Original Image via Michael Stuhr
Over at Positive Technologies, we learn:
Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.
Yup, the NSA is running Intel machines with the ME off, and so should you, most likely.
Berliner Sparkasse Onlinebanking FAQ: »Why do I get the message ‘mobile device, can’t perform smsTAN money transfer when using my Desktop computer.« »A possible cause is the display resolution. Your computer is being detected as a mobile device by our online banking system. smsTAN is not working from a mobile device. Solution: Change the display resolution.«
So 1920×1080 work, but 1080×1920 doesn’t.
Why do companies think about Chatbots and other abominations for customer support? Because already their Fleshbots are not even reading what the customer writes.
Here for example is my password strength for the KLM website:
»But Kris, that’s terrible. Why don’t you set a proper password?«
So I am using Chrome in a corporate context. Outdated password regulations force me to increment my password every three months. The reason for that is well understood (PCI compliance), but can’t be changed from inside the corporation.
Previously, Chrome stored my passwords in the Apple Keychain. So I could script this, using /usr/bin/security and push my password change into all saved passwords, or, alternatively, bulk delete all those old passwords.
Recent Chrome does not do that any more.
The history of serialize() and unserialize() in PHP begins with Boris Erdmann and me, and we have to go 20 years back in time. This is the day of the prerelease versions of PHP 3, some time in 1998.
Boris and I were working on Code for a management system for employee education for German Telekom. The front side is a web shop that sells classes and courses, the back end is a complex structure that manages attendance, keeps track of a line manager approval hierarchy and provides alternative dates for overfull classes.
In order to manage authentication, shopping carts and other internal state, we needed something that allowed us to go from a stateless system to a stateful thing, securely. The result was PHPLIB, and especially the code in session.inc.
That code contained a function serialize(), which created a stringified representation of a PHP variable and appended it to a string. There was no unserialize() necessary, because serialize() generated PHP code. eval() would unserialize().
So how about current CPUs? Modern CPUs are vastly bigger and more complicated than a 6502, and they are also set up very differently. So simulation is not taking us anywhere, but we can fuzz.
Sandsifter is such a CPU fuzzer:
Dear Internet, Today I Learned that oath-toolkit exists in Homebrew.
So, this is a thing:
$ brew install oath-toolkit $ alias totp='oathtool --totp -b YOURSECRET32BLA | pbcopy'
And so is this:
#! /usr/bin/env expect -f set totp [ exec oathtool --totp -b MYSECRET7W22 ] spawn ssh verysecure.doma.in expect "Password:" sleep 1 send "thisIsN0t1GoodPaszwort@\r" expect "Two Factor Token:" sleep 1 send "$totp\n" interact
Yup, it’s totally possible to laugh and cry at the same time.