Shell Shock Exploit

Can you guess what I was doing last night? If you guessed upgrading my servers you’re correct. The hits just keep on coming this year. Earlier there was a nasty exploit in the OpenSSL library, which a huge amount of software relies on, that allowed attackers to read arbitrary chunks of memory from a targeted server. Now a vulnerability in the Bourne Again Shell (Bash) has tossed a monkey wrench into the works as it allows the remote execution of commands:

Let me start with the CVE from NIST vulnerability database because it gives a good sense of the severity (highlight mine):

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

They go on to rate it a “10 out of 10” for severity or in other words, as bad as it gets. This is compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts. The summary above is a little convoluted though so let’s boil it down to the mechanics of the bug.

In the industry that is what we call bad news. So who’s vulnerable? Anybody using a system with a vulnerable version of Bash installed. Since Bash is an extremely popular shell amongst UNIX systems, including being the default shell in many Linux distributions and Apple OS X, there’s a lot of exploitable systems out there. But Microsoft users get to sit this one out.

If you run Linux, update Bash immediately. Apple hasn’t released a fix for this exploit yet but if you have Xcode installed you can compile a patched version of Bash or you can use Homebrew or Macports to install a newer version of Bash. And if you run a UNIX server and haven’t upgraded your system yet you better get your ass in gear.
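An added example, not part of the original post: a Python triage script that scans Apache combined-format access logs for Referer or User-Agent values that begin with the function-definition prefix `() {` the CVE text describes, and reports any text trailing the function body. The log lines, addresses, and function names are constructed for illustration.

```python
import re

# Vulnerable Bash treats an environment value that starts with "() {" as a
# function definition to import, then keeps processing whatever follows it.
# mod_cgi copies request headers into the environment, so the prefix shows up
# in logged header fields.
FUNC_PREFIX = "() {"

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED + r'$'
)

# Constructed sample lines (documentation-range addresses, harmless strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:09:14:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:09:15:40 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; echo CONSTRUCTED-SAMPLE"',
    '203.0.113.5 - - [25/Sep/2014:09:16:11 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "() { ignored; }" "curl/7.38.0"',
]


def trailing_text(value):
    """Return the text after the function body, or None when the value is not
    a function-style definition. Brace counting ignores shell quoting, so
    treat the result as a triage hint rather than a parse."""
    stripped = value.lstrip()
    if not stripped.startswith(FUNC_PREFIX):
        return None
    depth = 0
    for i, ch in enumerate(stripped):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return stripped[i + 1:].strip()
    return ""  # body never closed: still suspicious, nothing trailing


def scan_log(lines):
    """Flag log entries whose Referer or User-Agent looks like a function
    definition. Only headers that the log format records can be checked."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        ip, _ts, _request, _status, referer, agent = m.groups()
        for field, value in (("referer", referer), ("user-agent", agent)):
            trailing = trailing_text(value)
            if trailing is not None:
                findings.append(
                    {"line": lineno, "ip": ip, "field": field, "trailing": trailing}
                )
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with non-empty trailing text is the case the CVE describes; a hit with empty trailing text is still worth a look, since no legitimate browser sends a header that starts with `() {`.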

Another Problem Easily Avoided By Not Wearing Skinny Jeans

Apple made a major design oversight with its latest iPhone. It seems that the phone does not get along with skinny jeans:

It was only a matter of time before the monstrosity known as the iPhone 6 Plus started causing problems. Today, word is getting out that the 5.5-inch phone may be vulnerable to unplanned situational curvature.

In other words, the phones are bending, and they’re not supposed to bend. They bend because people are putting them in their pockets, then sitting down, which is a reasonable thing to do. Call it Apple’s #Bendghazi, if you will. Or #Bendgate

This entire fiasco is pretty funny to me because I wear tactical mall ninja pants. My pockets are literally large enough to stuff .308 magazines into. There’s so much extra room in most of my pockets that I can sit down comfortably with .308 magazines stuffed into them. Nothing presses tightly against my skin and therefore isn’t likely to bend. But the trend today seems to be tighter and tighter pants with vestigial pockets that, like the front limbs on a Tyrannosaurus Rex, are technically there but functionally useless.

OK, I’m half joking there. I’m sure many of the iPhone 6s that have been bent weren’t left half hanging out of a vestigial pocket on a pair of skinny jeans. The real problem here is that people got exactly what they wished for. That is to say people have been demanding thinner phones with larger displays. While this sounds like a great combination you run into the real structural limitations. Namely the materials that make up a phone; glass, plastic, and aluminum; aren’t flexible but if you make them too thin they also aren’t strong enough to resist much force. Combine that with a larger surface area to exert force against and you have the recipe for a pretty flimsy piece of shit.

Be careful what you wish for because you may just get it.

If You Hire Specialists You Should Probably Listen to Them

Since the breach at Target several other high profile cases of customer credit card data being stolen have arisen. Home Depot is one of the stores whose credit card data was obtained by unknown third parties. What’s interesting about the Home Depot case is that it’s beginning to appear as though the company’s internal security team issued a warning about the problem several years ago:

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company’s cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

A heads up from an anonymous former employee isn’t solid evidence but it wouldn’t surprise me if this is true. Companies have a history of putting aside time and money to hire security specialists only to ignore their advice. This is something that I never understood. Why would any company invest resources to hire specialists only to ignore their advice? When you hire security specialists you should expect them to deliver bad and costly news, especially between the time you first hire them and have a chance to implement their recommended security practices. Yet so many companies seem dead set on ignoring any bad news delivered by their security specialists. It’s stupid, that’s the only word for it.

Number One Reason to Upgrade to iOS 8

iOS 8 was released yesterday. I have it installed on my iPhone 5 and can say that it’s a decent upgrade (LastPass can now fill in my user names and passwords in Safari, which is the highlight of the upgrade for me). But the best feature of iOS 8 is one that doesn’t seem to be getting a lot of coverage:

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Security changes to iOS 8 seem to have made it technically impossible for Apple to fulfill warrants demanding it extract data from a customer device. I’m glad to see Apple taking security against government agents seriously. It also goes to show just how untrusting companies have become towards the government after Snowden released the National Security Agency’s (NSA) dirty laundry. Before then I doubt Apple would have invested resources in ensuring it couldn’t comply with government data requests and it almost certainly wouldn’t have advertised the fact so prominently.

However it is important to keep in mind that the scope of this protection is only on the device itself. If you upload data to iCloud Apple can still comply with any warrants demanding it turn over customer data. So if you value your privacy it’s a good idea to upgrade to iOS 8 and not upload your data to online storage services.

Shortsighted Firearm Access Control Technology

A lot of electrons have been annoyed by people such as myself writing about access control technologies for firearms (often erroneously referred to as smart gun technology). Advocates of gun control want to mandate access control technologies in firearms because it will increase the costs and make guns less accessible they claim it will decrease gun related deaths. Gun rights advocates are worried that other states will pass laws like New Jersey’s that mandate all firearms include access control technologies after the first such equipped firearm is released to market. I’m primarily interested in the technology itself (since I have no problem ignoring laws I disagree with the threat of mandating the technology doesn’t carry much weight with me).

Understanding that politics is an ineffective vehicle for creating change some people got together and founded the Smart Tech for Firearms Challenge, which awards grants to individuals who show promising developments in access control technologies for firearms. One of those prize winners is Kai Kloepfer, a 17 year-old who designed an access control system for firearms. First let me congratulate Mr. Kloepfer on designing such a system at a young age. He shows the potential to go far as an engineer. Now let me point out a major flaw in the system he designed:

The gun works by creating a user ID and locking in the fingerprint of each user allowed to use the gun. The gun will only unlock with the unique fingerprint of those who have already permission to access the gun.

Access control technologies for firearms that rely on the user’s fingerprint aren’t viable. While people living in California, Arizona, Florida, or other southern states may be inclined to ask why, I, as a Minnesotan, can point out the glaring error quite quickly: gloves. Those of us who live in northern states spend many months with our hands inside of gloves. When it’s 20 below zero outside you can’t have your hands exposed to the elements for very long and those finger saving gloves render fingerprint readers useless (as well as capacitive touchscreens). How am I supposed to unlock my firearm in the winter? Some will probably say “By taking off your gloves, dumbass.” Those people don’t live in Minnesota because taking off your gloves isn’t always an option, especially when you plan to grab onto a freezing cold piece of metal. Furthermore one is seldom afforded the time to remove their gloves in a defensive situation.

Finger and hand print readers are Hollywood’s go-to solution for firearm access control. In the latest James Bond movie, Skyfall, Bond is given a Walther PPK/S equipped with a hand print reader. If anybody other than James Bond is holding the pistol it won’t fire. Hollywood sure makes the technology look effective but Bond is also never wearing gloves. Still many people seem to get their inspiration from Hollywood movies and that must be the reason why manufacturers of firearm access control technology have such a hard-on for finger and hand print readers. Because it certainly isn’t for practical reasons.

Removing that God Awful U2 Album from iTunes and iOS

Last week Apple unveiled its new phone, payment service, and smartwatch. In addition to those three products Apple also did something despicable. When I opened the Music app on my iPhone to listen to songs from my carefully curated list of awesome fucking music I noticed something. That something stunk up my music list like a dead bloated corpse floating down an otherwise pristine river. That thing was U2’s Songs of Innocence album. Fortunately I disabled automatic downloads on my devices so what was stinking up my music list was just a link to download the album, not the actual songs themselves. But the damage was done. My phone was violated. Even though I attempted to console my phone with a continuous stream of Iron Maiden and Manowar I could tell that it wasn’t helping.

I knew that the only way to help my phone overcome this traumatic experience was to completely remove Songs of Innocence from it. As it turned out removing that piece of shit wasn’t doable. The best I could do was go into my Music app settings and turn off the Show All Songs option. But sweeping something under the rug isn’t the same as getting rid of it. The corpse may have been under the floorboards but the stench still crept into the room.

I wasn’t the only one made unhappy by Apple foisting shitty music from a shitty band onto my device (U2 is shitty, if you disagree then you’re wrong). A lot of people, many of my friends included, were upset to see that their devices had been violated. They too sought a way to purge the memory of U2 from their devices only to find out that no such way existed. Thankfully, not even a week after the announcement, Apple has finally created a way for its customers to completely purge Songs of Innocence from their iCloud account:

The US tech firm is now providing a one-click removal button.

“Some customers asked for the ability to delete ‘Songs of Innocence’ from their library, so we set up itunes.com/soi-remove to let them easily do so. Any customer that needs additional help should contact AppleCare,” spokesman Adam Howorth told the BBC.

Users who remove the album and do not download it again before 13 October will be charged for the 11 tracks if they subsequently try to add them again.

So if you have iTunes or an iOS device and hate shitty music feel free to click the link, log into your iTunes account, and have Songs of Innocence sent to the sewer where it belongs.

On the off chance that somebody from Apple is reading this I have a message for you: don’t ever let this happen again. If you want to give your customers something just give them credit to download whatever album they desire.

“Smart” Guns Would Turn a Physical Fight into a Technological Fight

The Verge has a story about designers of “smart” guns being afraid to come forward with their designs because they believe us evil gun nuts will get them. While the story does attempt to make it appear as though their fear is well founded I’m betting their actual fear has nothing to do with gun rights activists and everything to do with criticism. Gun control advocates seem to think guns with built-in access control are the Holy Grail of restricting gun ownership. What they fail to understand is that baking access control into firearms turns a physical confrontation into a technological confrontation.

There isn’t an access control system on the planet that cannot be bypassed by unauthorized users. Access control systems are about raising the cost of gaining unauthorized access. If I put a shitty lock on my door the cost of bypassing it is pretty low but a quality lock raises that cost. But even the most effective of access control technologies, once unveiled to the public, falls under the onslaught of hackers. Access control technology for firearms is no different. Once it hits the market security experts will put it under a microscope and discover every way to bypass it. Some of the bypasses will allow unauthorized users to fire the gun and other bypasses will prevent authorized users from firing the gun.

Consider the Armatix iP1. It’s a .22 pistol that uses a wristwatch containing a radio-frequency identification (RFID) chip to authenticate the user. Gun control advocates have touted the iP1 as the answer to the “smart” gun question. But there is a critical flaw in the pistol’s design: it relies on a wireless signal for authentication. Wireless signals are convenient but they suffer from a notably critical flaw when looking at a self-defense tool: they’re susceptible to jamming. If you have a powerful enough transmitter you can flood specific radio frequencies with enough noise that it severely degrades or completely prevents the communication capabilities of devices using those frequencies. Imagine being a police officer tasked with instigating violence against currently peaceful protesters. You plan to fire a couple of rounds into the crowd in the hopes chaos ensues so you and your friends can justify wholesale slaughter. But the protesters are smart and have been flooding the radio frequency your gun uses to authenticate, which renders your firearm inoperable. The previously physical conflict became a technological conflict.

One of the reasons I’ve been skeptical of current access control proposals for firearms is that the names working on the technology aren’t well known in the security community. Security is hard and failing to implement proper security for a firearm access control system would render it useless. Does the iP1 RFID setup utilize strong encryption for communications between the watch and pistol? Many RFID access control systems, especially earlier ones, didn’t utilize any encryption so it was trivial to intercept the authentication code and load it onto your own RFID chip. If cloning the authentication code stored in the watch is easy then the entire access control system is useless. And even if the system uses encryption the question becomes whether the encryption is properly implemented. Many systems can be manipulated in such a way that they give up credentials (just think of every database breach that resulted in user names and passwords getting stolen).

Police departments and the military understand these issues, which is why they haven’t been on the bandwagon to adopt access control technologies for their weapons. If they did adopt such technology it would suddenly turn the physical fight, which they’re very good at, into a technological fight, which they’re not very good at. In all likelihood the current crop of people developing access control technology for firearms know that their designs won’t hold up under scrutiny and therefore don’t want their names attached to the designs. It’s much easier to claim that the evil gun nuts will come after them than to admit their designs have not undergone a security audit from a recognized auditor.

Yesterday’s Apple Announcement

There isn’t much else worth writing about so I’ll fill some space by giving a quick summary of yesterday’s Apple announcements.

First Apple introduced us to the new iPhone 6. It’s thinner and faster, just like every other iPhone. But here’s the twist, there are two screen sizes. The first, dubbed the iPhone 6, is slightly larger than the current iPhone. But Apple saved the best for last because the company has finally released a phone that is big enough to be impractical to carry around and it’s calling it the iPhone 6 Plus. Now Apple users can experience the joy of a phone that’s too big to fit in most pockets but too small to be a useful tablet.

Next Apple announced Apple Pay. I think the name explains it quite well, it’s Apple’s new payment system. This looks interesting simply because current credit and debit card security in this country is a joke. When it can be used everywhere credit cards are accepted I will probably take a bigger interest.

Finally Apple’s big announcement, the Apple Watch, made everybody at the event euphoric. Basically it’s the ugliest device Apple has released since I started using the company’s products. Seriously. It’s really fucking ugly. On the upside it does pack a lot of features into its hideous shell. The watchband is easily removed and replaced with other Apple Watch compatible bands because using standard watchbands would be too much to ask for. As expected it uses inductive charging, contains a heartbeat monitor, and a gyroscope. You interface with the watch via the crown, which scrolls shit when you turn it and dumps you back to the home screen when you press it in. There’s also another button on the side that brings up your contacts. Oh, I almost forgot, it also has a touchscreen, which renders all of the hardware controls pretty pointless. One of the big questions with any smartwatch is how long the battery lasts. Well Apple totally didn’t mention that so we have no idea. But come 2015 you will be able to get your hands on one for the low price of $349.00. Or for just a little bit more you could buy a Hamilton Khaki Field watch, which nets you a nice looking piece with a mechanical movement. Your choice.

After the Apple Watch announcement I began to suspect that Apple was trolling everybody at the event. My suspicions were confirmed when Apple subjected every poor son of a bitch at the event to U2. Talk about adding insult to injury. Oh, and U2 announced another shitty album. But it seems that the band finally realizes that its music is shitty because you can get it free on iTunes, which is too high of a price if you ask me.

I Understand that Words are Hard But Dictionaries are a Thing

As somebody who uses words every day I understand that they can be difficult. Sometimes you think of the perfect word to make your smartass zinger shine but are uncertain if you’d be using it in the correct context. For those situations there are these things called dictionaries. In fact if you go to Google and type “define:word” you will be greeted with the definition of “word”. Because this wonderful technology known as a dictionary exists I’m not terribly forgiving when people totally fuck up their word usage in a professional piece of writing. So when I saw this petition claiming to oppose a federal takeover of the Internet I realized that the author doesn’t know how some very basic words work:

Dear Mr. Wheeler,

Americans have been getting faster and faster Internet speeds because of competition in the free economy, not because of anything the government has done.

To which I ask, what competition? What free economy? This is one of the biggest problems with the net neutrality debate. One side wants to use the state to mandate net neutrality and the other side has no fucking clue how Internet provision works in this country. There is very little competition in the Internet provision market specifically due to government regulations. In the current environment a handful of companies such as Comcast, Century Link, AT&T, and Verizon have near monopolies, if not outright monopolies, in many areas. People who are really lucky may have two Internet Service Providers (ISP) to choose from but that’s not always the case. Thanks to lobbying efforts by large ISPs the option for communities to build their own ISP isn’t even legal in many areas.

If you think the net neutrality debate is currently between a government regulated market or a free market then you have no clue what’s going on. The debate is between a government regulated market or a government regulated market with the only question being what set of regulations should be used to fuck the American people. Don’t fall for ploys like this petition that claim to support a free market in Internet provision. A free market isn’t even an option on the table at this point and the only people who claim it is are shills for large cable providers that are trying to sucker free market advocates into supporting their own subjugation.

Comcast Continues Its Quest to be The Most Dickish Company Ever

Comcast has a mission. That mission is to be the single most dickish company in the world. Between its horrible customer service, attempts to convince people it supports net neutrality through shady marketing, and continued attempts to regulate competition out of existence Comcast has gotten far in realizing its goal. But all of this still isn’t enough to win the crown of dickishness so Comcast is now injecting advertisements into webpages served by its publicly accessible Wi-Fi access points:

Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.

Now that’s some dickish behavior! Injecting code into a page without the permission of the page owner is something mostly attributed to malicious software. Granted Comcast is pretty malicious so I believe calling its injected ads malware isn’t dishonest. But this story also makes another very important point:

One way to prevent this from happening, he said, is for websites to encrypt and serve over HTTPS. But many sites do not do that.

There’s no reason in this day and age for a website to have an unsecured connection available. Companies like StartSSL will provide free Transport Layer Security (TLS) certificates for personal use and charge a very reasonable fee for commercial use. Almost every (I’m not actually aware of any exceptions) personal computer, tablet, and smartphone made in the last decade is capable of communicating via secured connections. If you’re running a website get a TLS certificate, load it on your server, and force the unsecured connection to redirect to the secured connection (that’s what I do on this site). For those of you who are using a hosting service that doesn’t give you the option of enabling TLS, demand that they offer that capability or provide the certificates and enable TLS for you. Allowing only TLS connections not only prevents third parties from eavesdropping but it also prevents third parties from altering pages in transit. We’re at a point (and have been for a long time) where the benefits of TLS far outweigh the negatives.