Slashdot Mirror


Watch a Cat Video, Get Hacked: the Death of Clear-Text

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

7 of 166 comments

  1. https is useless by bbn · Score: 5, Insightful

    What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

    1. Re:https is useless by gameboyhippo · Score: 5, Insightful

      Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

    2. Re:https is useless by PopeRatzo · Score: 4, Insightful

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

      Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

      I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

      No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

      --
      You are welcome on my lawn.
    3. Re:https is useless by Altrag · Score: 3, Insightful

      What's inconvenient for them is often impossible for us. Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac. Indie games tend to be somewhat better for this but most casual gamers just want the big name games.

      And it gets even worse in a business environment where you often have software restrictions imposed on you by corporate policy and frequently by the fact that you need to interact with vendors/customers who use Windows-only products.

      "Just stop using Windows" is a stupid catchphrase. It's like trying to end starvation by saying "just give them food." Actually it's worse because food is a pretty good solution to starvation whereas it's pretty unproven that FOSS software is "objectively" safer than closed software (I mean it's probably true, but until Linux becomes a significant hacking target, we can't say definitively that the lack of exploits is due to better software rather than due to fewer people attempting to exploit it.)

      Similarly with Facebook. It's the "state of the art" in social media because of absolutely nothing to do with privacy protection. In fact a lot of its popularity was initially based on its _lack_ of privacy considerations -- "Facebook stalking" and such activities. I mean that probably wasn't the main driving factor (being fresh and simple right around the time that Myspace was bloating itself out of existence is likely the biggest contributing factor. I doubt FB would have gotten as big as it did if Myspace had stuck to being a site people actually enjoyed using rather than letting themselves be overrun by commercial interests.)

      And lastly protocols. Protocols are king. If TOR or similar ever comes out with a product that you can just install and "it works," then we might be getting somewhere. I mean "it works" as in it starts up with Windows, and immediately funnels all traffic through its own pipes and doesn't significantly impact the speed of watching a cat video on YouTube and basically in all ways stays the fuck out of the way. If it can get to that level, we might see some better adoption. As long as it's something you have to consciously connect and disconnect and slows down your connection by 50% and whatever else, it won't pick up widespread adoption. Look how long it's taking IPv6 to get off the ground and it's got built-in support by every major OS and network equipment provider! (Disclaimer: I haven't used TOR myself in a few years so I don't know how close to this ideal it's gotten.)

      At the end of the day, the real problem isn't Windows or lack of encryption or any other technical issue -- the problem is that 90% of the population doesn't care. Or I should say, doesn't care _enough_. We care enough to sign online petitions and shit that's easy to do in the hopes that someone who has more time on their hands will be able to make a difference (openmedia.ca up here in Canada is a great example of an organization that has taken the "enough" qualifier to heart and used online petitions to make significant changes in the way our government treats privacy and other online issues.)

      But on their own? Most people are too busy to worry about things that have a very low chance of ever impacting them directly. It's one thing for the NSA to tap a billion email accounts. It's another for them to filter through that data and pick targets. Yes everyone gets uppity when they pick a target wrong, but unless that target happens to be "me", most people have jobs and families and other things to do than worry about it for longer than it takes to exclaim "damned go'ment!"

      TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

  2. Re:This is just evil. by Noah Haders · Score: 3, Insightful

    Rendering HTML isn't "executing arbitrary code" in any meaningful way.

    "I disagree" -- hackers.

  3. Re:This is just evil. by mysidia · Score: 5, Insightful

    Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

    No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

    It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

  4. Re:This is just evil. by LordLimecat · Score: 4, Insightful

    It's running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

    "Executing structured code" perhaps?