
Category: Hackerterrorcybercyber

Jumping Airgaps…

So this paper operates on the premise of a high-security installation. Because of that it has an air-gapped network, and also physical protection, in the form of common security cameras with the ubiquitous IR illumination for night vision.

Turns out, according to the developers of “aIR-Jumper“, you can encode data in the flashing of the cameras' IR LEDs (exfiltration, read from outside with any IR-sensitive camera), and the implant can read commands sent as IR flashes aimed at the cameras, since it sees the video feed (infiltration). So after the initial infection (which would have to take a different route) you can talk to your implant using the security features of the isolated network.
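To make the exfiltration half concrete, here is an added example (not code from the aIR-Jumper paper or from this post): a toy on-off-keying link in which the implant holds the IR LEDs on or off for one symbol period per bit, and an observer outside reduces each recorded frame to one brightness value and recovers the bytes. The preamble, sync word, symbol length and the camera response model are this example's own assumptions, not the paper's parameters.

```python
"""Added example, not code from the aIR-Jumper paper or from this post: a toy
on-off-keying (OOK) link that rides on a security camera's IR illuminator.

Transmit side: the implant toggles the camera's IR LEDs, holding each bit for
one symbol period (LEDs on = 1, off = 0) behind a fixed preamble and sync word.
Receive side: someone outside films the camera, reduces every recorded frame to
one brightness value, and this code recovers the bytes from that series.
Preamble, sync word, symbol length and the camera model are this example's own
assumptions, not the paper's parameters.
"""
import random

PREAMBLE = "10101010"     # alternating bits: lets the receiver find the symbol clock
SYNC = "11110000"         # marks where the length byte starts
SAMPLES_PER_SYMBOL = 4    # recorded frames per bit; at 25 fps that is ~6 bit/s

LED_OFF, LED_ON, NOISE_SIGMA = 0.20, 0.75, 0.05   # assumed camera response


def bits_from_bytes(data):
    return "".join(f"{b:08b}" for b in data)


def bytes_from_bits(bits):
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def frame_bits(payload):
    """Wire format: PREAMBLE | SYNC | 8-bit length | payload bits."""
    if len(payload) > 255:
        raise ValueError("payload too long for the one-byte length field")
    return PREAMBLE + SYNC + f"{len(payload):08b}" + bits_from_bytes(payload)


def led_schedule(bits):
    """Per-frame LED state the implant drives: each bit held for a whole symbol."""
    return [int(b) for b in bits for _ in range(SAMPLES_PER_SYMBOL)]


def simulate_camera(led_states, idle_frames=7, seed=1):
    """Constructed observation: mean brightness of each frame an outside camera
    records, with LEDs-off idle frames before and after the transmission."""
    rng = random.Random(seed)
    states = [0] * idle_frames + list(led_states) + [0] * idle_frames
    return [(LED_ON if s else LED_OFF) + rng.gauss(0, NOISE_SIGMA) for s in states]


def decode_brightness(samples):
    """Recover the payload from a per-frame brightness series."""
    lo, hi = min(samples), max(samples)
    if hi - lo < 0.2:                       # nothing blinked: flat series
        raise ValueError("no IR modulation visible")
    threshold = (lo + hi) / 2               # slice halfway between dark and lit
    hard = [1 if s > threshold else 0 for s in samples]
    # The first rising edge is the start of the preamble's first '1'.
    start = next((i for i in range(1, len(hard)) if hard[i] and not hard[i - 1]), None)
    if start is None:
        raise ValueError("no rising edge found")
    # Sample once in the middle of every symbol period from that edge on.
    centres = range(start + SAMPLES_PER_SYMBOL // 2, len(hard), SAMPLES_PER_SYMBOL)
    bits = "".join(str(hard[i]) for i in centres)
    header = PREAMBLE + SYNC
    if not bits.startswith(header):
        raise ValueError("preamble/sync mismatch: not our transmitter, or clock slip")
    bits = bits[len(header):]
    length = int(bits[:8], 2)
    payload_bits = bits[8:8 + 8 * length]
    if len(payload_bits) < 8 * length:
        raise ValueError("recording ends before the payload does")
    return bytes_from_bits(payload_bits)


def round_trip(payload, seed=1):
    """Implant encodes, constructed camera records, observer decodes."""
    return decode_brightness(simulate_camera(led_schedule(frame_bits(payload)), seed=seed))


if __name__ == "__main__":
    print(round_trip(b"exfil:ok"))
```

The detection angle follows directly from the decoder: a camera's IR illuminator that switches on and off in a regular pattern, rather than staying on through the night, is the observable, and a plot of per-frame brightness over time shows it long before anyone decodes the bits.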


The Chaos breaks German elections, again

Actually, the election was broken before, and the Chaos Computer Club just happened to be the only one looking closely enough, again. (German PDF)

Ten years ago, they broke the digital elections in Hamburg, which were to be based on the Digitaler Wahlstift. Because of that, and of the Dutch campaign Wij vertrouwen stemcomputers niet, there is now a completely offline paper record from which election results can be rebuilt by hand.

So this time the CCC looked at the election result collection and tabulation software, PC-Wahl 10, and found software that uses default passwords of the calibre test/test, FTP-based unsigned software updates, and no secure way whatsoever to transmit and validate election results.

„Elementary principles of IT security were not heeded. The number of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a spokesperson for the CCC who was involved in the study.

If there is ever a valid use case for the Blockchain, er, Merkel, er, Merkle Trees, it’s probably this.


Turning off the Intel Management Engine (ME)

Over at Positive Technologies, we learn:

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.

Yup, the NSA is running Intel machines with the ME off, and so should you, most likely.


Why I can’t transfer money with my Monitor upright

Berliner Sparkasse online banking FAQ: »Why do I get the message ‘mobile device, can’t perform smsTAN money transfer’ when using my desktop computer?« »A possible cause is the display resolution. Your computer is being detected as a mobile device by our online banking system. smsTAN does not work from a mobile device. Solution: change the display resolution.«

So 1920×1080 works, but 1080×1920 (the same monitor rotated to portrait) doesn’t. The rule itself is sound: the TAN must not arrive on the device that initiates the transfer, or the second channel is no channel at all. But “is a mobile device” is being inferred from the shape of the browser viewport, a value the client controls anyway and a rotated desktop monitor trips.


Not even reading…

Why do companies think about chatbots and other abominations for customer support? Because their fleshbots already don’t read what the customer writes.

Here for example is my password strength for the KLM website:

»But Kris, that’s terrible. Why don’t you set a proper password?«


The road to hell is paved with outdated passwords…

So I am using Chrome in a corporate context. Outdated password regulations force me to increment my password every three months. The reason for that is well understood (PCI compliance), but can’t be changed from inside the corporation.

Previously, Chrome stored my passwords in the Apple Keychain, so I could script this using /usr/bin/security: push my password change into all saved passwords, or, alternatively, bulk-delete all those old passwords.
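What such a script looks like, as an added example rather than the post author’s own: it parses `security dump-keychain` output, picks out the internet-password items saved under one account name, and builds the `security add-internet-password -U` (rotate) or `security delete-internet-password` (purge) invocations. The dump layout in SAMPLE_DUMP, the account name and the server names are constructed assumptions.

```python
"""Added example, not the post author's script: use /usr/bin/security to push a
rotated password into every saved web login for one account name, or to purge
those items, the way Chrome-in-Keychain used to allow.

Assumptions: the dump is `security dump-keychain` output and internet-password
items carry class "inet" with "acct"/"srvr" attributes in the form shown in the
constructed SAMPLE_DUMP; the account name and server names are made up.
"""
import re
import subprocess

# Constructed stand-in for `security dump-keychain` output: two web logins
# (one for our account, one for someone else) and one generic password item
# that must be left alone.
SAMPLE_DUMP = '''keychain: "/Users/kris/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="intranet.example.com (kris)"
    "acct"<blob>="kris"
    "atyp"<blob>="form"
    "srvr"<blob>="intranet.example.com"
keychain: "/Users/kris/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    "acct"<blob>="someone.else"
    "atyp"<blob>="form"
    "srvr"<blob>="webmail.example.com"
keychain: "/Users/kris/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="kris"
    "svce"<blob>="Some Desktop App"
'''

CLASS_RE = re.compile(r'^class:\s*"(\w+)"', re.M)
ATTR_RE = re.compile(r'^\s*"(\w{4})"<blob>="([^"]*)"', re.M)


def parse_dump(text):
    """Split a dump into items: one dict per item, four-letter attribute -> value,
    with the item class stored under "class"."""
    items = []
    for chunk in re.split(r"^keychain:", text, flags=re.M)[1:]:
        m = CLASS_RE.search(chunk)
        item = {"class": m.group(1) if m else ""}
        item.update(ATTR_RE.findall(chunk))
        items.append(item)
    return items


def servers_for_account(text, account):
    """Servers of every internet-password item saved under ACCOUNT."""
    return sorted(i["srvr"] for i in parse_dump(text)
                  if i["class"] == "inet" and i.get("acct") == account and "srvr" in i)


def rotation_commands(text, account, new_password):
    """security(1) invocations that overwrite the stored password of each match.
    -U updates the existing item instead of refusing to add a duplicate."""
    return [["security", "add-internet-password", "-U",
             "-a", account, "-s", srv, "-w", new_password]
            for srv in servers_for_account(text, account)]


def purge_commands(text, account):
    """Invocations that delete each matching item instead."""
    return [["security", "delete-internet-password", "-a", account, "-s", srv]
            for srv in servers_for_account(text, account)]


def run(commands, apply=False):
    """Dry run by default: print the argv lists. apply=True executes them (macOS only)."""
    for argv in commands:
        if apply:
            subprocess.run(argv, check=True)
        else:
            print(" ".join(argv))


if __name__ == "__main__":
    # Real use replaces SAMPLE_DUMP with:
    #   subprocess.run(["security", "dump-keychain"], capture_output=True, text=True).stdout
    run(rotation_commands(SAMPLE_DUMP, "kris", "Winter2017!"))
```

Two things to keep in mind when running it for real: passing the new password with `-w` puts it on the command line, where it is briefly visible to other local users via ps, and dumping the keychain without the item’s secrets is harmless, but the same tool will also export them, so run it from a shell history you control.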

Recent Chrome does not do that any more.


PHP: Understanding unserialize()

The history of serialize() and unserialize() in PHP begins with Boris Erdmann and me, and we have to go back 20 years in time, to the days of the prerelease versions of PHP 3, some time in 1998.

Boris and I were working on code for a management system for employee education at Deutsche Telekom. The front end is a web shop that sells classes and courses; the back end is a complex structure that manages attendance, keeps track of a line-manager approval hierarchy and provides alternative dates for overfull classes.

In order to manage authentication, shopping carts and other internal state, we needed something that allowed us to go from a stateless system to a stateful one, securely. The result was PHPLIB, and especially the code in

That code contained a function serialize(), which created a stringified representation of a PHP variable and appended it to a string. No unserialize() was necessary, because serialize() generated PHP code: eval() would unserialize it.


Illegal and undocumented instructions

Illegal and undocumented instructions are not a new thing. The Commodore 64 CPU, a 6510 (a 6502 with a few additional I/O lines), was known to have them, and since on current computers we can simulate a complete 6502 at the transistor level in JavaScript, we also understand where they come from. has a wonderful article on this.

So how about current CPUs? Modern CPUs are vastly bigger and more complicated than a 6502, they are set up very differently, and their netlists are not public. So simulation is not going to take us anywhere, but we can fuzz.

Sandsifter is such a CPU fuzzer: