
The Isoblog. Posts

WSJ on Government Backdoors, intentional and unintentional

The episode underscores the folly of the U.S. law enforcement demand that tech companies install backdoors into their devices and services.

the WSJ comments. This time the leak is an unintentional backdoor the NSA used to get onto devices. The NSA used the Vulnerabilities Equities Process to determine that ETERNALBLUE is burnt and informed Microsoft, which then promptly generated an urgent critical patch, which did not make it out to systems in the field fast enough.

According to the WSJ, there is little difference between flaws being used as government backdoors and intentional government backdoors, which may be detected and abused, or leaked. So this whole Wannacry(pt) thing is a very good example of what will happen with government-mandated backdoors in systems.


Rittal sends USB sticks that act as keyboards – as advertisement

Holger Köpke got a USB stick (article in German) that supposedly is from data center equipment maker Rittal, unsolicited, in the mail. Of course he did not plug it into a device; it could be anything.

He then (from his first comment in the same article) set up a test VM on a scratch device and inserted the USB stick there. The stick identified itself not as USB memory, but as a USB HID, a keyboard. It seems that he was right not to trust it. He sent a mail to Rittal explaining why he thinks this is dangerous, and asked whether this is indeed legit.

He got a response (another article in German): a letter as a PDF sent by email.


Language Pitch

Erik Bern did a fun exercise and analyzed the pitch of speakers in various languages: Apparently Dutch is substantially deeper than German (it is also louder, but he did not analyze that).

There was a very definite point when I realized that I had to change my voice to get to the next level with my accent. Oddly enough it was actually while studying German (my third language). It felt awkward at first to alter my voice to the point where I didn’t feel like it was myself talking. But on the other hand I could hear myself sounding so much more German (if you know what I mean). Having been through this transformation I decided to change my “English voice” as well.

 


Handling Wannacrypt – a few words about technical debt

So Microsoft had a bug in their systems. Many of their systems. For many years. That happens. People write code. These people write bugs.

Microsoft over the years has become decently good with fixing bugs and rolling out upgrades, quickly. That’s apparently important, because we all are not good enough at not writing bugs. So if we cannot prevent them, we need to be able to fix them and then bring these fixes to the people. All of them.

The NSA found a bug. They called it ETERNALBLUE and they have been using it for many years to compromise systems.

In order to be able to continue doing that, they kept the bug secret. That did not work. The bug is now MS17-010 or a whole list of CVE entries.

The NSA told MS about the bug when they learned that it had leaked, but not before. Microsoft patched the bug in March 2017, even for systems as old as Windows XP (which lost all support in 2014), but many people did not install the patch.

The result is “the largest cyberattack in the world”.


Fietsbagger in Amsterdam

»Each year Waternet, Amsterdam’s Water Authority, fishes between 12,000 and 15,000 bicycles from the canals. The bikes were either discarded deliberately, or tossed in by hooligans.«


RTT-based vs. drop-based congestion management

APNIC discusses different TCP congestion control algorithms, coming from Reno, going through CUBIC and Vegas, then introducing BBR (seems to be a variation on CoDel) and what they observed when running BBR in a network with other implementations.

TCP congestion control algorithms try to estimate the bandwidth limit of a multi-segment network path, where a stream crosses many routers. Each segment may have a different available capacity. Overloading the total path (that is, the thinnest subsegment of the path) will force packet drops by overloading the buffers of the router just in front of that thin segment. That in turn requires retransmits, which is inefficient and has nasty delays.

To make matters more complicated, the Internet is a dynamic environment and conditions can change during the lifetime of a connection.
