Slashdot Mirror

← Back to Stories (view on slashdot.org)

Watch a Cat Video, Get Hacked: the Death of Clear-Text

Posted by Soulskill on from the internet-doomed dept.

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

5 of 166 comments (clear)

  1. https is useless by bbn · · Score: 5, Insightful

    What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

    1. Re:https is useless by gameboyhippo · · Score: 5, Insightful

      Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

    2. Re:https is useless by PopeRatzo · · Score: 4, Insightful

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

      Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

      I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

      No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

      --
      You are welcome on my lawn.
  2. Re:This is just evil. by mysidia · · Score: 5, Insightful

    Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

    No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

    It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

  3. Re:This is just evil. by LordLimecat · · Score: 4, Insightful

    Its running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

    "Executing structured code" perhaps?