Tag Archives: code

The PWNIE Awards

The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year’s ceremony in Las Vegas.

That’s not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures.

The Pwnies give spray-painted pony statues to those who have either pulled off a great hack or failed epically. This year it was nation states that got a significant proportion of the prizes. The gongs are divided into categories, and nominations in each section are voted on by the hacker community. The ponies are then dished out every year at the Black Hat USA security conference in Sin City.

The award for best server-side bug went to the NSA’s Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers. The tools attack three stunning vulnerabilities (CVE-2017-0143, 0144, 0145), and were later used by malware including WannaCrypt to wreck systems across the globe, forcing Microsoft to issue patches for out-of-date operating systems to fight the outbreak

While Uncle Sam’s snoops didn’t pick up their award, neither did other governments. The epic 0wnage award was split between North Korea and Russia for launching the WannaCry ransomware contagion and masterminding the Shadow Brokers, respectively.

Meanwhile, Australian prime minister Malcom Turnbull earned an award for the most epic fail for insisting the laws of Australia trump the laws of mathematics. The Aussie leader was told it’s not possible to backdoor encryption for counterterrorism snoops without ruining the crypto for everyone else, and was having none of it.

…All of this year’s nominations are here, and the results will be published on the awards website a little later.

The PWNIE Awards

This Soil Breeds Monsters

You can no longer expect forty years of drudgery and then a spluttering death from good old-fashioned blue-collar pneumoconiosis. You can’t make it through life hating your boss instead of yourself, not when new forms of labour discipline demand that you be your own boss. Your flesh is already obsolete. But there’s an answer: to survive in the coming era of automation, you have to bring it in faster; announce its apocalypse, learn to code, add yourself to the army of programmers building an appier tomorrow…

Desperation is everywhere; exhibitors make lunging grabs for any passers-by wearing an “INVESTOR” lanyard, proffer stickers and goodies, scream for attention on their convention-standard signs. These do not, to put it kindly, make a lot of sense. “Giving you all the tools you need to activate and manage your influencer marketing relationships,” promises one. “Leverage what is known to find, manage, and understand your data,” entices another. The gleaming technological future looks a lot like a new golden age of hucksterism. It’s networking; the sordid, stupid business of business; pressing palms with arrogant pricks, genuflecting to idiots, entirely unchanged by the fact that this time it’s about apps and code rather than dog food or dishwashers.

None of these start-ups are doing anything new or interesting. Which shouldn’t be surprising: how often does anyone have a really good idea? What you actually get is just code, sloshing around, congealing into apps and firms that exist simply to exist. Uber for dogs, GrubHub for clothes, Patreon for sex, Slack for death, PayPal for God, WhatsApp for the spaceless non-void into which a blind universe expands…

Capitalism doesn’t know what to do with its surpluses any more; it ruthlessly drains them from the immiserated low-tech manufacturing bases of the Global South, snatches them away from a first-world population tapping at computer code on the edge of redundancy, but then has nowhere better to put them than in some executive’s gold-plated toilet. This soil breeds monsters; new, parasitic products scurry like the first worms over the world-order’s dying body.

The War on Drugs

StackOverflow Cthulu

StackOverflow Cthulu

You can’t parse [X]HTML with regex. Because HTML can’t be parsed by regex. Regex is not a tool that can be used to correctly parse HTML. As I have answered in HTML-and-regex questions here so many times before, the use of regex will not allow you to consume HTML. Regular expressions are a tool that is insufficiently sophisticated to understand the constructs employed by HTML. HTML is not a regular language and hence cannot be parsed by regular expressions. Regex queries are not equipped to break down HTML into its meaningful parts. so many times but it is not getting to me. Even enhanced irregular regular expressions as used by Perl are not up to the task of parsing HTML. You will never make me crack. HTML is a language of sufficient complexity that it cannot be parsed by regular expressions. Even Jon Skeet cannot parse HTML using regular expressions. Every time you attempt to parse HTML with regular expressions, the unholy child weeps the blood of virgins, and Russian hackers pwn your webapp. Parsing HTML with regex summons tainted souls into the realm of the living. HTML and regex go together like love, marriage, and ritual infanticide. The center cannot hold it is too late. The force of regex and HTML together in the same conceptual space will destroy your mind like so much watery putty. If you parse HTML with regex you are giving in to Them and their blasphemous ways which doom us all to inhuman toil for the One whose Name cannot be expressed…

StackOverflow Cthulu

Hello! I’m Barbie – Hack Me!

Hello! I'm Barbie!Bluebox Labs released a report detailing how easy it is to get into Barbie’s bits:

We discovered several issues with the Hello Barbie app including:

•It utilizes an authentication credential that can be re-used by attackers
•It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
•It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

•Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
•The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

And they didn’t even have to buy her a wee drink…
Hello! I'm Barbie - Hack Me!