Category: Hackerterrorcybercyber

Seizure of Cellphone content during US immigration checks

US Customs and Border Patrol have forced a NASA engineer to give up the passcode to his cellphone, and presumably copied and inspected the device, The Atlantic reports.

If you are traveling into the US, you are well advised to take blank dummy devices with you that contain no work or personal data. Resetting a personal device prior to travel may not be enough in all cases, as residual data may remain in the flash (a Chromebook or Nexus “Powerwash” reset might be enough).

Not traveling into the US might be even smarter.

Post like it is 2015

Following a great idea from their friends at GitLab, Soup.io loses all postings since 2015 because of malfunctioning backups. They write:

We had a big database crash, and the backups we had were corrupted.
The only working backup was from 2015.

Also, TIL soup.io still exists. Meanwhile, GitLab posted a blameless postmortem. You can read it online, and they write:

Improving Recovery Procedures

[…]
9. Automated testing of recovering PostgreSQL database backups (#1102)
[…]

Does your database backup successfully restore? Are you sure? Are you testing this?

Remember these words of wisdom:

Nobody wants backup.
Everybody wants restore.
— Martin Seeger

Pandamonium and other attacks

From the HHOS-Dept: The Verizon Data Breach Digest is a thing that exists. This issue (PDF) reports a botnet built from drink dispensers and other Internet of Trash things at a university. The devices were badly protected, but indispensable enough that they could not simply be disconnected and wiped.

Apparently the embedded trash united to run a DNS DDoS attack against some domains. Luckily, the botnet was written so badly that it could be taken over and disabled, regaining some semblance of control over the devices, mostly because the botnet's C&C did not use SSL and also did not encrypt passwords. So the situation was salvageable mostly due to incompetence on the side of the botnet operators.

Amnesty International: We have achieved surveillance society in Europe

The Amnesty Report “Dangerously Disproportionate: The Ever-Expanding National Security State in Europe” (PDF) goes through the states of Europe and their respective implementations of the surveillance state. It examines emergency laws, the principle of legality, privacy, freedom of expression, liberty, freedom of movement, and other categories.

The summary states:

[B]y proposing, adopting and implementing wave after wave of counter-terrorism measures that have eroded the rule of law, enhanced executive powers, peeled away judicial controls, restricted freedom of expression and exposed everyone to government surveillance. Brick by brick, the edifice of rights protection that was so carefully constructed after the Second World War, is being dismantled.

This report aims to give a bird’s eye view of the national security landscape in Europe. It shows just how widespread and deep the “securitization” of Europe has become since 2014. The report reflects a world in which fear, alienation and prejudice are steadily chipping away at the cornerstones of the EU: fairness, equality and non-discrimination.

FBI Rap Back

Wikipedia knows:

The [Chinese] Social Credit System is a proposed Chinese government initiative for developing a national reputation system. It has been reported to be intended to assign a “social credit” rating to every citizen based on government data regarding their economic and social status.

Xinhuanet has reported that the plan for the system “focuses on credit in four areas, including administrative affairs, commercial activities, social behavior, and the judicial system.”

The system has been an inspiration for the Black Mirror episode Nosedive, and US newspapers such as The Economist have been condemning it as a “Digital Totalitarian State”.

Meanwhile, The Intercept reports on the FBI Rap Back program (“‘Rap’ is an acronym for Record of Arrest and Prosecution; ‘Back’ is short for background.”), which will implement exactly this:

What the program counts as “triggering events” differs depending on how subscribers configure their systems. In Missouri, where public school teachers are entered into the program, a police captain told a local paper that scanning fingerprints triggers the release of closed records, including charges that are not prosecuted and judicial decisions that result in dismissals or not guilty findings. […]

Lynch said it’s possible that employees could be fired for an arrest where they were exercising their First Amendment rights: filming public officials, attending protests, blocking streets. “It’s unclear if an employer that takes action based on the arrest would know the arrest is tied to First Amendment protected activity.”

Bash 4.4 Bug: Tab completion can execute commands

Jens Heyens and Ben Stock of the Uni Saarland have found a code execution bug (PDF) in Bash 4.4 and higher.

$ touch '"`touch HereBeDragons`'
$ rm \"\`touch\ HereBeDragons\` ^C
$ ls -lt
insgesamt 0
-rw-r--r-- 1 heyens heyens 0 17. Jan 16:03 HereBeDragons
-rw-r--r-- 1 heyens heyens 0 17. Jan 16:03 '"`touch HereBeDragons`'

The bug was introduced in commit 74b8cbb41398b4453d8ba04d0cdd1b25f9dcb9e3 on the devel branch of bash and made it into 4.4-stable. It has been present since May 2015.
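
Since the trigger is a file name, a directory from an untrusted source (an unpacked archive, a shared upload area) can be audited before anyone tab-completes in it. The following is an added example, not code from the paper or from bash: the function names are hypothetical, the sample directory is constructed, and it goes slightly beyond the case shown above by also matching the $( ) form of command substitution.

```sh
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# entry names that contain shell command-substitution syntax.
# Function names are hypothetical; the sample directory is constructed.

# Print one line per suspicious entry. Bytes outside printable ASCII
# (including newlines inside a name) are shown as '?', so a hostile name
# cannot inject control characters into the terminal.
find_cmdsubst_names() {
    LC_ALL=C find "$1" \( -name '*`*' -o -name '*$(*' \) -exec sh -c '
        for path do
            printf "%s" "$path" | LC_ALL=C tr -c "[:print:]" "?"
            printf "\n"
        done' sh {} +
}

# Number of suspicious entries below DIR.
count_cmdsubst_names() {
    find_cmdsubst_names "$1" | wc -l | tr -d ' '
}

# Constructed sample: one name shaped like the one in the transcript above,
# one using the $( ) form, and one harmless name.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/"'"`touch HereBeDragons`' "$dir/"'$(id).txt' "$dir/notes.txt"
    find_cmdsubst_names "$dir"
    echo "suspicious entries: $(count_cmdsubst_names "$dir")"
    rm -rf "$dir"
}

demo
```

The script never passes a file name through word expansion or completion, so running it on a hostile directory does not itself evaluate the embedded command.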

On Sandboxing, and Linux distro differences

Dan Walsh, Red Hat, SELinux developer, weeps when you disable SELinux

On one end of the spectrum, LearntEmail points to Stop Disabling SELinux and asks us to instead set up proper sandboxes to contain software: SELinux – A Real-World Guide.

On the other hand, Kristaps Dz explains how differences in Linux distros, libraries and other environmental factors make it very hard to define sandboxes in a portable way (seccomp, in this case), so that they can be shipped with an application, such as the Let’s Encrypt ACME client he develops. The LWN article pointing to this has an interesting discussion.

There is a lot to be learnt between these two extremes, for example why we can’t have nice things.

Mandatory Widevine (Browser Video DRM) in Chrome

Changes are coming to Chrome. Not all of them are good.

For example, the ability to actually view the details of a TLS certificate in Chrome has been moved far away into a hard-to-reach Developer menu.

Most Chrome plugins have been disabled and removed, and the chrome://plugins page will go away very soon (Chrome 57 and later). The remaining plugins can no longer be disabled (Bug report). This will also silently re-enable disabled plugins.

One of them is the Widevine video DRM plugin, and that is widely seen as very problematic, for security and legal reasons.
