Interesting report of stolen Bitcoins, a phishing scam involving a Google ad. I just confirmed that the phishing ad is still running on Google on a search for blockchain.

The ad says the URL goes to blockchain.info. The URL displayed on mouseover on the link is to a Google redirector, goo.gl/vL2zmr. But when you click the link you go through a few redirectors and end up at blockchain-info.consulpisos.com, which is allegedly a phishing site. It sure looks suspicious; that page goes straight to a “type in your password” page, which the real site hides behind several clicks.

I don’t much care about the Bitcoin part of this, but Google should really not be selling ads with fake URLs on display.

techbad
  2014-06-07 15:45 Z

There are two terrible web properties out there that everyone hates, Scribd and Quora. Please don’t use them. Instead of Scribd just host a PDF anywhere, or upload text to pastebin or make a nice blog on WordPress or Medium or something. And instead of Quora use Ask MetaFilter or StackExchange.

Scribd’s business model is to host documents in formats that are unusable. For instance, here’s a copy of the Declaration of Independence. Or rather, the free preview; you have to download it to read the rest and a one-day guest pass costs $9. Here’s a copy of Elliot Rodger’s insane manifesto. It starts “This is the story of how I, Elliot Rodger, came to be.” Only I had to retype that phrase; if I copy-and-paste I get “]fjs js tfh stgry gl fgw J, Hccjgt Tgmahr, eknh tg dh” because Scribd uses some stupid DRM font. Easy enough for a pirate to reverse engineer but impossible for normal use. They also broke “Find”; there’s some Javascript thing overriding the browser that doesn’t seem to work.

Quora’s business model is to trick people into sharing information for free, then put it behind a login. It’s like Experts Exchange 2.0! For instance, on Quora you can read Who owns the copyright on content contributed to Quora? Only you can’t just read the text. Depending on your history with the site and the way you got there you may see a giant popup demanding you log in obscuring the page, or the first answer clear and then the rest blurred, or if you're lucky just the page. It appears nondeterministic.

Both businesses are deliberately trying to lock up text content to make it harder to access, to force users to pay or share advertising data or some such bullshit. The part that kills me is some engineer actually wrote code to deliberately break document sharing on the web. It’s terrible.

Update: the Quora CEO responded on Hacker News to correct me that Quora neither runs ads nor charges users. At the moment, they apparently have no revenue.
techbad
  2014-06-02 20:23 Z

Seven years ago I wrote about XML security problems, the XXE vulnerability. This flaw is the gift that keeps on giving: someone exploited Google with it this month.

XML is a ridiculously complicated data format. And XML parsers implement all the features, including the obviously dangerous and useless ones. And engineers keep forgetting to turn those features off. It’s just terrible.

techbad
  2014-04-11 18:29 Z

League of Legends has a serious security problem: denial of service attacks. Some of these attacks are against the game as a whole and bring down the whole system. Presumably Riot can eventually protect their servers from that. Worse are targeted DDoS attacks against single players; it’s not clear they can defend themselves

The motivation for attacking individual players is ugly. The game is very competitive at the highest levels of play, with prize money and pro careers on the line. Knocking an opponent offline or just lagging them is enough to get a win. Even if the game is thrown out as invalid a DDoS is still way for a losing game to be converted into a tie.

There are guides on how to avoid being a DDoS victim. They boil down to “don’t reveal your IP address”, which in practice means “don’t use Skype from your real IP”. VPNs, playing only from Internet cafes, etc are other options. But these are minimal solutions at best; hiding your location from the world is really difficult. There’s new rumors the whole IP identification part is entirely automated and foolproof.

I don’t really know how a normal Internet consumer can protect his ISP from being knocked offline with a DDoS. It’s an ugly situation.

techbad
  2014-03-11 21:35 Z

Apple totally screwed up SSL with a fundamental bug in their certificate checking implementation in both MacOS 10.9 and iOS 7. Every consumer iPhone, iPad, and Macintosh running recent versions of their OS is vulnerable. My understanding is SSL certificate checking basically does not work and any secure site can be spoofed with a man-in-the-middle attack. It’s about as deep a flaw as it goes. There’s a patch for iOS out but not yet for MacOS. You can test if a browser is vulnerable here.

The bug boils down to a simple typo in the code, the good ol’ C gotcha that indentation doesn’t match control flow. Bugs like that happen in C. What’s alarming is Apple didn’t catch the bug; not with a lint tool, not in code review, not in unit testing, not in integration testing. No aspect of Apple’s software development process caught this bug before releasing it to millions of users. That’s terrible engineering practice; in a critical security library it’s outright negligence.

At the moment MacOS users are entirely vulnerable and there’s no fix. In the past Apple has taken many weeks to fix critical bugs in things like Java, hopefully they’ll be faster here. Using Chrome instead of Safari will insulate you from malicious web servers, Chrome wisely has its own SSL implementation. But a whole lot of other Mac software is relying on the broken certificate library, presumably including Apple’s own software update system.

Nice of Apple to publish the exploit before the fix.

techbad
  2014-02-22 17:09 Z

RSA Security (part of EMC) was one of America’s most respected security companies. Thanks to Edward Snowden, we now know the price of their reputation: $10 million. For that tiny sum RSA sold out their customers, deliberately installing a compromised random number generator in their core security library BSafe at NSA’s request. For $10M, a company’s reputation destroyed.

The nature of NSA’s sabotage is worth looking at in detail. We knew back in 2006 that Dual_EC_DRBG, a NIST standard crypto random number generator, was fishy. That algorithm has baked into it an arbitrary constant; two Microsoft researchers figured out that if an adversary had chosen that constant, then the numbers were predictable and any system built on it was insecure. Snowden’s leaks confirmed in Sep 2013 that this backdoor had been placed. And now in Dec 2013 we know the price: $10M. (Interestingly, one old-school cypherpunk knew the price back in September).

It’s worth noting that RSA’s complicity with NSA is not their only enormous security black eye. Back in 2010 their flagship SecurID two factor login system was also widely compromised, it’s assumed by the Chinese government trying to get military and commercial access to US and European interests.

Open source ends up looking good in all this mess. NSA has probably attacked other random number implementations. There was a weird push from Intel to get Linux to completely trust their undocumented hardware generator, something resisted by the Linux team (thankfully). And OpenSSL, the open alternative to RSA’s library, doesn’t use the compromised algorithm (although their code has had its problems).

I remain indignant that NSA is willfully going around deliberately sabotaging the security of core Internet components. Even if you believe it’s good for NSA themselves to be able to break all encryption, it is so dangerous to have back doors like this hiding in systems. NSA is actively undermining everyone’s security.

techbad
  2013-12-26 11:25 Z

Here’s something ugly, the whois response for pirate book site readanybooks.net. Below is an extract of the interesting parts that both MacOS and Debian’s whois display.

$ whois readanybooks.net

   Domain Name: READANYBOOKS.NET
   Registrar: XIN NET TECHNOLOGY CORPORATION
   Whois Server: whois.paycenter.com.cn
   Name Server: RICK.NS.CLOUDFLARE.COM

Billing Contact:
  Name           : li xiaoing
  Email          : jr361005@126.com
<script src=
  "http://img2.xinnet.com/d/js/acmsd/thea178.js">
  </script>&nbsp;

Huh? What’s an HTML tag doing in this whois response? And under what circumstances might that script tag be executed? I can imagine a naïve Web interface just injecting that script wholesale into my browser. Every way I load the referenced script it seems benign (right now), but that’s an attack vector waiting to happen.

techbad
  2013-11-15 16:44 Z

Another reason to end passwords as a method of authentication is the poor usability of strong passwords on mobile devices.

  1. Typing a strong password like xry7s6Dx26Pz is nearly impossible on a mobile keyboard, particularly since for some dumb reason I can’t even see it when I type.
  2. I can’t use a password agent like LastPass effectively on iOS because there’s no way for it to plug in to Mobile Safari. I’m stuck awkwardly copy and pasting passwords between the LastPass app and Safari, having to type my master password every time. LastPass does have its own baked-in browser but that’s far too limited on iOS.
  3. Trying to log in to other apps pretty much requires copy-and-paste of the password, since there’s nothing like a pluggable authentication framework.

Sorry if this is stating the obvious, but the lack of usability of strong passwords on my iPhone and iPad is a big part of why I don’t log into sites on mobile devices.

techbad
  2013-09-10 15:24 Z

Google has reduced itself to outright spamming users to promote its products. Here’s a screenshot of an email I got today about Google’s failing payments product, Google Wallet. Note the footer, the email is marked “You have received this mandatory email service announcement to update you about important changes to your Google Wallet account”. What are those important changes?

  1. A call for me to use Google Wallet more
  2. An ad for the Android version of Google Wallet
  3. The Google Play logo
  4. Logos for stores that accept Google Wallet
  5. A request that I subscribe to more Google Wallet ads

In summary: four ads for Google products, one ad for random other companies that happen to use Google Wallet, and zero important changes. I guess I should block noreply@wallet.google.com?

It’s cliché now to point out how disappointing Google, Inc. has become. But this seems bad even for the trend. All that’s missing is the “+1 on Google+” button.

techbad
  2013-09-04 15:25 Z

One of the great failures of the Internet era has been giving up on end-to-end encryption. PGP dates back to 1991, 22 years ago. It gave us the technical means to have truly secure email between two people. But it was very difficult to use. And in 22 years no one has ever meaningfully made email encryption really usable.

A big part of the problem is the architecture of Internet services. Most of us host our email on a third party server like Gmail or Lavabit or whatever. That makes true end-to-end encryption very difficult. Instead we have to trust our hosting service with access to our email, and as we find the government can compel them to rat you out (or simply break in).

We do have SSL/HTTPS, the only real end-to-end encryption most of us use daily. But the key distribution is hopelessly centralized, authority rooted in 40+ certificates. At least 4 of those certs have been compromised by blackhat hackers in the past few years. How many more have been subverted by government agencies? I believe the SSL Observatory is the only way we’d know.

The cypherpunks movement foresaw all of this surveillance risk. It outlined principles and technologies to protect individuals from both evil hackers and overreaching governments. It failed to actually implement it.

originally a Metafilter comment
techbad
  2013-08-20 15:59 Z