffer size checks, return value checks. A good CPU can perform these checks with no measurable impact on performance but ...

5. Static code analysis is generally turned off, especially for kernel and driver level code because software engineers get too many warnings (go figure). In one cellular modem company they turned off Klockwork static code analysis as it was giving too many warnings. In another they would not use it as people were UPSET that their code was being flagged. So it was turned off.

What Google can do is easier said than done:

1. Require all drivers go to through third-party code inspection (Samsung and others may not trust Google).

2. Require all driver vendors to submit static code analysis and other code inspection summaries

3. Provide a timeline for delivering fixes to Google.

4. Go public with the issues if the code is not fixed according to schedule.

5. The cell-phone manufacturers deliver a plan to deliver the fixes on time

6. Stick to the plan.

Then do the same for other critical code.

Problems? Asking Samsung, Qualcomm, and others to do anything is difficult (as in the Japanese way of saying something is difficult). Samsung, after all is the biggest company in S. Korea.

It's a bird! It's a plane! No, it's two-dozen government surveillance balloons over America

A random security guy

Re: Hmm! Balloons at 65.000 ft?

Your options are limited: AA gun (120mm M1) and limited to the US government, SAM (limited access), and homing balloons.

Shotgun? In the good old South they would take pot-shots at the blink lights on smart meters because people thought they were aliens.

A random security guy

Re: Sierra Nevada Corporation

Why go after terrorists in Afghanistan if you can go after the ones in the US. Unfortunately, they are not. They are going after all of us.

A random security guy

It is for own safety and we should have nothing to hide </sarcasm>

I hate to say this but the Military Industrial Complex has actually some validity versus my field of computing where we have sold our soul to the government, FB, Google, Amazon, etc. for no benefit in the long run.

Another rewrite for 737 Max software as cosmic bit-flipping tests glitch out systems – report

A random security guy

This is strange an frightening.

Worked on critical infrastructure and fully redundant systems for years. The issue is that memory failure, cpu failures, io failures, storage failures, etc. are common.

These idiots didn’t have all this worked out and just slapped two systems to go into master/slave mode.

There will be more issues going forward. Doesn’t make me feel confident about their ability to design redundancy into their computing systems.

$9 engineers can’t do it.

Backdoors won't weaken your encryption, wails FBI boss. And he's right. They won't – they'll fscking torpedo it

A random security guy

Stalin would be so proud of him

What could go wrong. Cops show up and demand access. If you are honest you should have nothing to hide. </sarcasm>

Microsoft demos end-to-end voting verification system ElectionGuard, code will be on GitHub

A random security guy

All the source code open sourced?

Just wondering if ALL the source including the OS, drivers, communication protocols, etc. will be open sourced or just the voting application. This is not a trivial project. If MSFT decides to open source everything, good. Else democracy will be held hostage to a trillion dollar company.

Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

A random security guy

What part of UPnP did you not get? </Sarcasm>

The UNIVERSAL means everyone can plug it in any ANYONE can play with it. Woe be to anyone who prevents hackers from accessing it.

More seriously, I was at Sun during the Java wars and attended a UPnP conference in Redmond. Strangely enough, one of their main architects happened to sit next to me during lunch. So I point blank asked him if UPnP had any security. And he answered honestly that they had none and they were probably never going to even though it was a bad idea. That time MSFT was gong-ho about functionality and security be damned. It has changed since then but the detritus is still floating around.

D-Link must suffer indignity of security audits to settle with the Federal Trade Commission

A random security guy

D-Link should have been banned from doing business

A company that claims its routers are secure and does not take any of the generally accepted practices for ensuring security should be banned from doing business.

D-Link got off rather lightly. Maybe we have to depend on our estranged neighbors from across the pond to stuff GDPR down their throats. Our tools and our organizations are too weak.

Must watch: GE's smart light bulb reset process is a masterpiece... of modern techno-insanity

A random security guy

Re: It might make sense though..

I wish I could hack the switch.

Hacking these medical pumps is as easy as copying a booby-trapped file over the network

A random security guy

Most murders are committed by people who know the victim.

Hacking a pump would be the perfect crime.

Mad at your wife/husband? Mad at your boss? Got fired?

Ransomware to get some extra cash?

Are they on pacemakers?

Can you attack an entire population?

Questions that every security guy has to worry about.

A random security guy

Re: Pumps

Windows 2007 is going eol starting 2020. A huge number of systems use windows.

The reasons for using windows? It is called Microsoft business muscle.

A random security guy

Re: Honestly, at least in .us. .

That is way more advanced than the systems I have seen.

A random security guy

Re: isolated networks?

It is very hard to truly isolate systems. Information needs to be transferred between LIS and HIS systems; your lab results from some remote lab, your vitals, your EMR, your nurse’ notes, etc. need to be all looked at by your physician.

The pharmacist downstairs may need to verify the actual drug dosage.

Connected systems improve patient outcomes.

Unless they get hacked.

Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

A random security guy

Re: Normal software standards

At least they could have set it to all zeros or something first. Maybe it was taking too long to fill up the buffer. I guess they could not have initialized the buffer to a random state because the RNG was not yet initialized and producing the proper random numbers.

Facebook's at it again: Internal emails show it knew about Cambridge Analytica abuse 'months' before news broke

A random security guy

Facebook’s New App Will Pay You To Give Up Some Of Your Privacy

They promise not to collect anything personal. But they want to do everything you do on the phone.

Target: India and the US currently.

Prior history: They had an app that slurped user information and were kicked out by Apple.

Have they asked the Indian government person to monitor its citizens? Would like to know what they think. Why didn't they start with the UK or Europe? They have more money. Or would GDPR cause them grief.

Not very bright: Apple geniuses spend two weeks, $10,000 of repairs on a MacBook Pro fault caused by one dumb bug

A random security guy

Cheap as far as bug fixing is concerned

$10K for finding and fixing a bug (or at least finding the root cause) is peanuts. The rule of thumb is around $80K.

You. Quest and LabCorp. Explain these medical database super-hacks, say US senators as 425,000 more people hit

A random security guy

Re: even worse

Wow!!! So they probably have records of people who failed drug or HIV tests.

A random security guy

They. Don't. Care.

Neither the execs nor the major stockholders nor the politicians really care. They look at bottom line numbers. Execs' bottom line is their bonus and options, the stock holders for revenue numbers, and the politicians for the PAC donations.

They give lip-service to security. Even Intel's now Ex-CEO (Brian K) doesn't go to prison. Equifax? The less said the better.

Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit

A random security guy

Re: confused

They could be leaving backdoors or maybe writing water-tight code is a different art form?

A random security guy

Good hackers aren't always good coders ...

The two types are diametrically opposite even though A secure coder has a healthy respect for hackers and vice versa. But in my years, I never found a good white hat hacker to actually produce beautiful and secure code. They are very good at breaking things. I like it that way since they don't have a stake in building something secure, they don't have a bias. Any opinions? Maybe my data set is too small.

You go that way, we'll go Huawei: China Computer Federation kicks back at IEEE in tit-for-tat spat

A random security guy

Re: Huawei phones

Tracking all the activities of 320M people at a microscopic level (apps, cameras, videos, motion, location, messages,, emails) would endanger the US. 320M is not a large number from a computational perspective. And remember, all the information is available to the Chinese govt. As Cambridge Analytica clearly showed, just Facebook profiles are sufficient to manipulate large populations. I can bet the Chinese govt. would spend a 100B to be able to manipulate the US. Which is why Huawei can undercut all the competition.

The Chinese have obliterated Tiananmen from the working memories of their people. They have been ruthless about brainwashing their Uighiar populations. They will have fun manipulating our MAGA supporters.

We ain't afraid of no 'ghost user': Infosec world tells GCHQ to GTFO over privacy-busting proposals

A random security guy

Re: "...for example to stop terrorists..."

Add the fact that this whole Brexit effort was engineered by Cambridge Analytica, Brexit fans are definitely on the gullible side. And they, like trump supporters, fell for similar messages.

Mozilla returns crypto-signed website packaging spec to sender – yes, it's Google

A random security guy

Re: Can we get Web caching back, please?

I think I understand where you are coming from. HTTPS can do encryption and/or authentication of the traffic, not of a web page per se. HTTPS does guarantee the source and freshness of the page. HTTP can easily be hijacked with an MITM attack and older or wrong pages inserted in the stream.

That squid you so love: perfect MITM tool. And you do know how many of our routers are entirely hackable. So your DNS query can return an IP address for a server in some other country.

Even if a page is signed, it may be older than the latest version. What will end up happening is that you will have to reinvent something similar to HTTPS to make sure the pages arrive in order from the right server.

A random security guy

Re: Hmmm man in the middle?

Worse: if I know that an older page had a vulnerability but the new one didn't I'd ship you the old one. Since you are trying very hard not to hit the original server, You will get exploited.

Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works

A random security guy

Re: Mystified; how will they force it?

That is how it is in a few countries. They beat the crap out of you, state that you are disturbing the communal harmony, are an agent of the Westphalia (or Eastphalia) etc.

And if you had any "non-Native" blood (Native being the dominant race) you got sent to a concentration camp directly. Your family and friends disowned you.

I am glad Germany wants to join them. What could go wrong (Sarcasm).

A random security guy

Re: Industrial espionage

German cars are also porous to hackers. You should check out the VW cars which had wide open security holes. VW will not tell you if your car has security issues. And they will not update the systems over the air. And probably even if you ask for the updates.

A random security guy

Re: More madness

The weird thing is that it will make people use 'secure' chat apps that are really spyware. Much worse for us a a society.

A random security guy

Mystified; how will they force it?

They are trying to break up the romance between Alice and Bob by introducing Eve.

As anything can be solved using another set of indirections, can't we, for example, just have a secure chat on top of Germany's neutered chat? Should be a few lines of perl code if that much.

I don't think they can legislate end to end encryption away. There is nothing that prevents two or more people from exchanging public keys and using PFS.

It's all in the RISC: Arm legs it to Computex with a head full of Cortex-A77 CPU, Mali-G77 GPUs

A random security guy

Re: Optional

True RISC died a long time ago. And some of the basic tenets like speculative instruction execution, score-boarding, instruction retries, bulk instruction/data fetches have led to security issues.

RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub

A random security guy

Re: Does it have to be completely disabled?

Curious: it says that all ring protections can be bypassed. Does it mean that a user thread can reach into system address space and pull out any secrets?

Giga-hurts radio: Terrorists build Wi-Fi bombs to dodge cops' cellphone jammers

A random security guy

Re: WiFi Routers can be anywhere; cell towers are generally in fixed locations

Non-nuclear electromagnetic pulse (NNEMP)

A random security guy

WiFi Routers can be anywhere; cell towers are generally in fixed locations

General wide area jamming: difficult. Jamming in specific locations: easier. . There is nothing that prevents hackers from selling access to wifi routers. Most have default passwords, can be taken over from the wan side due to bad configuration or just vulnerable software. How on earth are you going to jam all wifi routers? The jamming signal has to be extremely strong and omnidirectional to cover large areas.

It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw

A random security guy

There are many vulnerabilities that allow privileged access to Cisco routers

Getting admin access: We see these vulnerabilities not just in Cisco but in other equipment too. So that is not a challenge.

Essentially Cisco did the "CHEAP" and easy thing: store supposedly "trusted code" on SPI flash. That is a no-no from so many different perspectives that I can't believe that it wasn't flagged. Probably overridden by management because they believed "no one will be able to do it as it is so hard".

This sort of mistake is so easy to overcome; I bet the basic patents have all expired if they want to save money. You can get a $1 ARM MCU that has TrustZone or an $1.50 ECC 608.

Hi! It looks like you're working on a marketing strategy for a product nowhere near release! Would you like help?

A random security guy

He got rid of the crap by flushing it. What was left was the essence of the problem ...

Another remote-code execution hole in top database engine SQLite: How it works, and why not to totally freak out

A random security guy

Well, most smart-phones and man embedded systems use SQLite.

SQLite is everywhere; in iPhones, Android, IoT systems, servers, etc.


Chinese dev jailed and fined for posting DJI's private keys on Github

A random security guy

Interesting that most companies don't use some simple form of HSM to protect their private keys.


Biting the hand that feeds IT © 1998–2019