The problem is that scanners support multiple communications protocols so they can be sold to a wide variety of clients, and the scanners' configurations can be changed via barcode without first asking for permission.
Your attacker can see that you're using a DS-6878 scanner with a USB cable, so he opens his phone's browser to this page of the manual, http://www.manualslib.com/manu... and displays the barcode to configure a North American keyboard. Once scanned, as far as Windows knows someone just plugged in a new USB HID Keyboard device. None of the old configuration settings matter any more, and your bulletproof application may not even be notified that its scanner has been hijacked.
He then scans a few more configuration codes so that he knows his codes will be properly effective, perhaps something like Send Barcodes with Unknown Characters (page 67), and finally a control sequence to open a URL to downloadevilvirus.com/infect.htm. Pwnage ensues.
One problem with this solution is there are still some Windows native apps that are pixel-based instead of percent or resolution based. We have a 15.6" laptop with a 3840x2160 screen, and have encountered a couple of apps that now display in impossible-to-use resolutions.
For example, QuickBooks displays a page of instructions in a tiny window that I can literally cover with my thumbnail. The minimize/restore/close icons at the upper right corner of each window are less than 1mm high, and very difficult for my wife to click on with the trackpad. Their official "fix"? Crank the resolution of the screen down to 1024x768, and learn Ctrl-F4 and Alt-F4! So because they don't know how to code, it's their users' fault for buying a nice screen. If this was the only dumb-ass arrogant thing Intuit ever did, I could forgive them for not catching up to 2003 usability standards, but it's far from their first episode of "all you damn customers suck." I need a new bookkeeping package from someone who is not Intuit.
"this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?
If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.
Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.
The circumstances all seem pretty similar to me.
On your iPhone, go into Settings / General, select Profile, then look at the profiles that have been added. A stock iPhone has none. If you have an ISP who adds a cert that allows you to connect to their hotspots, you may see that here. If you have installed your company's MDM, perhaps a product like AirWatch, that will show up here. If you see something you don't recognize, that's when you need to do some research.
Inside the profile you can view the certs it installed. A WiFi cert will list what it can do: be wary if it includes a proxy.
None of my plugins are dead, and my old add-ons appear to all be working, too. That's really important to me, because the only reason I use Firefox is for the value added by the add-ons, especially NoScript, Ghostery, PrivacyBadger, AdBlock, and FlashBlock. It seems like Mozilla has finally figured out how to stop changing the add-on API with every damn release, for which I am very grateful. I used to have to wait a long time to find out which of my old extensions would need upgrading before updating Firefox. Or I'd spend a day editing a handful of XPI files to change the supported version numbers, because the changes were never actually dependent on the app version. But it's all fixed now, so that makes me happy.
There's only one toolbar button you'll really want to get rid of, some stupid "share" button shaped like a paper airplane.
One piece of shit they've left in is the broken UI idea that tabs should be above the toolbars and bookmarks. Tabs represent windows and should be associated to the display window itself, not to the container. It's one of those usability factors that makes Chrome suck so bad, yet here comes Mozilla to copy someone else's stupidity. Sigh.
I'm especially looking forward to the TARDIS ride back to 1989 when this CON might have mattered. I hear it's bigger on the inside.
TL;DR version: s/BSD/Firefox/*
I just used Help/About to update Firefox on this 64-bit Windows 10 machine, and can verify it works.
OFF TOPIC: I was thinking weasels, too!
It was also kind of weird typing "kitten stomping day" into google (fearing there might already be one) and guessing at which kinds of watch lists I've no doubt been added to as a result.
Linus could stomp kittens flat and I wouldn't care, as long as that kitten-stomping was in the pursuit of making the Linux kernel better.
To be fair, next Thursday is Finland's national Kitten Stomping Day, so it might not be purely in pursuit of improving the kernel.
This certainly isn't their only cool act of public service, either. I saw one of the Dutch guys presenting an interesting topic at Black Hat: How to preserve a powered on system during a raid using mouse jigglers and UPSes, and collecting forensic evidence while preserving chain of custody, good practical advice. The BH crowd eats that stuff for breakfast, but he was providing info that is useful to help train non-technical officers executing a warrant.
I would be surprised if they wipe the keys as fast as the countdown timers claim. Once they wipe a key, they can make 0 money from it. It would be smarter to threaten to jack the rates: "pay us by Tuesday or we double the ransom."
These guys provided 14,000 keys to Dutch law enforcement. It sure sounds like they didn't wipe them.
Use of Tor in America is already practically proof of guilt, they just have to figure out whether to hang drug charges or child pr0n charges on your guilty ass. They have pre-determined the only people who really need the anonymity it provides live in officially recognized repressive regimes, either Myanmar, Iran, or Afghanistan.
This is a large part of the problem. More often than not these issues stem from people trying to roll their own time handling code / int'l address code / i18n / etc rather than using one of the standard (and well-tested) libraries available in their language.
Time is hard to get right, addresses are hard to get right, i18n is hard to get right. Don't roll your own. There's a thousand edge cases you haven't accounted for.
That may be fine advice for time formatting and time stamp storage routines, but how a system should behave when its reference time is altered is a business logic decision. I might be working on a response time routine for approving credit, while you might be working on lag time between players in a FPS game; neither of which is a problem that's solved in a library. And if you think that Kerberos and LDAP systems handle this stuff properly today, you're also in for disappointment.
Some of this stuff still needs answers. Trying to ignore reality by chopping out leap seconds isn't the right one.
We need to change how we keep track of time, in a way that isn't linear.
Asynchronous clocks! I love this idea! Instead of every system implementing its own real time clock, every computer on the planet will instead constantly poll a universal clock service, and supply that digitally signed millisecond to all of its processes.
The truly sad part is that I know there's some SaaS weenie out there who fervently believes this is a good idea.
You're confusing automotive engineering, software engineering, and security engineering. With automotive engineering, you can produce V1.0 of a car, and as long as it gets the occupants from A to B most of the time, it's good enough. Later, you realize it's not very fuel efficient, so you iterate upon it and release v2.0. You then discover some component doesn't wear well, and redesign it for v3.0, perhaps add some safety equipment, improve crash survivability, etc.
With software engineering, you similarly release v1.0 because it's good enough to get the job done. However, there is now an entire industry built upon crime that exploits these applications, and your v1.0 is on the front line facing an army of professional opponents (literally including a division of the actual Chinese Army.) And these opponents are all untouchable with respect to the law. Your opportunity to iterate slowly, like the automotive engineers enjoy, doesn't exist in this environment.
And the advice for app developers regarding security is loudly "don't roll your own!" So they incorporate other libraries which have their own flaws. They rely on documentation tools and installers that have flaws. They're installed on OSes that have flaws, and hosted on flawed web servers written in flawed languages. Every one of those flaws is available to the army of attackers.
And security engineering looks at the whole mess and tries to keep the whole collection of flaws pointed in the direction of least vulnerable.
Imagine how different automotive engineering would be if the ability to exploit a fender-bender or a flat tire would allow the risk-free theft of thousands or millions of dollars from a bank. If cars started out that way, we'd still be walking.
And yet the jobs these apps do are so valuable they're used and relied upon by billions of people, despite their flaws. So they will keep getting shipped, flaws and all, while the rest of us iterate upon them, trying to fix them. Is it insane? Doesn't matter, nobody is clamoring to return to the pre-Internet days.
Fair enough, but candidly, I just assume any searches I perform without cloaking are accessible to any number of interested parties.
And you might want to take extra care there, too. How effective is your "cloaking"? Are you randomizing your wireless MAC when you fire up Tor at the coffee shop that is 0.34 km from your house? Are you sure your machine isn't leaking all kinds of traceable info when it connects? Is the Tor session at the coffee shop usually accompanied by a connection attempt from an iPhone reporting its name as "rmdingler's iPhone"? Does the coffee shop have a camera?
There's paranoid, and not paranoid enough.
So people write crappy code and rely on it without adequate fault tolerance strategies and that's somehow the problem of people who measure time? I think not.
And I wouldn't want to battle the corruption in NYC to do business there, either.
Oh, sorry I missed your category.
And brothels.
IDEs like Eclipse and Visual Studio are not rubber safety bumpers for beginners. They're productivity enhancers for professional developers. But because they have 'icons' and 'wizards', people often equate them with "no training required" programming tools like Lego brick language.
Of course, many of these people can't tell the difference between "scripting if statements 'til it works" and software engineering, either.
I remember learning a bit about state toggles on Dr. NIM, a marble game in the 1960s, but didn't yet have the basic skills to come up with a state table for the full game. (Hey, I was 4 years old.) Unfortunately, Dr. NIM passed away like so many other toys from the era -- tossed by parents in one of those terrible cleanings.
About 25 years ago, when my son was 3, I gave him a binary based marble color sorting game, and we played with that for a long time. It had no internal toggles or states other than the sliders the player would set, but he learned 4-bit binary at a tender age. We both held a special place for that toy, though, so he always made sure to hang onto it through the cleanings all parents must do. Somewhere in one of his storage totes it awaits the rite of passage to his offspring, and a fourth gen computer hacker will no doubt emerge.
They run around and talk too fast, but the effects soon wear off.
I've found a good place to practice simplification skills is to spend some time editing articles on SimpleWiki http://simple.wikipedia.org/
By limiting your vocabulary to simple words, you really have to capture the essence of the thing you're describing. Other resources for details still exist outside of the simple wiki if the reader needs them. And there is a never-ending supply of badly written articles that can use your help.
I think the most dangerous aspect is that this protocol has no way to revoke keys. That means "break once, profit everywhere."
If one terminal is successfully compromised and its private key is lost, every card with a lost key is subject to the compromise of all traffic, past, present, and future. That means if you are using it to guard an access door to a venereal disease clinic in some small town in the outback, it may contain the private key granting access to a central building guarding all national health data. Now you have to protect each and every reader as if it's made out of pure gold, even if it is only guarding Crocodile Dundee's urine samples.
Cryptographic protocol development needs to be an iterative process, because flaws are so difficult to find, yet can have devastating impact. The ISO is stuck in the old world of civil engineering, where "if it works today, it's good enough for tomorrow." That fails utterly for security engineering.
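Added example, not part of the comment above and not the protocol it discusses: a constructed Python model of the "break once, profit everywhere" point, comparing a reader fleet that shares one unrevocable key with one that uses per-reader keys and a revocation list. The door names, the HMAC challenge-response and the class and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed door/reader identifiers, for illustration only.
DOORS = ["clinic-outback", "regional-office", "national-records"]


def tag(key: bytes, door: str, nonce: bytes) -> bytes:
    """A reader's response to the backend's challenge for a given door."""
    return hmac.new(key, door.encode() + b"|" + nonce, hashlib.sha256).digest()


class SharedKeyFleet:
    """Every reader carries the same key and nothing can be revoked."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def reader_key(self, door: str) -> bytes:
        return self.key

    def verify(self, door: str, nonce: bytes, response: bytes) -> bool:
        return hmac.compare_digest(tag(self.key, door, nonce), response)


class PerReaderFleet:
    """Each reader holds its own derived key; the backend keeps a revocation set."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # stays on the backend only
        self.revoked = set()

    def reader_key(self, door: str) -> bytes:
        return hmac.new(self._master, b"reader|" + door.encode(),
                        hashlib.sha256).digest()

    def revoke(self, door: str) -> None:
        self.revoked.add(door)

    def verify(self, door: str, nonce: bytes, response: bytes) -> bool:
        if door in self.revoked:
            return False
        expected = tag(self.reader_key(door), door, nonce)
        return hmac.compare_digest(expected, response)


def blast_radius(fleet, leaked_door: str) -> list:
    """Doors where a response computed with one reader's leaked key is accepted."""
    leaked = fleet.reader_key(leaked_door)
    accepted = []
    for door in DOORS:
        nonce = secrets.token_bytes(16)
        if fleet.verify(door, nonce, tag(leaked, door, nonce)):
            accepted.append(door)
    return accepted


if __name__ == "__main__":
    shared, scoped = SharedKeyFleet(), PerReaderFleet()
    print("shared key     :", blast_radius(shared, "clinic-outback"))
    print("per-reader key :", blast_radius(scoped, "clinic-outback"))
    scoped.revoke("clinic-outback")
    print("after revoke   :", blast_radius(scoped, "clinic-outback"))
```

In the shared-key model the only remedy after a leak is re-keying every reader, which is the cost the comment attributes to a design without revocation.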