
Month: June 2017

Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery

In »Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery« (PDF) a bunch of researchers from TU Berlin, TU Braunschweig and Trend Micro test the hypothesis that people copy code from Stack Overflow and similar tutorials even when it is bad code.
That is, one rotten tutorial can spoil the lot:

Based on our assertion, we hypothesize that vulnerability discovery can be seeded by code snippets such as those found in top-ranked tutorials. Viewed from an adversarial standpoint, we present a novel approach for bootstrapping vulnerability discovery at scale. Our main intuition is that recurring vulnerabilities can be found by recognizing, and subsequently looking for patterns in code that correspond to the original vulnerability. We refer to instances of these patterns as code analogues throughout the rest of the paper. Our expectation is that if such a pattern recurs, so will the corresponding vulnerability.


Project Zero

Fortune has a kind of profile piece on Project Zero, explaining what it is, how it came to be and who the people in there are.

If you do not know what Project Zero is and why it is important, it’s a good starting point.

If you know about Project Zero, it’s still a fun read because of all the parentheses that read »x declined to be interviewed for this story.«


Cost parity and conversion to electric


This is the Sigmoid or Logistic Curve. It describes capped, exponentially growing things, like cancer or the uptake of new technologies.

So, yes, electric cars are in a way like cancer. :-)

The point being that right now a lot of people are waiting for electric cars to really take off. Right now they are in the low single digits as a percentage of the total car population, but once a certain breaking point is reached, that will change extremely quickly.

Many people think this breaking point is cost parity, electric cars costing about as much as a comparable car with an ICE. And some people are bullish and think that year might even be 2018.

The thing is that, in order to satisfy sudden demand, you need to have the manufacturing capacity and enough experience to have the processes down and ready for mass manufacture.

Well, maybe it’s not 2018, but 2020. In any case, time is running out for makers of cars with ICE.


The bromfiets has no place in the Netherlands

One key element to traffic safety in the Netherlands is separation. So cycle pathways can run on the street only if the street is limited to 30 km/h or lower.

If car traffic is faster, the cycle path needs to be separated in some way. That can be as simple as a curb and red posts, or it can be a separate road running an entirely different route from the car road. Some newer cities such as Lelystad (built only in 1967) have completely different networks for pedestrians, cycles and cars.

In general, this works really well, but it drops one type of transportation into a void: the bromfiets and its friends, anything that can go faster than 25 km/h and is limited to 45 km/h.


Rotterdam Containerterminal down due to Ransomware Attack on Maersk

Apparently Maersk has been cybered by some ransomware, and the Rotterdam Container Terminal as well as other things are offline right now.

Seventeen container terminals of APM in Rotterdam and other parts of the world have been attacked by hackers. It is a ransomware attack.

According to a source at APM Terminals, the container terminal arm of Maersk, which has its head office in Rotterdam, probably as many as 50 container terminals are down. "I was at the head office when the attack took place. Within an hour everything was down."

  — AD

A modest solution to a simple problem: Filter on X-Trigger headers in Gmail

I have a very simple problem. My Gmail is receiving mail with an X-Trigger header and I need to filter these messages (mark them as archived and as read, and label them into the “filtered” category).

Here is a sample:

$ cat t
X-Trigger: test
Subject: a test
From: (Kristian Koehntopp)

$ mutt -H t

Now, creating filters in Gmail is very easy for many criteria, but for some reason filters on arbitrary header lines are not possible.
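The filter logic Gmail's UI cannot express, as an added example that is not part of the original post: parse a raw message, look for the X-Trigger header (header names are case-insensitive and long values may be folded across lines), and return the three actions the post wants. The sample message is constructed after the mutt test message above; the action names are hypothetical labels for whatever client performs them.

```python
"""Header-based message filter, the kind Gmail's filter UI does not offer.

Added example (not from the original post). Decides what to do with a
message based on an arbitrary header such as X-Trigger.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple

# Constructed sample, modelled on the post's mutt test message.
SAMPLE_MESSAGE = """\
X-Trigger: test
Subject: a test
From: sender@example.invalid

body of the test message
"""

# Hypothetical action names standing in for "archive", "mark as read" and
# "apply the 'filtered' label" in whatever client carries them out.
FILTER_ACTIONS = ("archive", "mark_read", "label:filtered")


def parse_message(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message; policy.default unfolds folded headers."""
    return email.message_from_string(raw, policy=policy.default)


def trigger_value(msg: EmailMessage, header: str = "X-Trigger") -> Optional[str]:
    """Return the header's value, or None if absent.

    EmailMessage.get() matches header names case-insensitively, so
    'x-trigger' and 'X-TRIGGER' are found as well.
    """
    value = msg.get(header)
    return None if value is None else str(value).strip()


def filter_actions(raw: str, header: str = "X-Trigger") -> Tuple[str, ...]:
    """Return the actions to apply to a raw message: all of them when the
    header is present (whatever its value), none otherwise."""
    msg = parse_message(raw)
    return FILTER_ACTIONS if trigger_value(msg, header) is not None else ()


if __name__ == "__main__":
    print(filter_actions(SAMPLE_MESSAGE))
    print(filter_actions("Subject: no trigger here\n\nbody\n"))
```

Only the presence of the header is tested, not its value, which mirrors the post's requirement; restricting on the value would be a one-line change in `filter_actions`.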


The Cryptowars, twenty years ago

So there was this article in Motherboard, pointed out to me by a very young friend of mine. It’s an FBI memo written in 1995 during the Unabomber investigation, about a mysterious, close-knit group of gamers, playing D&D.

The article gives hardly any context at all, but that kind of memo during this time is not unusual or even remarkable, from a historical perspective.

So here is a bit of historic perspective, not quite in chronological order.

John Gilmore

A lot of this, from a US point of view, revolves around the person of John Gilmore. Gilmore was an early Sun Microsystems employee and hardware (VLSI chip) designer, and this part of his career made him financially independent. He’s also politically active, libertarian, and coined the famous saying »The Net interprets censorship as damage and routes around it.«
