Category Archives: code

The PWNIE Awards

The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year’s ceremony in Las Vegas.

That’s not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures.

The Pwnies give spray-painted pony statues to those who have either pulled off a great hack or failed epically. This year it was nation states that got a significant proportion of the prizes. The gongs are divided into categories, and nominations in each section are voted on by the hacker community. The ponies are then dished out every year at the Black Hat USA security conference in Sin City.

The award for best server-side bug went to the NSA’s Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers. The tools attack three stunning vulnerabilities (CVE-2017-0143, 0144, 0145), and were later used by malware including WannaCrypt to wreck systems across the globe, forcing Microsoft to issue patches for out-of-date operating systems to fight the outbreak.

While Uncle Sam’s snoops didn’t pick up their award, neither did other governments. The epic 0wnage award was split between North Korea and Russia for launching the WannaCry ransomware contagion and masterminding the Shadow Brokers, respectively.

Meanwhile, Australian prime minister Malcolm Turnbull earned an award for the most epic fail for insisting the laws of Australia trump the laws of mathematics. The Aussie leader was told it’s not possible to backdoor encryption for counterterrorism snoops without ruining the crypto for everyone else, and was having none of it.

…All of this year’s nominations are here, and the results will be published on the awards website a little later.

This Soil Breeds Monsters

You can no longer expect forty years of drudgery and then a spluttering death from good old-fashioned blue-collar pneumoconiosis. You can’t make it through life hating your boss instead of yourself, not when new forms of labour discipline demand that you be your own boss. Your flesh is already obsolete. But there’s an answer: to survive in the coming era of automation, you have to bring it in faster; announce its apocalypse, learn to code, add yourself to the army of programmers building an appier tomorrow…

Desperation is everywhere; exhibitors make lunging grabs for any passers-by wearing an “INVESTOR” lanyard, proffer stickers and goodies, scream for attention on their convention-standard signs. These do not, to put it kindly, make a lot of sense. “Giving you all the tools you need to activate and manage your influencer marketing relationships,” promises one. “Leverage what is known to find, manage, and understand your data,” entices another. The gleaming technological future looks a lot like a new golden age of hucksterism. It’s networking; the sordid, stupid business of business; pressing palms with arrogant pricks, genuflecting to idiots, entirely unchanged by the fact that this time it’s about apps and code rather than dog food or dishwashers.

None of these start-ups are doing anything new or interesting. Which shouldn’t be surprising: how often does anyone have a really good idea? What you actually get is just code, sloshing around, congealing into apps and firms that exist simply to exist. Uber for dogs, GrubHub for clothes, Patreon for sex, Slack for death, PayPal for God, WhatsApp for the spaceless non-void into which a blind universe expands…

Capitalism doesn’t know what to do with its surpluses any more; it ruthlessly drains them from the immiserated low-tech manufacturing bases of the Global South, snatches them away from a first-world population tapping at computer code on the edge of redundancy, but then has nowhere better to put them than in some executive’s gold-plated toilet. This soil breeds monsters; new, parasitic products scurry like the first worms over the world-order’s dying body.

The War on Drugs

StackOverflow Cthulhu

You can’t parse [X]HTML with regex. Because HTML can’t be parsed by regex. Regex is not a tool that can be used to correctly parse HTML. As I have answered in HTML-and-regex questions here so many times before, the use of regex will not allow you to consume HTML. Regular expressions are a tool that is insufficiently sophisticated to understand the constructs employed by HTML. HTML is not a regular language and hence cannot be parsed by regular expressions. Regex queries are not equipped to break down HTML into its meaningful parts. so many times but it is not getting to me. Even enhanced irregular regular expressions as used by Perl are not up to the task of parsing HTML. You will never make me crack. HTML is a language of sufficient complexity that it cannot be parsed by regular expressions. Even Jon Skeet cannot parse HTML using regular expressions. Every time you attempt to parse HTML with regular expressions, the unholy child weeps the blood of virgins, and Russian hackers pwn your webapp. Parsing HTML with regex summons tainted souls into the realm of the living. HTML and regex go together like love, marriage, and ritual infanticide. The center cannot hold it is too late. The force of regex and HTML together in the same conceptual space will destroy your mind like so much watery putty. If you parse HTML with regex you are giving in to Them and their blasphemous ways which doom us all to inhuman toil for the One whose Name cannot be expressed…

Hello! I’m Barbie – Hack Me!

Bluebox Labs released a report detailing how easy it is to get into Barbie’s bits:

We discovered several issues with the Hello Barbie app including:

  • It utilizes an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
  • It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

And they didn’t even have to buy her a wee drink…

Believe

From: John Gilmore <gnu@toad.com>
Date: Saturday, September 20, 2014
Subject: Re: [Cryptography] new wiretap resistance in iOS 8?
To: cryptography@metzdowd.com

And why do we believe them?

  • Because we can read the source code and the protocol descriptions ourselves, and determine just how secure they are?
  • Because they’re a big company and big companies never lie?
  • Because they’ve implemented it in proprietary binary software, and proprietary crypto is always stronger than the company claims it to be?
  • Because they can’t covertly send your device updated software that would change all these promises, for a targeted individual, or on a mass basis?
  • Because you will never agree to upgrade the software on your device, ever, no matter how often they send you updates?
  • Because this first release of their encryption software has no security bugs, so you will never need to upgrade it to retain your privacy?
  • Because if a future update INSERTS privacy or security bugs, we will surely be able to distinguish these updates from future updates that FIX privacy or security bugs?
  • Because if they change their mind and decide to lessen our privacy for their convenience, or by secret government edict, they will be sure to let us know?
  • Because they have worked hard for years to prevent you from upgrading the software that runs on their devices so that YOU can choose it and control it instead of them?
  • Because the US export control bureaucracy would never try to stop Apple from selling secure mass market proprietary encryption products across the border?
  • Because the countries that wouldn’t let Blackberry sell phones that communicate securely with your own corporate servers, will of course let Apple sell whatever high security non-tappable devices it wants to?
  • Because we’re apple fanboys and the company can do no wrong?
  • Because they want to help the terrorists win?
  • Because NSA made them mad once, therefore they are on the side of the public against NSA?
  • Because it’s always better to wiretap people after you convince them that they are perfectly secure, so they’ll spill all their best secrets?

There must be some other reason, I’m just having trouble thinking of it.
John

1

(via)

  1. John forgot to mention the warrant canary incident. That’s a big one for us.

Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users…

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

WNBTv - Good TV!

Now it can be told! The origins of the BSOD!

It’s the late ‘90s and something’s wrong. You can’t put your finger on it, but you know, deep down, it’s just not working anymore. Instant Messenger isn’t loading or Napster just crashed. Your computer hangs there, motionless. There might be a guttural ‘thunk’ from your hard drive or, even more terrifying, nothing at all. Then, with no sense of decorum, it arrives: the single horseman of the PC apocalypse, the Blue Screen of Death. Press CTRL+ALT+DEL again to restart your computer. You will lose any unsaved information in all applications. Press any key to continue.

The Blue Screen of Death first appeared in the very early 1990s as a feature of the Windows 3.0 operating system. This error message, which locks users out of the system, is typically summoned by driver glitches or when the software and hardware have trouble communicating. It’s your PC’s way of saying, “Look, I know you can’t see it, but I’m really having a bad time here”—just before a shutdown. If you’ve ever met Blue, you probably hate it. You lost that big paper in college, your music collection went out the window, or maybe something even worse. You sat there, by the dim light of your rebooting system, cursing your luck and the color blue all in one breath. 1

(via)

  1. I do not care how swell the writing in The Atlantic is, I don’t feel sorry for either Microsoft or the Blue Screen of Death. Fuck ’em, fuck ’em both, that’s what I say.

PirateBrowser

The Pirate Bay is taking a stand against the increased censorship efforts it faces in several European countries. On its 10th anniversary the infamous BitTorrent site is releasing its “Pirate Browser,” a fully functional web browser that allows people to access The Pirate Bay and other blocked sites just fine. The current release is Windows only but TorrentFreak is informed that Mac and Linux versions will follow soon.

The Pirate Bay is arguably the most censored website on the Internet.

Courts in the UK, the Netherlands, Italy and elsewhere have ordered Internet providers to block subscriber access to the torrent site, and more are expected to follow.

Up until now The Pirate Bay has encouraged users affected by the blackout to use proxy sites. However, on its 10th anniversary they are now releasing a special “PirateBrowser” which effectively bypasses any ISP blockade.

Girls – Learn To Code!

Back when dirt was fresh I learned the rudiments of cryptography via the good graces of Uncle Sam’s Studies and Observation Group. As one might expect (given the times) there was not a single female attendee.

After I had DEROS’d and been ‘acclimated’ back to The World, I parlayed that minuscule knowledge into an entry-level coding slot with IBM 1, which eventually led to more entertaining work writing video arcade games, and then computer animation for both film and the small screen.

All this took us into the mid 80s — a foreign land of disco, platform shoes and more cocaine than we’re ever likely to see again — and still there were no women in IT. At least, I had yet to see a single one outside of places like JPL or UCSD: serious scientists or mathematicians had an easier time of it, but for the most part the up and coming World Wide Web was primarily a boy’s sandbox.

And that’s pretty much still true today.

From the excellent Women in Science tumblr come the below self-study links (which we updated) for girls/women who might want to pursue said education, but sans the testosterone:

Code Academy: Online tutorials that are definitely worth checking out alongside Coursera 2, Udacity, and Edx.

Girl Develop It: A growing program in several cities that focuses on women!

Flatiron School, Dev Bootcamp, General Assembly: Boot camp style designed to take you from zero to web dev in no time.

Hacker School: Expects you to have some programming experience, but not necessarily all that much. They strive for each batch to be 50% female and to have an encouraging atmosphere.

Local Python and Ruby meetups often have workshops for beginners, so those are worth checking out, too. Hopefully you have as much fun learning to code as I did!

There are some great resources listed here. And we’ll add M.I.T.’s Scratch, which allows even 6 and 7 year olds to work with the basics of animation. 3

  1. This was, sadly, back in the day when everyone at that org wore a suit and tie, even the most junior of us. I have of course tracked down and eliminated all photographic evidence of those times: the suits were hideous.
  2. Which we have mentioned in the past and still highly recommend.
  3. Both the Astas have mastered Scratch and have moved on to both PowToon and Muvizu. We’ve even been talking to the Astas’ Girl Scout troop about creating a meaningful merit badge course for this stuff. So far no one’s laughed off the idea.