Comments

Clive Robinson April 16, 2021 11:54 AM

@ ALL,

With respect to,

“… there are four in Microsoft Exchange that were disclosed by the NSA.”

The question arises,

“Found by the NSA how?”

That is did they find them by their own internal research and release them to Microsoft?

Or did the NSA observe them in use by another nation and then release them to Microsoft?

Whilst the NSA have released the vulnerabilities to Microsoft, who in turn we assume have closed the vulnerabilities, hopefully without creating others. The question is an important one as it would inform us of a number of things, not least if there has been a change from offensive behaviour to defensive behaviour.

But if these four vulnerabilities released by the NSA to Microsoft have already been in use by, say, an alleged Chinese attack, and the NSA knew about them in advance, then it kicks away one of the arguments for stockpiling vulnerabilities by the NSA and other IC community entities, and importantly we hope before LEAs get into the game for their own nefarious reasons.

Fed.up April 16, 2021 1:51 PM

@Clive

Could it be that the US Gov has been busy fixing all of this MSFT havoc and noticed these exploits?

I’m not looking to argue. We are all entitled to our likes and dislikes. But I don’t see how you can infer that MSFT trauma is NSA’s fault. I’m personally going through hell due to it.

Jeff Bezos said this today:

“If you want to be successful in business (in life, actually), you have to create more than you consume. Your goal should be to create value for everyone you interact with. Any business that doesn’t create value for those it touches, even if it appears successful on the surface, isn’t long for this world. It’s on the way out.”

While I wonder what prompted him to say this to Amazon Shareholders, I think it is brilliant commentary nonetheless.

I have faith in General Nakasone, the head of the NSA and thank him for keeping us safe. 20 years ago we promised to “Never Forget”. I’ve not. I say this as a Privacy Advocate. I think Privacy starts with corporations understanding the need for it. So far, they’ve not gotten that these attacks are solely due to lack of Privacy laws.

JonKnowsNothing April 16, 2021 4:25 PM

@Fed.up

re: Mr Bezos said a lot of things …

“If you want to be successful in business (in life, actually), you have to create more than you consume. Your goal should be to create value for everyone you interact with….”

Nice intention not backed by anything concrete…

I cannot think of anything that Amazon has created that “created more than they consumed” or “created anything of value [for me]”…

Create more == increase demand by any means possible
Create value == a set of artificial measures that transfers wealth to Bezos+Co

The time test:

  • What did you buy 10 years ago from Amazon that still has value?
  • What did you buy 5 years ago from Amazon that still has value?
  • What did you buy 1 year ago from Amazon that still has value?

Repeat for any company or entity claiming to “create more than consumed” or claim they create anything more than ephemeral value. (1) (2)

1, Not really possible in most physical objects, because the Full Life Cycle is not included. We go only part way in determination of outcomes. End Cycle, Full End Cycle beyond the trash dump is not included. You might pay a disposal fee but it never includes atom-to-atom conversion.

In my middle part of California we, the consumer, pay an electronic disposal fee. No company that mines, smelts, assembles or sells a product, takes full ownership of the end-to-end process.

2, The economic future is in doubt because one thing COVID-19 lockdowns have shown us is how little we need from companies like Amazon. Yes, they have provided an important service (which is labor) but do they provide more than a source of cheaper and cheaper labor? Many governments are literally banking on consumers Marching thru to High Street, to spend what money they have on TBDs.

===

ht tps://mainlynorfolk.info/lloyd/songs/theeclipse.html

[ Roud 5650 ; G/D 1:14 ; Ballad Index GrD1014 ; trad.]

In the year of Queen Victoria’s jubilee, [1897], the steamer Eclipse of Stonehaven went fishing in the Arctic with her sister ships the Eric and the Hope. Her captain, David Gray, was one of the greatest of nineteenth century whaling skippers.


[due to over whaling the ships caught only a few whales]

a bonus of only one-and-threepence a ton for oil. Her crew felt the trip had hardly been worth the hardship, and they marched through the streets of Peterhead to tell the owners so.


We’ll march up to the Custom House where we do all sign clear,
And when we face old Bless-My-Soul we’ll tell him without fear.

We’ll tell him that we’ll never sign again for one and three,
And we’ll march through Commercial Street and sing the jubilee.

(url fractured to prevent autorun)

xcv April 16, 2021 4:46 PM

@ JonKnowsNothing

be successful in business (in life, actually), you have to create more than you consume

So in other words I’d be more successful if I worked harder and allowed other people to consume the fruits of my labor.

There’s nothing wrong with being hardworking and thrifty and all that — but you need to be honest about it — slavery is not the way to success.

Clive Robinson April 16, 2021 6:08 PM

@ Fed.up,

But I don’t see know how you can infer that MSFT trauma is NSA’s fault. I’m personally going through hell due to it.

You are looking at it the wrong way.

Microsoft made the mistakes, I assume without anybody’s help[1]; they appear to be quite good at that sort of thing, even though Bill Gates has on a couple of occasions tried to sort it out.

What I’m questioning is how long had the NSA known about these vulnerabilities?

That is,

1, Did the NSA find them and immediately pass them on.
2, Did the NSA find the vulnerabilities because they saw others using them and then passed them on.
3, Did the NSA just sit on them waiting to use them themselves.

If it’s 1, then they have certainly changed their behaviours; if so, good on them. However if it’s 2, then they behaved responsibly. But if, as no doubt many suspect, it was actually 3, stopped by 2, then that is not good, not good at all, but is in keeping with NSA earlier behaviours putting attack over defence.

As for you “going through hell due to it” well that is down to Microsoft, unless of course what some suspect about bug-doors[1] is true.

Personally unlike you and many many others, I’ve no real skin in this part of the game. Thus I have a degree of freedom others do not as my nose has not been forced up against the grindstone. Part of that freedom is to sit it out, and fairly dispassionately watch it out, analysing[2] “Means, Motives & Opportunities” of the respective players, and observing for changes in their MO’s.

Look on it like you would a form of “traffic analysis”; for years it’s a skill that has enabled me to stay well clear of foul winds. Yes, people thought and still do think I’m paranoid, but given time the lonely trail I’ve broken becomes a busy highway of people trying to get away from surveillance and the like[3]. Which only goes to prove there is a germ of truth in the two sayings, one by Joseph Heller and the more modern one from the writers of “Person of Interest”,

“Just because you’re paranoid doesn’t mean they aren’t after you.”

“It’s not paranoia if they’re really out to get you.”

With regards “Jeff Bezos said this today” I raise you,

“If you’re wrong, you will die. But most companies don’t die because they are wrong; most die because they don’t commit themselves. They fritter away their valuable resources while attempting to make a decision. The greatest danger is in standing still.”

From Andrew S. Grove, in “Only the Paranoid Survive: Lessons from the CEO of Intel Corporation”.

[1] Though increasing numbers suspect that the NSA might have moved “finessing” from putting backdoors in standards (which they were definitely caught red-handed at) into US corporates, either with or without those running the corporates knowing, to create bug-doors. My view is we know the FBI and various prosecutors have SWATed company owners of small businesses to try and put back doors into products destined for outside the US, because one developer was so incensed he went public.

[2] For my sins I’ve been taught by various people to analyse information, including myself… I started quite young, before my teens, doing things like teaching myself how to pick locks, as an extension to making Halloween scars and the like; I worked out how to make reliable fake fingerprints (though I was beaten to it by Arthur Conan Doyle, see “The Adventure of the Norwood Builder”, by about seven decades). Whilst at school it was clear I had analytical interests in physics, and in how I managed to find such inventive ways to get into trouble I was not punished. I developed a lifelong interest in testing techniques because my father wanted to be an engineer but instead went about as far as you could professionally in accountancy, thus his delight in and funding of my hobby gave rise to a small repair business that paid me rather more than pocket money. That led on to pirate radio and thence on to college, amateur radio and many other qualifications that are hobby related. On going into “Her Maj’s Service” my “oddness” got recognised and my analytical skills were developed. Then there was the research side of academic work, which continuously got subsumed by “work interests”. Thus once you have the “Thinking Hinky” bug it’s something that just will not stop. Gift or curse I’ll let others decide, but it has stopped me being as successful as I might otherwise have been, as I kept crashing into others’ “NIH” and “Golden Goose” issues and, like a terrier worrying a shoe, I would not let things go (but at least I feel honest).

[3] Having worked professionally in the surveillance game, both as a “contractor” and systems designer, it has given me quite a “weather eye”. Which is why my measure of what is being done is not that of what is a form of cognitive bias, but a good solid “Is it within the laws of physics as we currently understand them”.

Fed.up April 16, 2021 8:26 PM

@Clive

Did you see this video of terriers chasing a bear? I think the first one is a Yorkie https://www.youtube.com/watch?v=xSTzUZZEDTk

I relate to that dog. Bears never frighten me. Snakes are another story. With a bear you can see what you are dealing with. They don’t sneak up on you. We all like to know what we are dealing with. But in this situation I don’t think anyone knows what is truly going on until they tell us the truth.

I’m having flashbacks to the late 90’s when I was happily working for one of the biggest phone companies in the world. Lots of cutting edge technology and very pleasant place to work. But I was in tech. The retail and service side of the business was a different story. Consumers hated the phone company so much in those days it was physically dangerous for me to admit where I worked. If someone asked at a party I made something else up.

If you don’t serve your customers at some point they rebel. No one imagined in 98 that the phone company I was working for would cease to exist within 3 years. Very few had a cell phone then. We were in 17 states and within a few months 30,000 laid off and 50,000 followed in another 2. But that’s why antitrust is so important. Hopefully these incidents spur new entrants and new technology. I love Microsoft products but the spying they do (on Corp customers too) puts the NSA to shame. Their failure to exercise restraint will now lead to regulation. New laws and new competitors. And it won’t just be breach laws. I think we are about a month away for this shoe to drop.

Maybe email shouldn’t be transmitted. Maybe we should instead send links to where that message can be viewed. It may be easier to protect and govern that way. Viewers can request permission to retain the view if necessary. But if they do it isn’t OCR readable text. Senders can set for self destruct if sensitive. We need more control over our data. Right now no one – corporate or consumers – has any. We’ve been putting the rights of surveillance spam over humans and national security. I think Hey email by Basecamp is going in the right direction. Only whitelisted gets through. Email is a privilege, not a right.

Fed.up April 16, 2021 9:51 PM

@JonKnowsNothing

I did a lot more business with Amazon a decade ago. It doesn’t deliver to my home because I have no mail delivery. I almost never pick up my mail at the post office, so it wouldn’t be practical for me to order anything.

But in the time of Covid what do I need or want? Basically nothing but food.

What do I want? Funny TV shows. Amazon should make funny series. I have no desire to watch anything that’s not humorous. I think a funny show would be about people’s relationship to Alexa and Google. Especially now in Covid for those living alone, it might be their only source of companionship. My Aunt has fights with them. I envy her a little bit. That she can live with such abandon and doesn’t care about privacy.

Rob T April 16, 2021 10:03 PM

@Clive Robinson

That is did they find them by their own internal research and release them to Microsoft?

Or did the NSA observe them in use by another nation and then release them to Microsoft?

Probably NSA got some new means to get the same data as previously and decided to give these “holes” back to Microsoft. Probably they had gained too wide a worldwide popularity.

JonKnowsNothing April 16, 2021 11:24 PM

@Fed.up

Much the same here. Silicon Valley seems so long ago, fading from the rear view mirror.

There was a time, I spent hours at Fry’s Electronics (1), in the early days when they sold electronic parts. If you needed a transistor or resistor they were the place to go. Hand soldered motherboards made magic happen.

In the early days of Amazon, they brought goods from other parts of the world and made them available to everyone. It was a time when starched white shirts and pocket protectors gave way to pups in cubes, shorts, sandals and bicycles stacked against the movable walls.

Now, there isn’t much left to wonder at, only a wonder about “what happened”?

1, Fry’s Electronics is no longer in business. During their business years the company morphed many times. Its last gasp was as a department store selling Nothing Special.

Weather April 17, 2021 12:26 AM

@all
I’ve posted this before, but with WinXP you could alloc a malloc heap with 0x7be8000-7eff0000 and if the code wasn’t watching, a if )0 was checked it would pass but not be allowed, guess what happens next…

@mod
Test >

I still haven’t worked out why they would do that?

SpaceLifeForm April 17, 2021 3:51 PM

@ Rob T, Clive, Weather

The answers are ‘yes’.

They have the source and built Ghidra.

How many compiler toolchain MSVC bugs do you think they have found but you never heard about?

Thus, the importance of having diverse toolchains. It is the best, and probably only way to really find compiler and/or linker problems.

Because you can compare binaries.

You build with a MSVC toolchain, a GCC toolchain, and a Clang toolchain.

Then, you compare notes. Binary notes. Using Ghidra.

SpaceLifeForm April 17, 2021 5:25 PM

@ Rob T, Clive, Weather, JonKnowsNothing, ALL

My bad.

Left out ‘Reflections on Trusting Trust’.

On first review, that is where the Silicon Turtles lie.

If you have the privilege to poke undocumented secret instructions into the code (toolchain attack).

But better yet, poke undocumented microcode into the fireware.

This is where the second layer of turtles lie.

Then third layer, UEFI, TPM crap.

Then fourth layer, attacking the silicon through manipulating the software (ex: Verilog) that is used to design the silicon.

Do you see the loopback?

Software is being used to develop hardware (the silicon).

If the software (compiled with a toolchain) is used to design the hardware, and the toolchain has a backdoor, how can you really trust the hardware?

Silicon Turtles.
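Added example, not part of the thread and not any poster’s code: a toy model of the Thompson attack behind the “Reflections on Trusting Trust” reference above, together with the “build with several toolchains and compare notes” idea from the earlier post, in the form Wheeler later formalised as diverse double-compiling (DDC). The “compiler”, “binaries” and “login program” are constructed Python data; the backdoor statement and the TROJAN marker are made up for the illustration; no real toolchain (MSVC, GCC, Clang) and no Ghidra is involved. The point it shows that the prose alone does not is why rebuilding the compiler from clean source does not remove the trojan, and why a second, independent toolchain does detect it.

```python
import json

# Constructed toy programs.  A "source" is a dict with a name and a list of
# statements; a "binary" is the canonical JSON text of such a dict.
LOGIN_SRC = {"name": "login",
             "body": ["read user", "read pass", "check creds", "grant"]}
# Source of the compiler itself.  Note it is clean: nothing here mentions a trojan.
COMPILER_SRC = {"name": "cc", "body": ["parse", "codegen"]}

BACKDOOR_STMT = "if pass == 'letmein': grant"   # constructed marker for the example
TROJAN_MARK = "TROJAN"                           # marks a compromised compiler binary


def honest_compile(src):
    """An honest toolchain: the binary is a faithful encoding of the source."""
    return json.dumps(src, sort_keys=True)


def trojan_compile(src):
    """Thompson's attack in miniature.  Compiles faithfully except for two
    recognised inputs: the login program (gets a backdoor) and the compiler
    itself (gets the trojan re-inserted, so the attack survives rebuilds
    from clean source)."""
    src = json.loads(json.dumps(src))  # deep copy; never mutate the caller's source
    if src["name"] == "login":
        src["body"].insert(src["body"].index("check creds"), BACKDOOR_STMT)
    elif src["name"] == "cc":
        src["body"].append(TROJAN_MARK)
    return json.dumps(src, sort_keys=True)


def has_trojan(compiler_bin):
    """True if a compiler binary carries the trojan marker."""
    return TROJAN_MARK in json.loads(compiler_bin)["body"]


def run_compiler(compiler_bin, src):
    """'Execute' a compiler binary on a source program.  A binary carrying the
    trojan behaves like trojan_compile; anything else compiles honestly."""
    return trojan_compile(src) if has_trojan(compiler_bin) else honest_compile(src)


def diff_binaries(bin_a, bin_b):
    """Statement-level diff of two binaries (the 'compare notes' step).
    Returns (only_in_a, only_in_b)."""
    a = json.loads(bin_a)["body"]
    b = json.loads(bin_b)["body"]
    return ([s for s in a if s not in b], [s for s in b if s not in a])


def ddc_check(suspect_bin, trusted_compile, compiler_src):
    """Diverse double-compiling (Wheeler).
    1. Build the compiler source with an independent, trusted toolchain -> stage1.
    2. Build the same source again, this time with stage1 -> stage2.
    3. stage2 must equal the suspect binary.  A faithful build passes; a
       self-propagating trojan cannot survive step 1, so the comparison fails."""
    stage1 = trusted_compile(compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    return stage2 == suspect_bin


if __name__ == "__main__":
    # The compiler binary we were handed was produced by a compromised compiler.
    suspect_cc = trojan_compile(COMPILER_SRC)
    # Rebuilding the compiler from its clean source with that binary does not help:
    rebuilt_cc = run_compiler(suspect_cc, COMPILER_SRC)
    print("trojan survives rebuild from clean source:", has_trojan(rebuilt_cc))
    # Building login with two toolchains and diffing exposes the injected statement:
    only_suspect, only_trusted = diff_binaries(run_compiler(suspect_cc, LOGIN_SRC),
                                               honest_compile(LOGIN_SRC))
    print("statements only in the suspect build:", only_suspect)
    print("DDC passes for suspect compiler:", ddc_check(suspect_cc, honest_compile, COMPILER_SRC))
    print("DDC passes for honest compiler:",
          ddc_check(honest_compile(COMPILER_SRC), honest_compile, COMPILER_SRC))
```

Two caveats a practitioner would want. First, DDC proper compares bit-for-bit, so it needs reproducible builds and a second compiler you trust more than the first; without those, what you can do across MSVC, GCC and Clang is compare disassembly and behaviour, since their outputs never match byte-wise. Second, the toy only catches a trojan that keys on the compiler’s own source; a trojan keyed on the login program alone would still be caught by the cross-toolchain diff of the login binary, but not by the DDC step.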

JonKnowsNothing April 17, 2021 5:56 PM

@SpaceLifeForm, Rob T, Clive, Weather, All

re: How many toolchain bugs do you think they have found but you never heard about?

RL anecdote tl;dr

In the misty and obscure past, in the realm of raging software competition….

An important 3d Party tool was used by “everyone + dog”. It was an item nearly every company in the field needed to use and no one wanted to write it themselves because The Spec was a PITA to deal with in the raw.

It wasn’t much easier to deal with in the 3d Party tool.

The little known to the masses but known to the cognoscenti was:

  There was a critical flaw in the tool

The flaw was soooo bad the entire output was just GO, it didn’t even need the GI part.

A few hardy souls had fixed the flaws and knew where the errors lay hidden. They also informed the 3d Party many times of the flaw.

The 3d Party reply was:

  a Big Shrug. Pay us our $$$$. We don’t care about any flaws.

As engineers rotated one-to-the-right every 12-18 months, no matter where you landed, you always ended up working with Old Chums.

Whenever the topic of the PITA Spec and 3d Party Tool came up, everyone pointed “Get THAT person, they know how to fix it, it doesn’t matter how much you have to pay them, it is worth it.”

And that’s exactly what folks did.

afaik That 3d party tool never worked, was never fixed by the vendor. Hopefully it’s dead code now.

A note to robust bug hunters:

To fix the flaw you needed detailed knowledge of the PITA Spec. Without knowing the finer aspects of how bad a Spec can be, and how the 3d Party tool dealt with implementing the Spec, the flaw remained elusive.

Even so, the cognoscenti took months to repair and test the fix to work for the new company’s implementation.

That was in the day when fixes were intended to stay fixed.

Clive Robinson April 17, 2021 6:36 PM

@ SpaceLifeForm,

But better yet, poke undocumented microcode into the fireware.

The accidental made me smile

Because in my distant past I wrote microcode and designed the RTL that went under it. Get either wrong and it’s potentially a very real “poke to burn”[1] scenario and a lot of expensive chips could become toast.

[1] The “poke to…” stories arise, as far as I can tell, from two sources. The original was to do with the Commodore PET 8-bit computer that came with a built-in cassette recorder to store programs and data. It is said –I’ve never checked– that if you used the POKE command in BASIC to write to a given address in memory you could blow the whole computer up in a ball of flames. Whilst I doubt the ball of flames, it is possible that somebody tried to use a “bridge control” circuit on the DC motor on the output of a TTL or similar buffer, which if not designed correctly –i.e. with protection– could “crowbar” the power supply. The second story comes from the days of PC video cards and early “multi-sync” monitors. It was possible, again via POKE in BASIC, to try to change the screen resolution on popular graphics cards. Back then it was not possible for the software to determine the monitor type or the sync frequency ranges it could work with, and yes you could, and people did, damage their monitors, and at least one manufacturer of monitors had electrolytic capacitors blow up and produce lots of smoke and a foul –toxic– smell[2].

[2] In electronics you will hear about “Magic Smoke escaping and ascending”. Basically it’s all about not just electrolytic capacitors but resistors and semiconductors going “high order” and rapidly on their way to the great “bit bucket in the sky”, the attendant smoke being a joke about the component’s soul / ghost[3].

[3] Under the right –or wrong– faults early PCB materials would not just char but actually burn with real flames; it’s why sensible test / development / repair technicians / engineers would, and still do, keep an aerosol-style “car fire CO2 extinguisher” on or within hand’s reach of their work bench. You basically “hit” the bench emergency off button, or just “yank the power cord”, give the “kit a quick squirt”, then a few “choice words” to ease the tension. Usually stops the drama before it gets started. The advantages of the aerosol CO2 extinguishers, unlike all the others,

1, They were not messy.
2, You only use what you need so one aerosol is good for quite a few pop and bangs.
3, You can also use them like “canned air” to cool components when looking for thermal fault issues.

All unlike the single-discharge traditional fire extinguishers, which frankly are more of a danger to the user than a small electronic pop and bang on the work bench (and yes, for my sins, I’m a qualified fire safety officer). Save the traditional extinguishers for actual fires and have the three types approved for electrical equipment handy. Oh, a fire blanket and bucket of sand may be “old school” but are still handy if you know how to use them properly, and are cheap and don’t need all the palaver of extinguishers.
