Friday Squid Blogging: USB Squirming Tentacle

Just the thing. (Note that this is different than the squid USB drive I blogged about.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on January 25, 2013 at 4:15 PM • 53 Comments

Comments

doctorhook • January 25, 2013 4:33 PM

"Note: The USB Squirming Tentacle does not store any data, however, it may summon the Elder Gods from the depths. Use at your own risk."

Clive Robinson • January 25, 2013 4:43 PM

On topic for once :-)

@ Bruce,

Just the thing.

But for what? It does not store data, it just wiggles.

So I guess it's a case of "tickle your fancy", whatever your fancy may be.

(Oh, and for those that know, we've also done the Japanese Tentacle XXX thing before, so don't ask; and for those that don't, again don't ask, just go read http://en.wikipedia.org/wiki/Tentacle_erotica ).

fhtagn • January 25, 2013 4:47 PM

Well, if it doesn't store any data then obviously it is secure.

So, how about this: hack some storage into one with active malware, then drop it outside your target company. "Oh look, it's one of those tentacle thingies. Watch what happens when I plug it in..."

Marc • January 25, 2013 5:29 PM

It occurs to me that Squid Blogging Friday is now a Thing, and therefore one might reasonably greet one's fellow Brucians with a cheerful greeting such as: "Happy Squid Friday!"

Naturally, the correct response would be: "Bah! Humboldt!"

Figureitout • January 25, 2013 6:10 PM

@Bruce
--Maybe it could start flailing if it senses just known malware, or a receiver in it; then it would have more of a purpose than making your computer look physically infected. :)

Sam J • January 25, 2013 6:12 PM

@bcs

As long as these backdoors are simply designed as a tool to allow easier collection by governmental agencies of data they've been given legal right to collect, and as long as access remains solely with the company in question itself at all times when a legal wiretap isn't being setup, it doesn't seem like that big a deal to me.

Calvin Li • January 25, 2013 9:40 PM

While we're on SSH logins....

Recently it broke that many people had inadvertently included their SSH private keys (id_rsa, etc.) in their GitHub repositories. The situation is so serious that GitHub has disabled the search function entirely. Just goes to show the importance of securing private keys... (and of using non-null passphrases!)


In unrelated news, apparently many publicly-available internet-connected HP printers can be found using Google. The ramifications could theoretically go far beyond printing to random people's printers.
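A defender-side check for the problem Calvin Li describes, added here as an example and not code from the blog or any commenter: it walks a checkout, flags files that hold a private key, and reports whether each one carries a passphrase (the OpenSSH key format records the cipher and KDF names in its header; the legacy PEM format uses a Proc-Type header). The sample files are constructed stand-ins, not real keys.

```python
import base64
import re
import struct
import tempfile
from pathlib import Path

# Matches any PEM private-key block; \1 makes the BEGIN and END labels agree.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?PRIVATE KEY)-----(.*?)-----END \1-----", re.S)


def _openssh_is_encrypted(body: bytes) -> bool:
    """Parse the start of an openssh-key-v1 blob: the magic string, then the
    cipher name and KDF name as 4-byte-length-prefixed strings. Both read
    "none" when the key was written without a passphrase."""
    raw = base64.b64decode(b"".join(body.split()))  # drop PEM line breaks
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    names = []
    for _ in range(2):  # ciphername, kdfname
        (n,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        names.append(raw[off:off + n])
        off += n
    cipher, kdf = names
    return cipher != b"none" or kdf != b"none"


def classify_key_blob(data: bytes):
    """Return (pem_label, passphrase_protected) if data holds a private key,
    otherwise None."""
    m = PEM_RE.search(data)
    if m is None:
        return None
    label, body = m.group(1).decode("ascii"), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        return label, _openssh_is_encrypted(body)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted form
        return label, True
    # Legacy PEM (RSA/DSA/EC) and plain PKCS#8: protected only when the
    # "Proc-Type: 4,ENCRYPTED" header is present.
    return label, b"Proc-Type: 4,ENCRYPTED" in body


def scan_tree(root, max_bytes: int = 64 * 1024):
    """Walk root and return sorted (relative_path, label, protected) tuples
    for every file that looks like a private key."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        result = classify_key_blob(path.read_bytes())
        if result is not None:
            findings.append((path.relative_to(root).as_posix(), *result))
    return sorted(findings)


def unprotected(findings):
    """Names of keys usable as-is by anyone who obtains the file."""
    return [name for name, _label, protected in findings if not protected]


# --- constructed samples (not real keys): only the structure the check reads ---
def _openssh_header(cipher: bytes, kdf: bytes) -> bytes:
    raw = b"openssh-key-v1\x00"
    for s in (cipher, kdf):
        raw += struct.pack(">I", len(s)) + s
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLES = {
    "id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_pp": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519": _openssh_header(b"none", b"none"),
    "id_ed25519_pp": _openssh_header(b"aes256-ctr", b"bcrypt"),
    "README.md": b"# nothing to see here\n",
}


def scan_samples():
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            (Path(tmp) / name).write_bytes(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    found = scan_samples()
    for name, label, protected in found:
        print(f"{name}: {label} ({'passphrase' if protected else 'NO passphrase'})")
    print("unprotected:", unprotected(found))
```

Run it against a real checkout with `scan_tree(".")` before pushing; anything listed by `unprotected()` should never leave the machine.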

Blog Reader One • January 25, 2013 9:41 PM

Various security-related stories of possible interest...

The Ongoing War On Computing; Legacy Players Trying To Control The Uncontrollable
https://www.techdirt.com/articles/20111231/01431617249/ongoing-war-computing-legacy-players-trying-to-control-uncontrollable.shtml

How the feds put a bullet in a "bulletproof" Web host
http://arstechnica.com/security/2013/01/...

Junk Mail Gets Personal
https://www.eff.org/mention/junk-mail-gets-personal
http://online.wsj.com/article/...

10 Things You Didn't Know Could Be Hacked
http://www.technewsdaily.com/...

(On the other hand, see the "Code Grabbers and Remote Keyless Entry" article at http://www.snopes.com/autos/techno/lockcode.asp )

Calvin Li • January 25, 2013 9:43 PM

Also, I note that nowhere on the USB Squirming Tentacle page does it claim (even facetiously) that it is a USB drive. It appears rather to be in the same category of novelties as the USB Pet Rock.

Clive Robinson • January 26, 2013 2:24 AM

@ BCS,

The FBI wants this to stay quiet.

I'm not surprised.

If you look at it another way they are asking these companies to willingly commit economic sabotage of the US National economy, which is regarded as Treason / Terrorism.

That is, if a non-US entity, "legal or natural", is aware that "FBI backdoors come built in", then in all good sense, as a "natural" individual or "legal" corporate, it would be considered reckless to use such products directly or indirectly.

This in turn takes business away from the US and has a negative impact on the US economy at best as well as significantly damaging foreign relations.

If you think it sounds preposterous that a US LEA would use such tactics to spy without warrant on anybody they chose, including US citizens, think again.

A few Fridays back I posted a link to the case of a US software developer who was selling software to companies outside of the US to legally (in their jurisdiction) set up web-based gambling sites.

He and his family were at home one day when 30+ fully armed SWAT persons crashed into his home and dragged him away. After further psychological (if not physical) roughing up they basically laid a deal on the table.

He would put a backdoor into his software so that the details of all gamblers could be downloaded by him and he would then send them to the US authorities. If he failed to do this they would charge him with what amounts to assisting other US citizens to break US law and he was looking at many years in jail.

I indicated that I thought it was something that Bruce should think about blogging about.

I suspect that this is not the first time this sort of less than "Friendly Persuasion" has been tried by reckless US Attorneys etc and that it's not working out so well for the FEDS so they are trying a different tack to ensure they get the results they want. And sadly on current behaviour I suspect Obama will wave it through.

The reason we are aware of this is the software developer has decided to not just fight this, but go public as well; let's hope he does not become another Aaron...

Clive Robinson • January 26, 2013 2:53 AM

@ Garth,

Hidden SSH logins found in Barracuda appliances

They should have known better; this is an elementary security mistake that is probably as old as computer networking, and weak passwords are even older, as they have been known about as a significant security risk for over half a century (yup, back in the early 1960's the ACM journal had articles on them).

The excuse that they are "difficult to exploit because it's only certain IP address ranges" is a real joke. All you need to do is control an upstream bridging host or router and fake the source address. Again this is a well known and very old attack vector and was known about before "Network Firewalls" were called Firewalls (see history of Bastion hosts/bridges and service wrappers).

The real use for IP address range blocking these days is pretty much what it has always been, which is "traffic management" not "Intrusion Prevention"; such security benefits are an easily bypassable side effect.

So I'm not impressed; it appears security lessons of old are being forgotten by product developers. I'm 100% sure that modern attackers won't have forgotten, or will have re-discovered them themselves either by studying recorded history or by studying the actual kit.

Garth • January 26, 2013 6:50 AM

@Clive

The whole IP address part is even worse, since the advisory notes that the /24 blocks aren't even fully controlled by Barracuda; a few of the websites and organisations that control IPs in that block are noted in the advisory:


mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.

Most likely plenty of low-hanging fruit in the allowed IPs even without compromising an upstream router.

By the way Bruce I just noticed that the Preview page still shows the byline at the bottom.

dbCooper • January 26, 2013 12:39 PM

For those unfamiliar, economically Nebr is heavily agricultural, both crops and livestock. There has always been opposition in the state to the use of aircraft to monitor for violation of environmental laws, particularly by livestock feedlot operators.

The article does not mention this as a point of opposition to the drones, but I suspect it is playing a part.


Police drone use targeted by Nebraska bill:
http://journalstar.com/legislature/...

Clive Robinson • January 26, 2013 12:56 PM

OFF Topic:

I occasionally comment,

Paper Paper Never data!

On this blog (and say it to most people I deal with professionally), usually when talking about "Meta-Data" and "Electronic Discovery" risks and mitigations.

Well, it appears the legal fraternity on the defense side are getting more than just jittery about the "Lakes of Data" companies keep that represent a significant risk factor, because the other lot are rubbing their hands with glee and large dollar signs can be seen flashing in their eyes like the neon signs in the less salubrious Vegas slot ranches.

Well, others are now putting voice to these commercial defence lawyers' concerns and talking about Data Deletion within the safe harbour the law allows within "company policy",

http://www.csoonline.com/article/727190/...

Speaking of the legal fraternity, as some of you may have heard, Sony have been fined (for good and proper reasons) by the UK's ICO over a very severe data breach on its games network. Although the fine is paltry compared to the potential and actual harm done by Sony's incompetence and slipshod behaviour, Sony are whining "Snot Fair" etc and indicating they are going to appeal,

http://www.bbc.co.uk/news/technology-21160818

I really don't think Sony are doing themselves any favours; they were caught red-handed using very poor practice and the industry and many of their customers know this only too well. Thus Sony should just shut up and pay; it really is quite a small fine and the bad press about their attitude has probably cost them more already.

But what did Sony do that was so bad? Well, a lot of it is known but not all. Over at the UK's Camb Comp Labs is an article on one of the missing bits,

http://www.lightbluetouchpaper.org/2013/01/24/...

Another thing I and others on this blog go on about from time to time is "Under the CPU" and other "Supply Chain Poisoning" attacks / issues.

Well for another view point (or overview) have a look at,

http://www.darkreading.com/advanced-threats/...

One thing about the piece that caught my eye was,

It is likewise difficult to track the number of developers who had a hand in creating a particular program, which often includes open-source components.

I'm not sure if that is a side swipe at Open Source itself or at those developers of proprietary closed source software that take Open Source and hide it in their own closed source products (often without acknowledgment), Sony and Microsoft being just two major offenders in the past (though MS did include acknowledgments hidden away nearly out of sight).

We know this in MS's case because most of the lower level TCP/IP network code in MSDOS+Windows and NT was an almost direct steal of what was in effect Open Source at the time, and is why some attack vectors worked across their entire OS range of products. What made it embarrassingly clear to all that the MS code was an almost direct steal was the "teardrop" DoS attack, which also affected some *nix OS's that had also used the same network code (though in the case of Linux and other Open Source *nix the acknowledgment was rather more obvious and easy to find).

Speaking of articles on Dark Reading and the US predilection for blaming China for all things Cyber-NotNice... Well, as is well known by one or two readers here, most of the nasties that we get to "see" in the wild come out of Russia not China (though we don't know for those we can't or have not yet seen). This article,

http://www.darkreading.com/threat-intelligence/...

Gives some highlights out of a report that 70% of exploit kits it examined originate from Russia, which is around nine times that out of China. But more importantly, 60% of the vectors these exploits are using have been known for at least two years. Worse still are the figures for anti-virus and anti-malware, with a miss rate of 67% for these types of nasties that come across the wire.

Which might account for why in just about every "Top Ten" list "Patching" is at or close to the top, along with other updating and checking and such advice as "watch the packets", especially the outbound ones, often above anti-virus and anti-malware recommendations...

Speaking of Russia and exploit kits, many are to do with Cyber-Crime for money as opposed to intel. But what drives these exploits, how do these Cyber-Crooks select their targets and tactics? Well, Dark Reading has another report ;-) on this,

http://www.darkreading.com/advanced-threats/...

And another (lengthy) article, this time from the Info Sec Institute, on how the cyber-criminals organise themselves and how their "product" gets monetized, which is not just the more obvious exploits getting marketed and money mules etc,

http://resources.infosecinstitute.com/...

And as a final bit of reading is one from Slate Mag, with one viewpoint on the thorny issue of what to do with the unregulated grey markets for selling Zero-Day exploits to both the (supposed) good guys as well as the (supposed) bad guys and all places in between,

http://www.slate.com/articles/technology/...

The reason for the "supposed": well, most times good/bad is a viewpoint, in the same way as freedom fighter / terrorist. You can fairly safely assume that currently the US Gov regards the Iranian Gov as bad and the Iranian Gov thinks the same of the US Gov, whereas other people and Govs will have their own opinion (and I suspect the US Gov would not come out smelling of roses from that poll).

Enjoy :-)

nobodySpecial • January 26, 2013 2:33 PM

Just to add to Clive's list
One of the main victims of malware are medical devices. The FDA rules mean it takes 90 days to approve the installation of a patch for a zero-day exploit - hence a lot of machines that are unpatched.

Nick P • January 26, 2013 10:52 PM

@ NobodySpecial

That's actually misleading on two fronts. The first is well-said by a commenter (kreedh20) on the site you linked to.

"I do not believe this is correct, the FDA only requires that the manufacturer test the patches through their standard processes and guidelines for good manufacturing process. This would apply to Class 1 & 2 devices that are approved through the 510K process. The only time the FDA has to re-approve a device is if a change was made that significantly alters the functionality or intended use.

From the FDA:
"Ordinarily, FDA will not need to review software patches before a device manufacturer puts them in place. FDA views most software patches as design changes that manufacturers can make without prior discussion with FDA. FDA has already advised manufacturers on when they should involve FDA. (See FDA's guidances on General Principles of Software Validation and Deciding When to Submit a 510(k) for a Change to an Existing Device and regulations on notification and premarket approval application supplements and reports.)"

http://www.fda.gov/MedicalDevices/...

Look for the rules from the FDA that address OTS (off the shelf software) in medical device systems."

The other issue is whether FDA regulations are the real problem with medical devices. I actually read the FDA software guidance for a discussion on this blog. I liked it because it required something akin to software engineering rather than half-arsed development. The manufacturers often want to cut costs by using things like Windows, leading to security issues.

Usage according to manufacturer instructions is another issue. Your link actually mentions it

"The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable."

So, this was a device that was unsafe to connect to the internet. People's safety might depend on its correct operation. And what do they do? Hook the thing up to the Internet.

I'd add that there are network level measures one can take if he or she *really* needs the internet access. Putting a security-enhancing gateway between the critical device and an Internet service can greatly reduce risk if done right. This was true with the SCADA issue, for example, where simple link encrypter might have stopped plenty of issues.

So, the blame isn't just on FDA, if at all. There are plenty of FDA regs that need rework. I'd even believe there's issues with their software certification that I'd see if I look more thoroughly. However, most of these problems are from dangerous manufacturer or user choices. We have solutions for dealing with both types of problems. Perhaps the next regulation should be to implement them? ;)

Clive Robinson • January 26, 2013 11:35 PM

OFF Topic:

@ Bruce,

You may want to add this one to your list of TSA abuses and where sometimes the individual gets some justice.

http://www.wired.com/threatlevel/2013/01/...

It's worth reading the three judges' comments; the first, by the two assenting judges, reads as the thoughtful response you would expect from an open society's justice system.

The second, from the sole dissenting judge, reads well, let's just say, from a direction of distinct over-caution to the point of having swallowed the FUD from the DHS et al "hook, line and sinker".

Clive Robinson • January 26, 2013 11:56 PM

OFF Topic:

It appears that the "hacktivists" are kicking back against the US Federal justice system,

http://www.bbc.co.uk/news/...

Over the untimely demise of Aaron Swartz when subject to the disproportionate attentions of a Federal Attorney and her juniors.

Fingerhut • January 27, 2013 12:00 AM

Iran unveils machine for amputating thieves’ fingers

http://observers.france24.com/content/...

"One of Iran’s official press agencies published photos showing the public amputation of a thief's fingers on Wednesday. These show a man getting his finger chopped off with a machine resembling a rotary saw."

Clive Robinson • January 27, 2013 12:49 AM

OFF Topic:

A couple of things that caught my eye on C!net.

The first is about MIT Media Lab director Joichi Ito giving a talk at Davos (at the World Economic Forum) about why he is not in favour of immortality through technology, and that we should be aiming for resilience not efficiency by, amongst other things, reassessing how we educate and test our children.

http://news.cnet.com/8301-11386_3-57565860-76/...

With regards Resilience-v-Efficiency, I'm all for it from a security perspective, because nearly all our security ills have as an underlying cause the "Efficiency is good" mentality. Admittedly this is primarily due to the fact it's an easy thing to measure in a field of endeavor that lacks proper metrics and thus in most cases reliable scientific method.

As for education and testing, Bruce has blogged about how and why people "game" academic success, and I've made complaint here in the past about the failings of our educational systems to produce creative engineers backed by the necessary fundamentals which give them the flexibility to be able to confidently think outside of the normal constraints of the systems they are given as the current "flavour of the month".

The second article is about Aaron Swartz; it appears that, as suspected, prior to the involvement of the FEDs he was facing the legal equivalent of a slap on the wrist, not having his life destroyed by a Federal conviction and potentially 50 years and fines of 4 million USD.

http://news.cnet.com/8301-13578_3-57565927-38/...

nobodyspecial • January 27, 2013 2:19 PM

@nick P - of course it doesn't matter if the FDA does require a resubmission to apply a patch.
The fact that people think it does, or are uncertain, or the layers of lawyers, QA managers and ISO auditors aren't sure - means that patches don't get applied.

Although it's not clear how class III devices on Windows ever get approved, given that MSFT's EULA prohibits its use for life-threatening roles.

Clive Robinson • January 27, 2013 5:25 PM

@ NobodySpecial, Nick P,

With regards the FDA rules and the consequences, you are both right and also consequently both wrong.

It's actually a question of whose viewpoint counts in any given situation.

And the most dangerous view point and the one that is most unpredictable is that of a judge and jury in a civil action.

There it does not matter if your company has done everything by the FDA rule book, the court looks at "reasonable" knowledge/behaviour and "industry best practice" as presented by legal protagonists with a very large financial incentive (say 30% on a successful action).

Where these legal persons will stand and argue that nothing is black or white, it's all grey, and your shade of grey is more black than the lily-white example they have found elsewhere. Which by their definition is a shining example of reasonable industry best practice, and therefore you must be completely unreasonable and deliberately failing to follow best practice. Which is akin to wilful negligence, and therefore you should be made to pay disproportionately large sums of money as punitive damages. Which, as you legally have to have product liability, means that it's your insurers that are to pay, and as everybody knows "insurance companies have got bottomless pockets, so nobody is really going to be hurt by such an enormous payout"...

Which obviously makes the legal advisors at insurance companies understandably extremely conservative in nature. Which is reflected in the premiums for product liability.

Thus, as with household insurance where you get a discount for having a five-lever mortice locking bolt over and above the seven-pin cylinder sprung latch, companies get discounts on product liability if they likewise take a conservative attitude in their behaviour.

Thus the net effect is the law of unintended consequences comes into play...

Clive Robinson • January 27, 2013 5:46 PM

@ Calvin Li,

A town in Missouri is having problems with the devices... but only in one particular parking lot. The cause of the issue is as yet unknown, but an illegal or malfunctioning transmitter is suspected.


I would not put money on the transmitter being either "illegal or malfunctioning".

The reason for this is most of these lock devices use one of the ISM bands, as do various other bits of equipment.

A few years ago it was discovered that similar problems were happening in a hospital car park that was overlooked by the department responsible for cleaning and sterilizing surgical equipment. It just so happened that the R.F. sterilizer in use used the same ISM band as the lock fobs. The sterilizer used about 100,000 times the power of the fobs, and as the emission mask for such "non radiating industrial equipment" was considerably different to the mask used for "radiating domestic equipment", it was radiating ten or so times the power but through the building wiring, which made a quite efficient antenna, unlike the antenna in the fobs, so the Effective Radiated Power (ERP) was about a thousand times that of the fobs, thus giving the sterilizer about thirty times the range of the fobs.

A similar effect is seen when domestic microwave ovens are used in staff rooms in office blocks and put on window sills that overlook WiFi AP's.

Likewise WiFi AP's that overlook desks where a mobile phone and Bluetooth headset are trying to be used.

Such are the joys of "License Exempt" ISM band shared usage...

Nick P • January 27, 2013 7:05 PM

@ vespas

Thanks for the link. The attack strategy itself is pretty old (2010). I posted the same link below on hackaday.

http://thomascannon.net/projects/dlp-bypass/

There might have been earlier examples. I just remember mentioning this one to somebody. Joanna Rutkowska at Invisible Things Lab also did a nice piece on USB security. My recommendation is to do what we did in the old days: put some glue in it and find a better way to move files.

Woo • January 28, 2013 1:28 AM

So now ThinkGeek just needs to go the final step and add a few gigs of storage to that tentacle.. then my wallet'll be in real trouble.

999999999 • January 28, 2013 2:04 PM

@Clive

I was wondering how long it would take someone to post the 4th amendment chest writer. I wonder what the TSA lawsuit will come to.

I was hoping it would be more of a meme and that T-shirts would start popping up.

In somewhat related news:
The US and Canada are now officially sharing information for immigration purposes.

http://www.state.gov/r/pa/prs/ps/2012/12/...

Clive Robinson • January 28, 2013 5:06 PM

@ Nick P,

Yes moving backwards to Me$$Dross&Windoze as we used to call them back then may seem very odd...

But then I know people are still using it as I'm still supporting code I wrote on it (one of which is a French Telco that I also support some Apple ][ code for as well)...

And yes, I still have "Small C" and "Borland 3" sitting up on the shelf, and it's sometimes a bit of a wrench getting my head backwards to pre-ANSI K&R C... And yes, I still use WordStar 3 and 4, which under Win 3.11 still talks to a PostScript network printer (those using Linux can get the feel of that via "Joe's Own Editor" running as Jstar; it was the DOS standard for programmers that got built into so many IDEs like Borland's in one way or another). And I still have a copy of Mirror from the Amstrad PPC640 that I still use for talking to serial ports etc with quite complex dial-up scripts using 8088-based computers, of which a few are still around. All of which runs from just one 1.44MByte floppy disk with no hard drives hiding nasties or other stuff you would not want to leak out.

So, mad as it might seem, yeh, I can see many advantages to using it, not least of which is that "Retro feel, from when Men were Jocks and nerds looked nervous".

But here's a cracker for you: I was asked back at the end of last year about the early days of *nix on Intel by some "young'uns" (some of whose parents were probably in nappies in the 80's), and I actually re-installed a copy of Xenix onto a 386 motherboard I have in my personal museum to show them all the Microsoft copyright messages. Likewise a copy of SCO's Sys5r3 onto a 486DX which I last used as a NetWare box. And I've got to be honest, it was actually way more responsive with 4 terminals on it than I remembered (sadly though some of my MicroVax's HDs have crossed the great divide so that was not working :( ).

Speaking of NetWare, anyone else remember their CEO buying up AT&T's Unix Labs and the rights to UNIX as well as DR-DOS, and then getting kicked out to form Caldera, where they Open Sourced DR-DOS? Anyone know what happened to NetWare? The last I remember hearing about them in the press was the SCO-v-Linux war.

Kaithe • January 29, 2013 5:02 AM

@Clive, re: Novell

(disclaimer: I've had a long history with Novell and its user groups and have had a real soft spot for the company - my first install was v2.01a and I've seen v1.5x (before it was called Advanced NetWare). I also installed the first v3.0 in Australia)

Around 18 months ago (I think) the company was bought by Attachmate and checking the senior management page, Attachmate have pushed a lot of their team into the organisation.

I was at Brainshare in the early noughties when the announcement was first made that NetWare would move to a SUSE underpinning. It was generally met with hushed tones rather than the jubilation Chris Stone expected.

And I still think eDirectory is the bees knees!

Glancing around the web site, it seems they're still focussing on NetWare, GroupWise (the real reason they bought WordPerfect) and security solutions.

And everything I see tells me they're on a slow downward spiral.

Shame, really. They must be one of the few companies that defeated two attacks by Microsoft, succumbing only on the third.

Vles • January 29, 2013 6:27 AM

Completely off-squid (maybe not so off for a friday).

@Clive et al
How did you meet your wife?

Nowadays I'm thankful women are more in to computers/gaming..but boy those early days must ha'been pretty tough.. :P

Clive Robinson • January 29, 2013 1:40 PM

@ Vles,

How did you meet your wife?

How very pre-sixties ;-)

As far as I am aware most people still get to meet their love interest in the same old ways,

No.1 : Through work.
No.2 : Through friends and relatives.
No.3 : From School/college/Uni or clubs.
No.4 : By "bumping into them" locally.
No.5 : Putting a lonely hearts ad in a paper.

Irrespective of what dating agencies and online matchmakers say, few people get together long-term through them.

In fact the likes of Gumtree have realised that the modern idea of dating agencies etc is not to find a partner, except for a night or possibly two...

The main idea behind most dating agencies and web sites is to separate the vulnerable from their money. The same sum of money would probably give them a better chance of finding a partner if they spent it on a decent "sight seeing" or "cruise" holiday where people are kept in a largish group for a week or two and get to know each other better than they would in six months of dating.

But to answer your question, in my specific case it was No.2. I went away with a group of people for a weekend to an adult education conference (UK's OUSA). Whilst traveling down from London by train, drinking the champagne we had brought with us for the smoked salmon lunch, strawberries and cream etc, a lady friend who I'd known for many years asked me to get something out of her bag for her, which was in the rack above my head. Whilst I was doing so another lady, who I knew only by name, decided she liked the look of my bottom (or so she told me some time later). Anyway, on arrival at our hotel I announced I was off to do some shopping, as I'd not brought toothpaste with me, and said I was off to Boots to get some. She then said she had forgotten her hair brush and accompanied me on the shopping trip. The rest, they say, is history...

T • January 29, 2013 7:25 PM

2 months ago I read that Adobe Flash was under attack, so disabled it so thoroughly that even I am going to have fun un-disabling it at the sys level.

Then, frustration set in: No Daily Show videos would play. Youtubes wouldn't play.
So I reached for the howto to disable the disabling security fix, and voila, Oracle Java hack is now headline news, so I left my limping system as it is. Pathetic.

Obviously, you don't need to feel sorry for me, I'm a victim of my own security fears.

But here's what you might find interesting and what surprised me: EVERYTHING uses Adobe Flash. EVERYTHING of any interest whatsoever, almost. EVERYTHING.

Ted talks. Youtube videos on how to remove wallpaper, or to hear The Pointer Sisters songs, (Yes we can, can, can), The Daily Show, where I get my news, :), educational videos....on and on and on. Seriously, on and on and on. Almost any site I go to I get an error that Adobe Flash isn't installed. Even rotten CNN, even Washington Post, it's EVERYWHERE.

I feel like I'm alone on Mars and afraid to open the hatch.

I had no idea how ubiquitous Adobe Flash is in our world. It's stunning--the whole reality of many of us can evaporate, collapse, without Adobe Flash.

I'm not sure which makes me more paranoid--the potential virus in java/Flash, or the fact that everything in my world seems to depend on Adobe Flash.

So guys, if consumers are supposed to be self regulating, cautious, self disciplined, er, what do you say to someone who turned off Flash so good she can't see the world anymore?

Dilemma,
T

Clive Robinson • January 30, 2013 2:42 AM

@ T,

what do you say to someone who turned off Flash so good she can't see the world anymore?

You make it sound so biblical...

However, I need to say that in the world of Flash, in your picturesque terms, I am a person blind from birth. I did not like Flash from the start for various technical and security reasons, which is very much the same for nearly all Adobe products as far as I'm concerned (too much style over substance, which is never good).

And thus I have, as far as I'm aware, never knowingly allowed it on machines I do work on. Is it a handicap? Possibly, but then I've not really known what I might be missing. Except, that is, when I read about all those attack vectors and subsequent fixes Adobe have issued and think "yup, as expected".

Adobe and Microsoft are the two main easily identifiable (to non computing types) reasons why I always wince when I hear fanboy types wittering on about ubiquitous all in one computing devices and how great they will be for users...

My thought is almost immediately "soft target" and how much more great these devices will be for those unknown criminal users of your device who will turn the fanboys' pleasant but narcissistic utopian daydream into a hellish living nightmare, one that makes Dante's ideas look like a fun day out to the beach...

Whilst I've known this netherhell has existed since the very early days of the Psion devices back in the 80s that much later became "Personal Digital Assistants", it is only now, some 30 years later, that the reality is coming home en masse as BYOD sinks into corporates from the narcissistic types in walnut corridor.

Now having done my soothsayer, "Beware the Ides of March" bit, it's time to grab the first brew of the day and smile cheerfully at all those blessed by not having sufficient imagination to realise what potential threat awaits them :-)

FigureitoutJanuary 30, 2013 3:40 AM

@T, Clive Robinson
--He (T) takes on a 600 lb. gorilla so I commend him; it is kind of biblical. Disable Flash or JavaScript and many modern websites give you a bunch of blank space. How can there be such a monopoly? I remember in grade school getting taught to make simple Flash movies, and getting hooked on the MS GUI; they get you hooked at a young age, meaning, like a language, you want to just speak it and expand on it and not learn a whole new one. They should instead be showing children the old old punch card computers, and let them grow up with these modern freak machines with too much input and components the size of dust and smaller. I actually "have" to still use Adobe Connect (buggy POS) for a class and give the software uncomfortable permissions for my embedded microphone and webcam (that I never really cared for) or I get an F for a chemistry class component. I could of course raise my voice and oppose, but that's where things start to get awkward; so I embrace awkwardness because you get past people's filter of what they want you to see and into their sincere side.

Clive RobinsonJanuary 30, 2013 4:25 AM

@ Nick P,

Yes the Bloomberg article is nice...

In that it white washes the tip of the icebergs.

I have good reason to suspect that there is going to be an awful lot more dirty laundry come out over the next ten years. The reason being that LIBOR, as bad as it is or was, is just small potatoes (income wise) compared to other things going on in the finance sector since the Maggie Thatcher and Ronny "Rayguns" "the market knows best" mantra that overnight became the Gordon Gekko world of "Greed is good" and the British equivalent of the chavvy barrow boy sneer of "Lots of wonga".

Without needing to go into actual detail you can easily see why more bad news is on the way...

Look at the casual carelessness of the communications these "Masters of the Universe" carried out, they knew full well every key stroke and dialed digit and spoken word on the phone was recorded for posterity. Yet they took no precautions and you have to ask why?

The simple answer is an endemic culture in the organisations. Those barrow boy "spiv traders" of the 80s are now in their sixties, which means everyone that followed them became part of their culture or was weeded out. There is a sense of "herd invincibility" where all that threatens them in their minds is not being in the game, which is the attitude of "gang culture".

As I said, LIBOR for all its worldwide effects was actually a small earner of a few million here and there; as such it was the gloss on the top of the icing on top of the cake. Those actually manipulating the figures were at best lowly bit-part players on the fringe of the herd with dreams of stepping up to the bottom table. Look at the size of the bribe, 50,000-100,000 USD; that's less than 0.5% of the salary of close-to-top-table earners, the equivalent of between a half and one day of pay prior to bonuses.

The real top table earners are to be found amongst hedge fund managers; some of them are earning money that is greater than the gross domestic product of many countries. 100,000 USD is but the money earned whilst drinking a skinny latte for them (i.e. about 5 to 10 minutes).

You have to ask yourself what it is that makes such incomes possible and can it be done honestly?

Well the answer would appear to be not. As you move just a little from the careless fringe of those involved with LIBOR you start to see signs of more careful activity. Insider trading is suspected to be rampant, but difficult to catch.

Again it involves groups of people well known to each other from shared pasts but now working in different organisations, sometimes several time zones apart. Some of them have been known to have "burner" phones and email accounts with cryptic or stylistic traffic and "Petraeus tricks" that would be sufficient to get you hanged, drawn and quartered if you were a suspected terrorist, but go unnoticed if you are a trader. Which is just one reason why the Feds wanted to have laws forcing traders and others to register ALL phones, email accounts etc. on pain of actual jail time for non-compliance.

But these sort of communications are as we know not even regarded as trade craft. As the sums of money get larger and the stakes get higher the use of cut outs both human and technical becomes normal along with other well tried and tested methods of fieldcraft.

That weekend ski trip mentioned is just an obvious version of the "City break meeting" where accidental meetups between wives and girlfriends (WAGs) happen and innocent-looking messages and phone numbers etc. are exchanged. At another level "Champagne Duels" in night clubs enable messages to be sent via waiters, or mobile phones to be exchanged by supposed theft or just discreetly slipping one into somebody's coat pocket.

A few years ago the monitoring of bluetooth traffic showed some very odd behaviour in and around clubs and restaurants frequented by traders, likewise some HTC (and other) phones that could act as WiFi APs to other WiFi phones or just peer up etc...

These people are smart and they have very large sums of money to make and "walled garden" existences to protect. Getting around surveillance by low paid, low resourced Government investigators is trivial. And further, unlike those spying, they are not trying to fit in in somebody else's territory; thus the environment they are in is of their own making and outsiders stand out like lighthouses on cliff tops. But even worse for investigators, these people have known each other as a closed circle for ten or twenty years, which means getting into the circle is well nigh impossible and turning people is likewise very difficult.

And at the end of the day the complexity of the systems they use is so high it's almost impossible to test to see if one smart trade is any different from another, especially when it all starts with a (supposed) hunch that only traders get...

mooJanuary 30, 2013 9:21 AM

Off-topic:
Researchers at Rapid7 scanned 80 million UPnP devices at public IP addresses. Over half of them appear to be vulnerable to at least one of 3 known attacks:
http://threatpost.com/en_us/blogs/...

Probably a lot of consumer-grade routers running several-year-old vulnerable firmware.
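The exposure the Rapid7 scan measured is a device that answers UPnP discovery on its public address. The following is an added example, not code from the comment above or from Rapid7's scanner: it builds the standard SSDP M-SEARCH datagram, parses the HTTP-style replies, and flags any reply whose LOCATION header (the URL of the device description that leads to the SOAP control endpoints) points at an address outside RFC 1918, loopback or link-local space. The device names, UUID and replies in `SAMPLE_REPLIES` are constructed for the example; 203.0.113.0/24 is the RFC 5737 documentation range standing in for a public address.

```python
"""SSDP discovery probe and reply triage (added example; constructed data)."""
import ipaddress
import socket
from urllib.parse import urlsplit

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Explicit ranges rather than ipaddress.is_private, so the result does not
# depend on which special-purpose registry a given Python version ships.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16",
              "::1/128", "fe80::/10", "fc00::/7")
]


def build_msearch(st="ssdp:all", mx=2):
    """Standard SSDP M-SEARCH.  HOST is always the multicast group, even when
    the datagram is sent unicast to one address, which is how a scan from the
    Internet reaches a device's WAN side."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw):
    """Lower-cased header dict for an 'HTTP/1.1 200 OK' reply; None for
    anything else (NOTIFY announcements, garbage)."""
    head = raw.decode("latin-1", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def location_is_public(headers):
    """True when LOCATION names a literal IP outside NON_ROUTABLE.  A hostname
    is reported as not public: it cannot be judged without a DNS lookup."""
    host = urlsplit(headers.get("location", "")).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def triage(raw_replies):
    """One row per valid reply: SERVER banner, LOCATION and the exposure flag."""
    rows = []
    for raw in raw_replies:
        hdrs = parse_ssdp_response(raw)
        if hdrs is None:
            continue
        rows.append({"server": hdrs.get("server", ""),
                     "location": hdrs.get("location", ""),
                     "exposed": location_is_public(hdrs)})
    return rows


def discover(timeout=3.0, target=(SSDP_ADDR, SSDP_PORT)):
    """Live probe (network call, not used by the offline sample).  From an
    outside host, pass target=(your_wan_ip, 1900) to test your own gateway."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), target)
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return triage(replies)


# Constructed sample replies, not captured traffic.
SAMPLE_REPLIES = [
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"LOCATION: http://203.0.113.7:49152/rootDesc.xml\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPLIES):
        print(row)
```

A LAN-side answer is normal; the finding that matters is a reply to the unicast probe sent from outside, and the SERVER banner it carries is what the scan correlated with the old firmware versions.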

kashmarekJanuary 30, 2013 5:20 PM

off topic...

Suddenly, NBC News has spawned praise Bill Gate day with:

http://video.msnbc.msn.com/nightly-news/25393508/...

Bill Gates did not define, invent, or coin the phrase "electronic mail" in 1992 as one of the videos indicates. Email was part of ARPANET in 1972 (RFC 561) and defined in SMTP in 1982 (RFC 821). Wikipedia has a more complete discussion.

What's with NBC News? Have they lost their ability to distinguish reality? (They certainly fail to do their research.)

TJanuary 30, 2013 7:18 PM

@Clive

Thank you Sir, I can't disagree with a word you said. (You realize of course that still leaves me alone on Mars.)

However! Does that mean that you never listen to Jon Stewart on the Daily Show for news with humor?

If you know how to listen to the audio component of that show, which is probably just as great as the audio/visual, would you let me know?

Your being blind from birth and online gives me a lot of questions. There are so many tools for the blind online, but I don't know them. (my eyesight just went through a major downgrade)

Are there tools I could use that could help me listen to websites for languages I'm studying? Is there software to read foreign language sites, in the foreign language? Simply read what is written on the sites? (I need pronunciation and comprehension practice)

I've been wondering about that for a long time now.

Your treatise amuses me because I've never read anyone directly criticize arrogance and ignorance in mainstream program development. I tend to refer to it as "MBA Meant Well" software-- maximizing profits before thinking it through.

And I'd still like to know how to handle this type of situation where a serious bug encourages me to turn off a ubiquitous piece of software, and then breaks my online access to information--it's been a serious handicap for me.

Half the time I think I should just turn it back on, after making sure I have re-install disks, and run the risk. Part of me hates that idea, but part of me says "everyone else is doing it" and "gratification". Honestly, in this day and age, how long can I go without Daily News or other flash information, before I get a medal for self-denial? :)

Thanks.
T


Clive RobinsonJanuary 31, 2013 9:33 AM

@ T,

Your being blind from birth and online gives me a lot of questions

Ahh what I actually said was,

However I need to say that in the world of Flash in your picturesque terms I am a person blind from birth

I'm not actually blind yet, but neuropathy is getting me there slowly, as is old age.

I was using it as an analogy; what I meant was you were portraying your situation as someone who had become blind after a life of normal sight and thus suffered the significant disconnect such an event brings.

Whilst I, having never used Flash for what I do, have in effect been a person blind to both its disadvantages and any possible advantages; thus I have not become reliant on it in some way that would cause me problems.

Having been involved with a charity for the visually impaired back in the 80s, helping them set up computers for those who were blind, I was always amazed at the difference between those who had never seen and those who had.

I know it seems trite, but those who had never seen did not miss it; it was not as though they were unaware of what sight is (which in and of itself is pretty amazing) and they were aware they were different because of not having it. But to them it was not a handicap, it was just a part of their everyday life. They had not had to adapt, just grow up, and thus their other senses somehow compensated and became in some way heightened or more attuned to their needs. Their biggest complaint about computers was not the usability but the noise they made, but even this told them things, such as the computer was not booting up properly because the disk drive was making a different set of sounds; they could even tell from the noise the monitor made if it was in a particular application or not.

Back then the options were limited, due in part to the lack of computer horsepower but also to the fact that technology was so rapidly evolving. However they were really, really inquisitive and made use of what was available to them extraordinarily well. It was almost like a game to them, and one they were going to play for the high score, and they did.

There were a few spooky moments at first, but you kind of got used to them, like when you'd look up from what you were doing and one of them would turn towards you and start talking to you, and when you asked how they knew you were looking up and in their direction they would say something like "I can hear you watching me", and they were amazed that I could not do the same. Likewise they could hear I was left handed and would throw a ball etc. to that side of me.

The one thing that was clear to me at the time was that although command line usage was not a problem, full screen applications like word processors were, unless they could get some kind of feedback on where the cursor was and what word was at the beginning of the line. That said, they could touch type, and produce documents such as letters without much trouble, although some preferred to use a manual typewriter as the tactile feedback was there.

However, those who had lost their sight when older were noticeably different; it was not just what they had lost but the inability to adapt to the same degree. You would see not casual but deliberate behaviour, that is a cup would not be just put down, it was put down in a specific way, like close to or against a larger object, or with reference to the corner of the table. The use of their hands was more hesitant and moving around was less fluid.

For them using a computer was much harder in some respects, and the early versions of Dragon Dictate were a godsend for them.

However, changes in local government spending and education funding meant the resource center was closed and volunteer helpers became unpopular with LEA staff who thought they could do it all in house...

Anyway I reckon they taught me as much if not more than I taught them.

Sadly though, as far as visual impairment aids go I'm long, long out of that area, so cannot be of much help. That said, BCAB (the British Computer Association for the Blind) is the oldest such organisation around and I used to have contact with them; however, as with many of the visually impaired sites, they publish subscription-only mags. This is true of the RNIB (Royal National Institute for the Blind) technology site as well.

I do know that there is a Linux project for the visually impaired called BLINUX, and I've seen significantly visually impaired people use Emacspeak more quickly than fully sighted people using their favourite Windoze app for email and the like. However, be aware that like any really useful tool the learning curve is steep.

For various reasons a lot of computer related stuff for the visually impaired originates from Northern Europe. But as with all things with a limited market the prices are high, very high in quite a few cases.

However, some of the ebook makers have caught on to the fact that the visually impaired like to read, and thus you can get an ordinary ebook reader with very large fonts.

But a phone call to a friend I used to work with, who now does work in that area, has told me that most ebooks, including some commercial ones, can also be used (via plugins) on Linux, and she suggested looking at "Caliber" to manage them etc. (works on Mac and Win as well). Apparently all you need to know is on Caliber's Wikipedia page.

However, she did say that if you use a text-to-speech interface the books can be hard work where there is dialogue.

Ollie JonesJanuary 31, 2013 4:35 PM

The New York Times has a story today about how Chinese crackers have been intruding in their systems hoping to find out about sources on the paper's story about high-level corruption.

http://www.nytimes.com/2013/01/31/technology/... (paywall)

Notable: they claim they've definitively banished the crackers. Also notable is the discussion of rainbow tables and harvested password hashes.
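Why harvested hashes and rainbow tables belong in the same sentence: a precomputed table is built once, before any breach, and pays off against every unsalted dump thereafter, while a per-user salt with a slow KDF forces the attacker back to per-record guessing. The following is an added example, not code from the comment above or from the Times article; the wordlist and the "harvested" hashes are constructed. The dictionary here is a plain lookup table; a real rainbow table trades storage for recomputation via hash/reduce chains, but the attacker's economics it illustrates are the same.

```python
"""Unsalted hashes vs salted PBKDF2 (added example; constructed data)."""
import hashlib
import hmac
import os

# Constructed attacker wordlist.
WORDLIST = ["123456", "password1", "letmein", "qwerty", "welcome"]


def unsalted_md5(password):
    """The legacy scheme that makes a harvested dump worth stealing."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "dump" of unsalted hashes, the shape of what gets harvested.
HARVESTED = [unsalted_md5(p) for p in ("password1", "letmein", "c0rrect-h0rse!")]


def build_lookup_table(wordlist):
    """Precompute hash -> password once; the work is done before any dump is
    seen and reused against every unsalted dump afterwards."""
    return {unsalted_md5(w): w for w in wordlist}


def crack_unsalted(hashes, table):
    """Pure lookups, no hashing at attack time."""
    return {h: table[h] for h in hashes if h in table}


def salted_hash(password, salt=None, iterations=200_000):
    """Store salt, iteration count and the PBKDF2-HMAC-SHA256 output together,
    so the record is self-describing and parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify(password, stored):
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison; the expensive part is the KDF, not this.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_list, wordlist):
    """Against salted records nothing precomputed carries over: the KDF is
    redone per candidate per record.  Returns (kdf_evaluations, found)."""
    work = 0
    found = {}
    for stored in stored_list:
        for w in wordlist:
            work += 1
            if verify(w, stored):
                found[stored] = w
                break
    return work, found


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, recovered by lookup:", crack_unsalted(HARVESTED, table))
    records = [salted_hash("password1"), salted_hash("c0rrect-h0rse!")]
    print("same password, two records:", records[0] == salted_hash("password1"))
    print("salted, KDF evaluations and hits:", crack_salted(records, WORDLIST))
```

Two of the three unsalted hashes fall to the table with zero hashing at attack time; the salted records cost one full KDF run per guess per user, and the table built for one salt is useless for the next. That cost, not secrecy of the algorithm, is what a password store should be buying.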

TJanuary 31, 2013 6:44 PM

@Clive

My apologies for my misunderstanding.
Your information on online work for the blind is fantastic, thank you!

I avoided mentioning earlier that I have a cousin that has been blind from birth. Partly because as brilliant as he is, he never helps me understand the software that is available that he uses--maybe he doesn't get what I'm asking. Maybe I haven't asked it well, or maybe it's just social stuff.

So thank you very much for that information. Greatly appreciated.

Again, however, you have not told me whether you have found a way to get the Daily Show in audio, without Flash. I only harp on this because it's about to drive me round the bend. No news. I truly hate American television news, and CNN etc are not much better, even BBC can be canned insipidness--the contradictions in logic just drive a person batshit. please forgive.

So? How could we fix this Adobe Flash dependency? Is it perhaps possible to convert flash files to simple mp3 or another format? I'm primarily interested in audio content, though the visuals are sometimes terrific ways to pass the message. But audio would do for most of what I'm missing: news and music.

I apologize for my misunderstanding.
T

Nick PFebruary 1, 2013 10:51 AM

SECURITY NEWSBITE

Brian Krebs just reported on an interesting new skimmer used against an unnamed brick and mortar store.

http://krebsonsecurity.com/2013/02/...

The thing I find interesting about this is that the designer used an AES variant and the microcontroller's hardware protection mechanisms to lock the data in. The security company is having a hard time breaching it.
