Skip to content

Category: Hackerterrorcybercyber

Turning off the Intel Management Engine (ME)

Over at Positive Technologies, we learn:

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.

Yup, the NSA is running Intel machines with the ME off, and so should you, most likely.

1 Comment

Why I can’t transfer money with my Monitor upright

Berliner Sparkasse Onlinebanking FAQ: »Why do I get the message ‘mobile device, can’t perform smsTAN money transfer when using my Desktop computer.« »A possible cause is the display resolution. Your computer is being detected as a mobile device by our online banking system. smsTAN is not working from a mobile device. Solution: Change the display resolution.«

So 1920×1080 work, but 1080×1920 doesn’t.

9 Comments

Not even reading…

Why do companies think about Chatbots and other abominations for customer support? Because already their Fleshbots are not even reading what the customer writes.

Here for example is my password strength for the KLM website:

»But Kris, that’s terrible. Why don’t you set a proper password?«

5 Comments

The road to hell is paved with outdated passwords…

So I am using Chrome in a corporate context. Outdated password regulations force me to increment my password every three months. The reason for that is well understood (PCI compliance), but can’t be changed from inside the corporation.

Previously, Chrome stored my passwords in the Apple Keychain. So I could script this, using /usr/bin/security and push my password change into all saved passwords, or, alternatively, bulk delete all those old passwords.

Recent Chrome does not do that any more.

9 Comments

PHP: Understanding unserialize()

The history of serialize() and unserialize() in PHP begins with Boris Erdmann and me, and we have to go 20 years back in time. This is the day of the prerelease versions of PHP 3, some time in 1998.

Boris and I were working on Code for a management system for employee education for German Telekom. The front side is a web shop that sells classes and courses, the back end is a complex structure that manages attendance, keeps track of a line manager approval hierarchy and provides alternative dates for overfull classes.

In order to manage authentication, shopping carts and other internal state, we needed something that allowed us to go from a stateless system to a stateful thing, securely. The result was PHPLIB, and especially the code in session.inc.

That code contained a function serialize(), which created a stringified representation of a PHP variable and appended it to a string. There was no unserialize() necessary, because serialize() generated PHP code. eval() would unserialize().

8 Comments

Illegal and undocumented instructions

Illegal and undocumented instructions are not a new thing. The Commodore 64 CPU, a 6502 with a few additional I/O lines, was known to have them, and since on current CPUs we can completely VLSI simulate a 6502 in Javascript we also understand where they come from. Pagetable.com has a wonderful article on this.

So how about current CPUs? Modern CPUs are vastly bigger and more complicated than a 6502, and they are also set up very differently. So simulation is not taking us anywhere, but we can fuzz.

Sandsifter is such a CPU fuzzer:

4 Comments

Zero Factor Authentication

Dear Internet, Today I Learned that oath-toolkit exists in Homebrew.

So, this is a thing:

$ brew install oath-toolkit
$ alias totp='oathtool --totp -b YOURSECRET32BLA | pbcopy'

And so is this:

#! /usr/bin/env expect -f
 
set totp [ exec oathtool --totp -b MYSECRET7W22 ]
 
spawn ssh verysecure.doma.in
expect "Password:"
sleep 1
send "thisIsN0t1GoodPaszwort@\r"
expect "Two Factor Token:"
sleep 1
send "$totp\n"
interact

Yup, it’s totally possible to laugh and cry at the same time.

4 Comments