Friday Squid Blogging: Vulnerabilities in Squid Server

It’s always nice when I can combine squid and security:

Multiple versions of the Squid web proxy cache server built with Basic Authentication support are vulnerable to code execution and denial-of-service (DoS) attacks through a heap buffer overflow.

The vulnerability, present in Squid 4.0.23 through 4.7, is caused by incorrect buffer management, which exposes vulnerable installations to “a heap overflow and possible remote code execution attack when processing HTTP Authentication credentials.”

“When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data,” says MITRE’s description of the vulnerability. “Squid does not check that the decoded length isn’t greater than the buffer, leading to a heap-based buffer overflow with user controlled data.”

The flaw was patched by the web proxy’s development team with the release of Squid 4.8 on July 9.
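The bug class MITRE’s text describes, as an added illustration rather than Squid’s own code: a Basic credential is base64-decoded into a fixed-size global buffer, and what matters is whether the decoded length is compared against that buffer before anything is written. The buffer size, the function names and the sample headers below are assumptions made for the example; the unchecked variant is shown only for contrast and is never called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size global buffer for decoded credentials; the real
 * buffer size in Squid is not given on this page. */
#define AUTH_BUF_SIZE 64
static char auth_buf[AUTH_BUF_SIZE];

static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Upper bound on the decoded size of inlen base64 characters: the number
 * the vulnerable code never compared against its buffer. */
size_t base64_max_decoded_len(size_t inlen)
{
    return ((inlen + 3) / 4) * 3;
}

/* Decode base64 into out, writing at most outcap bytes. Returns bytes
 * written, or -1 on a bad character or when the output would not fit.
 * Padding ('=') ends the data. */
long base64_decode(const char *in, size_t inlen, unsigned char *out, size_t outcap)
{
    size_t written = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '=') break;
        int v = b64_val(c);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned int)v) & 0xffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (written >= outcap) return -1;
            out[written++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (long)written;
}

/* VULNERABLE pattern, kept for comparison only (nothing calls it): the
 * decoder is handed an unbounded capacity, so a payload that decodes to
 * more than AUTH_BUF_SIZE bytes writes past the end of auth_buf, and the
 * terminator store can land out of bounds as well. */
int basic_auth_decode_unchecked(const char *header)
{
    if (strncmp(header, "Basic ", 6) != 0) return -1;
    const char *b64 = header + 6;
    long n = base64_decode(b64, strlen(b64), (unsigned char *)auth_buf, SIZE_MAX);
    if (n < 0) return -1;
    auth_buf[n] = '\0';
    return 0;
}

/* Fixed pattern: reject the header before any byte is written if the
 * decoded credentials plus a NUL terminator cannot fit, bound the decoder
 * as well, then split "user:password". Returns 0 on success, -1 otherwise. */
int basic_auth_decode_checked(const char *header, const char **user, const char **pass)
{
    if (strncmp(header, "Basic ", 6) != 0) return -1;
    const char *b64 = header + 6;
    size_t b64len = strlen(b64);
    if (base64_max_decoded_len(b64len) >= sizeof auth_buf) return -1;
    long n = base64_decode(b64, b64len, (unsigned char *)auth_buf, sizeof auth_buf - 1);
    if (n < 0) return -1;
    auth_buf[n] = '\0';
    char *colon = strchr(auth_buf, ':');
    if (colon == NULL) return -1;
    *colon = '\0';
    *user = auth_buf;
    *pass = colon + 1;
    return 0;
}

int main(void)
{
    const char *u, *p;
    /* Constructed sample header: "user:pass" base64-encoded. */
    if (basic_auth_decode_checked("Basic dXNlcjpwYXNz", &u, &p) == 0)
        printf("accepted: user=%s pass=%s\n", u, p);
    /* Constructed oversized header: 128 base64 characters decode to 96 bytes. */
    char big[6 + 128 + 1];
    memcpy(big, "Basic ", 6);
    memset(big + 6, 'A', 128);
    big[134] = '\0';
    printf("oversized header: %s\n",
           basic_auth_decode_checked(big, &u, &p) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The pre-check is deliberately conservative: it rejects on the maximum possible decoded length of the header rather than waiting for the decoder to run out of room, so no attacker-controlled byte reaches the buffer at all when the credential is oversized.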

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on August 23, 2019 at 6:19 PM · 50 Comments


Dancing On Thin Ice August 23, 2019 7:12 PM

A website’s guestbook is getting heavy spam.

CAPTCHA is being bypassed and I’ve notified a budget hosting company that their backend must have been compromised.
I added a nonsense field using their guestbook form generator, but that code was never used on the website.
Bad posts with web links to Яussian sites stand out from legitimate comments because they include the phony field filled in.
It’s a budget plan of just editing html so CSS hides new posts until there’s time to review for any legit posts.

Not naming them to give them a chance to respond to the info provided to them.

Ismar XBN-019 August 24, 2019 4:34 AM

Some security related news from Australia that got a bit too close for comfort for me yesterday

Namely, after trying to be a responsible citizen and asking the Guardian journalist responsible for publishing the story to notify the powers that be that the compromising information may still be available on the internet via the Wayback Machine, all I got in return was a couple of ASIO agents circling the building I live in for the better part of yesterday.
This is definitely the last time I am being decent towards these guys, who are so clueless that, despite having all technical, financial and human resources at their disposal, they still believe me to be some sort of foreign agent just because I am not afraid to speak my mind when I see injustice being done, regardless of who might be the perpetrators.

Larry the wanab IT guy August 24, 2019 6:34 AM

@Ismar-that’ll learn ya! No good deed goes unpunished!
@Patriot-No surprise there!

Alejandro August 24, 2019 7:22 AM

It’s for your own good comrade!

HARPA (HARPA-DARPA, get it?) is a “proposal to develop a way to identify early signs of changes in people with mental illness that could lead to violent behavior.”

The HARPA GOVERNMENT MASS SURVEILLANCE OP would develop “breakthrough technologies with high specificity and sensitivity for early diagnosis of neuropsychiatric violence,” says a copy of the proposal. “A multi-modality solution, along with real-time data analytics, is needed to achieve such an accurate diagnosis.”

The document goes on to list a number of widely used technologies it suggests could be employed to help collect data, including Apple Watches, Fitbits, Amazon Echo and Google Home. The document also mentions “powerful tools” collected by health-care providers like fMRIs, tractography and image analysis.

Looks like they want wide open access to our digitized medical records, too.

Got a pimple on your butt? The government wants to know about it because it might mean you are violent.



1&1~=Umm August 24, 2019 8:16 AM

@Ismar XBN-019:

“Some security related news from Australia that got a bit too close for comfort for me yesterday”

It’s rather more than just the wayback machine…

But consider it from another perspective. It was a senior ASIO individual who was named, and they would probably not be going ‘into the back of beyond’ at any time or be any more likely than any other civil service salaryman of receiving attention of foreign powers (because their name is already known by them).

Also remember ASIO want an entire and perpetual blackout including all their activities, even how many toilet rolls are used. They are very anti-transparency as it puts a damper on their illegal activities (or activities not prescribed under public law).

They no doubt will see this as yet another opportunity to push for far less transparency in their activities and who they choose to persecute etc. Like the Public Relations notion that ‘There is no bad publicity just publicity’ I suspect ASIO have a similar motto such as ‘There is no publicity only fundraising’… So expect to see something favourable to ASIO appearing in the not too distant future.

Clive Robinson August 24, 2019 9:50 AM

@ Bruce,

Another scam to add to your file,

Put simply, crooks get sufficient of people’s details to order in their name online valuable tech such as the latest phones.

They then try to intercept the package as it’s delivered. If they can not they then visit the property pretending to be a courier saying that the package got delivered to the wrong address.

If they do manage to intercept the package, usually the first the person living at the address knows is when they discover money missing from their bank account.

If they are lucky and the scammers don’t get the items, they then have the long process of returning the goods, getting police reports etc then changing all their bank accounts etc.

Usually with little or no help from the authorities, banks or companies… If people think about it for a few minutes, it’s the fact that it is this quite deliberate “no help” policy that makes these sorts of crimes not just possible but profitable for the scammers. Because those involved who are being unhelpful are “externalising the risk” and “blaming the victim” as a “matter of business”.

Sed Contra August 24, 2019 4:10 PM


The (short) arxiv paper linked in the Ars article seems to discuss simple “sieve” methods for primality.

nobodyspecial August 24, 2019 4:30 PM

I don’t know if these scams have made it to the file yet…

1) Warshipping:

Why find a vulnerability in a target’s computers when you can just mail them one?

2) With Amazon, apparently one scam is never to ship the product, just take the money and put it in the bank earning interest. If someone complains, and they often don’t, then tell them it got lost in the mail and send them a refund. Still nets you several months earning interest in the meantime.

3) And another Amazon fraud: Buy a cheap & popular item. Sell it at a huge markup on Amazon. Open Amazon accounts for random strangers. You’re creating the accounts. You have the passwords. Have your random stranger accounts buy your product. Pay with gift cards. Amazon takes their cut of course, but you still get most of the money back. (It’s one way to launder Amazon giftcards, received from criminal activities, back into cash. Or they can be legit.)

Now your random stranger accounts are “Verified Buyers”, so have them post amazing reviews! This moves you up to the top choice for your product. It costs more, but hey look at all these glowing reviews, it must be worth it. Meanwhile your random strangers get boxes of stuff they never ordered from Amazon. All you need is their name & address. A phone book will suffice.

4) Also, the more mundane frauds:

JonKnowsNothing August 25, 2019 11:59 AM

The Intercept has a detailed article on the ongoing deployment of US Border Patrol massive surveillance towers. They are built with technology from an Israeli company Elbit, based in Haifa, Israel.

…160-foot surveillance tower capable of continuously monitoring every person and vehicle within a radius of up to 7.5 miles. The tower will be outfitted with high-definition cameras with night vision, thermal sensors, and ground-sweeping radar, all of which will feed real-time data to Border Patrol agents at a central operating station in Ajo, Arizona. The system will store an archive with the ability to rewind and track individuals’ movements across time — an ability known as “wide-area persistent surveillance”.

The system, which Elbit originally developed for the Israel Defense Forces, is used to monitor people’s movements along Israel’s border and separation walls. Now, it is also used by the Border Patrol at command centers across southern Arizona.

…video cameras and radar sensors adorning a demonstration tower on site. “This can be zoomed in for many, many miles,” Friederich explained.

An engineer clicked on one of the yellow dots, zooming in on one of the video feeds. Suddenly, several cars inching across U.S. Interstate 10 came distinctly into view. He zoomed in further, and the screen settled on a patch of shrubs adjacent to a roadway, close enough that the bright green, swaying tips of the creosote bushes were visible, though they were well over a mile away. The operating system uses artificial intelligence to assign an icon representing a human, vehicle, or animal…

All this persistent and detailed information is shared with Everyone+World.

ht tps://
(url fractured to prevent autorun)

Sherman Jay August 25, 2019 12:26 PM

ht t ps://
spaced the URL for security purposes

One of the critical elements of the article is that the u.s. govt is putting many of those spy towers very near the Tohono O’odham Nation’s towns. The residents there have, for the past few years been ever more fearful to leave their town because they get stopped by the border patrol and hassled. For hundreds of years their land stretched from below the border into AZ. Now, those residents are being treated like ants in an antfarm, spied on 24 hours a day by multiple methods and unable to go to their own land south of the border.

Since before the founding of the u.s., the u.s. gov’t has violated the sovereignty of Native American nations, slaughtering, stealing their land, etc. The u.s. gov’t ignores the guarantees of the constitution whenever Native Americans are concerned. ‘To be secure in their persons and property’, what a governmental farce.

tds August 25, 2019 3:30 PM

“North Carolina Court Deepens Split on Private Searches of Digital Evidence

An important Fourth Amendment issue that may be headed to the U.S. Supreme Court.

Imagine someone comes to the police and reports that she found evidence of a crime on someone else’s computer that she was using. She brings the computer to the police and asks them to investigate. Here’s the legal question: If the police agree to investigate, what search of the computer can the police conduct without a warrant? Can they search the entire computer? Can they search only the actual files that the private party saw? Or can they not search the computer at all?

I [Orin Kerr] have blogged over the years about this issue, which I have tended to label the “private search reconstruction doctrine.” That doctrine lets the police repeat a private search of an item without a warrant, with the private party’s permission, on the theory that the private party’s search already eliminated Fourth Amendment rights in the item searched.

In a new decision last week, State v. Terrell, the North Carolina Supreme Court deepened the existing 2-2 circuit split on how the doctrine applies to computers. It also added a new third answer to the questions above. The U.S. Supreme Court may take on this issue soon, perhaps in this very case. Here is a run-down of the case and why the Supreme Court might be interested in it.”

Sed Contra August 25, 2019 5:26 PM


Re: warrants

I don’t understand why in the case at hand a warrant would not be easy to get. A seemingly credible witness gives what seems ample probable cause.

What distinguishes computer search from search à la 19th century? It seems in both cases the answer to the question “when is it a one and not a heap?” is involved, i.e. what are the limits on what is made apparent by the probable cause? If I find a 10 page manuscript with something illegal in it on page 2, can I immediately read to page 10? If the document is in a file cabinet with 1000 other documents, can I immediately read those? If the cabinet is in a file room with 100 other file cabinets, can I immediately etc. etc. etc.?

JonKnowsNothing August 26, 2019 2:20 AM


Time may not always be on our side and yet time is not our enemy either.

A TV Space Opera had a great exchange on the topic of “time”.

iirc badly:

The hero says “We are running out of time…”
To which the reply is “You cannot run out of time, time is infinite”.

I am finite though except now, with perpetual care beyond Forest Lawn in the archives of the NSA, I will be like Time… Infinite and Infinitely Malleable, formable into any action with any words. In the theme of Cardinal Richelieu (maybe).

Qu’on me donne six lignes écrites de la main du plus honnête homme, j’y trouverai de quoi le faire pendre…

ht tps://

Clive Robinson August 26, 2019 5:18 AM

@ Anders,

The hackread article says what most of us who comment here would expect.

However the author has not thought about it in enough depth.

Take the first point about Governments and spying followed by a trillion dollar market argument.

Not once is it mentioned that the bulk of the spying is actually done by the corporates, or that by and large most of the security market’s products are placebos at best and downright risks at worst. Nor the important observation that the ICTsec market is in effect a “faux market” based on the fact the ICT market fails to deliver “fit for purpose” or “fit for market” products.

Whilst the current major security failing is humans, it always has been. The reality is that electronic communications makes people do things that paper mail rarely ever did. That is, people are running a “Red Queen’s Race”[1] with their various inboxes and as a result don’t have time to think, let alone “sanity check” what they are doing or the consequences. Blaming lack of user training is kind of a “putting a sticking plaster on a broken bone” solution. What you need to do is first solve the foundation problem then go on to fix surface problems.

As our host @Bruce has pointed out in the past, when it comes to a choice between getting fired because you take time to do all the “security stuff” and putting food on the table because you at best pay lip service to the “security stuff” you know what is going to happen.

Thus if security is to be achieved people need way less communications, clear and unambiguous barriers and, importantly, more time to carry out not just security checks but business process checks. Yes, things happen faster when there are not any checks, but maybe people should consider the point that the lack of checks, especially business checks, is why phishing emails and other social engineering attacks by electronic communications are so prevalent.

The other thing to remember is that even if we use encryption for all our communications, it’s not going to stop social engineering or other end run attacks. It’s why you need business rules as well as security rules.

But the lack of mention of corporates and their nasty nasty behaviours makes me wince, especially when you read,

    Moving your XP, VISTA, WIN 7, 2003 and 2008 machines to 2012 and Win10 will do more for your organizational security than deploying an expensive anti-malware solution.

Shows several things wrong with his thinking.

The first point to remember is, as we keep getting shown, attack vectors that are “last century” are still present in the latest MicroSoft OS’s. The answer to why this is so is that at the core of MicroSoft’s OS’s little has really changed since NT4. What does get changed is the glitz of the UI to keep the MicroSoft money chain chugging along. That is, deliberate focus on obsolescence by MicroSoft to drive profit rather than provide a secure product means that in many ways the latest MicroSoft OS’s are not as secure as earlier versions.

Worse, what we also know is that since Win7 MicroSoft are “data raping” their customers at an ever increasing rate. That is, MicroSoft are very deliberately “backdooring” all their OS’s, which means you can not have security with MicroSoft products…

The fact that as far as we can tell all the other Closed Source Commercial software providers follow a similar stratagem should give you a big clue as to why security in the ICT industry is at best a sick joke.

VinnyG August 26, 2019 9:48 AM

@alejandro re: HARPA – I’ve been anticipating some proposal to be advanced that would facilitate using proposed US federal red flag firearms prohibitions to conduct the wholesale disarmament of the public, and this could be it. Before someone protests that my suspicion is impossible because this proposal comes from the US political right, which is a staunch defender of the 2nd Amendment, consider that defense possibly to be pure political expediency. My opinion is that the fascists among us would as soon (or sooner) see a completely defenseless populace as would the progressives, absent the need for political theater.

can you really hide heterodyning forever? August 26, 2019 11:45 AM

Question: “Why do we do any of this stuff?”

Answer: (personal) “While several disparate groups are busy attempting to dominate or destroy each other, I prefer to maintain the landscape of which is both the battlefield and the areas most definitely NOT a battlefield. Within such a disposition, I (and others) are attempting to preserve communication itself.”


Peter August 26, 2019 4:38 PM

Russian secret bot networks, discrete twitter campaigns or hacked voting machines and other outside money influence are seen as dangerous interference of US elections.

But nothing beats doing it in plain sight in front of everyone. 🙂
Then nobody notices it.

”Trump may reveal peace plan before Israeli elections, thinks deal ‘will happen”

“US State Department drops Palestinian territories listing from website”

So it looks like Trump will announce the annexation of the West Bank just in time to save Bibi.

Clive Rovinson August 27, 2019 6:26 AM

@ Bruce, and the usuall suspects,

These days we talk glibly of “fake news” and cast marionette style villains behind it.

But what do you do with an AI that writes “fake news” such as,

It might not be very good when working outside of its core training data but it’s potentially a view of the future.

After all Main Stream Media is not actually about “news” but “profit” and as has been seen over the past couple of decades the MSM detests journalists as an expense to be reduced or replaced with technology. Hence the rise of “click-bait” “cut-n-paste” news with “talking head” idiocy, a form of modern entertainment akin to “bear baiting” etc.

At each step on the way AI input into communications becomes more broadly used, which brings us back to the question of what do you do with an AI that writes “fake news”?

It’s a question that in various forms has been floating around for quite a while, some would say its roots go back into the 1960’s. MIT’s ELIZA[1] created in their AI Lab to demonstrate not just simple natural language processing but also the superficiality of much of human conversational communications, thus being an early example of why the Turing Test has a major weakness in it.

Today we call such things as ELIZA “chatbots” but, things progressed with later designed systems that could classify music by composer and written text by author. Some of this work has ended up being used to detect plagiarism and other cheating in students’ work by looking for a change in the student’s style etc.

But as has been pointed out such filters can fairly easily be turned into generators. Even simplistic brute force techniques will produce input into a cascade system that will refine it at each stage, finally producing something that is acceptable.

As with malware writers testing their code against AV software until it passes, the same techniques could be used to evade all the AI Social Media filters the likes of certain large Silicon Valley organisations are cooking up to fend off politicians’ mainly uninformed arguments.

Unfortunately, as we know with Malware and AV Software, it is a form of asymmetric warfare where the defenders can only draw or lose, whilst the attackers will always have a time window in which to win.


Sancho_P August 27, 2019 10:58 AM

@tds, (Sed Contra)
Re: “Searches of Digital [NOT] Evidence”

Thank you for the (Volokh Conspiracy) Orin Kerr link !

Usually I avoid Orin Kerr because of already high blood pressure, but this one is another O.K. gem. The only doctrine he doesn’t know about is the doctrine of “Innocent Until Guilty”.

In my opinion a warrant is mandatory to deep search private property.

(I assume) Ms. Jones did not ask for permission to access briefcase or thumb drive.
So her action was wrong in the first place.
The officer did not ask for permission: This was wrong, too.
(Nice, they plug in whatever device they find, just to help … Good to know!)

Btw., what if Ms. Jones has planted the “evidence” on the drive, long ago, in a folder, not detected by the “victim”?

And if detected and deleted (found 10 deleted), still guilty of possession?
If someone uploads CP to my blog, does my provider have to burn the server?

Right is right and wrong is wrong, only law twisters try to turn upside down.
It’s their business:

“Here, though, it seems that the government was just trying to find the file Jones had already seen.” (Orin Kerr’s innocent suggestion)

  • On Mr. Terrell’s property, was just trying to help, I see.

“Oh yeah let’s twist again, …”

I could, unpunished, punch O.K. in the face because someone else did it before?

  • Oh sorry, I understand, only police can.

MarkH August 27, 2019 5:35 PM

Russian Federation Cyberwarrior Recruiting

I saw an interview of Kate Fazzini, a cybersecurity reporter for financial news network CNBC.

Her recent book, Kingdom of Lies, profiles three cybercriminals, none of whom is identified by overt name.

In the interview, Fazzini discussed an arrangement used by the Russian government which has two benefits:

  1. aiding recruitment of high-level hackers, whose expertise is rare and often difficult for governments to access; and
  2. assisting Russian denials of its cyber warfare activities.

The essence of this arrangement, is that the government will identify an exceptionally proficient cybercriminal, and agree to allow that person to continue lucrative criminal activities in exchange for doing government-directed attacks when requested.

An excerpt from the interview transcript:

… you have criminals who are sort of allowed to do what they do as long as when it comes time for the Russian government to call them, they are willing to pay the price, pay the tax for being allowed to do those criminal activities and what you have is this beautiful plausible deniability [when] Russia is taking part in some major action against the Ukraine or the United States.

It is very easy for the Russian government to say “we didn’t tell these people to do this stuff,” or that “they are not parts of the government.”

“Maybe they were just patriotic Russians,” which is the line Putin has used, “but they aren’t actually working for us.”

It has set them up with a situation that is hard to fight from our point of view.

In contemporary Russia, partnerships between the national government and criminal organizations are fairly routine, so this “hacker recruitment” tactic is not exceptional.

tds August 28, 2019 9:00 AM

tl;dr 60 Minutes on Ransomware and Spyware

“CEO of Israeli spyware-maker NSO on fighting terror, Khashoggi murder, and Saudi Arabia

An Israeli company licenses software around the world that can crack just about any smartphone, but is its use always on the side of good?

Tonight we’ll take you inside the growing, shadowy global market of cyber-espionage. We looked specifically at a controversial Israeli company called the NSO Group, valued at nearly a billion dollars, that says it developed a hacking tool that can break into just about any smartphone on earth.

As we first reported in March, NSO licenses this software, called Pegasus, to intelligence and law enforcement agencies worldwide”

Clear Blue Oceans August 28, 2019 12:59 PM

Magic Unicorn Thought of the Day:

How can modern and archaic tools be creatively used in alternative and surprising (or subtle) ways to actively reduce harms to lives?
Think specifically, of if you suddenly had to resist every modern technological convenience as well as a few older traditional circumstances or infrastructures.
How would you be able to regain self control, freedom, expressiveness, mobility, stamina, and memory?

Kurzgesagt Hints of Hope:

0) Innovate techniques to block and halt misdirected or misinterpreted control signals and data signals.
1) Optimize for lowest reasonable working bandwidth possible (and begin using those settings!).
2) Study your own time management abilities.
3) Sideload internetworked activities to non networked replacements.
4) Study the history and procedures of your chosen activities and attempt to improve them and solve their historical problems.
5) Consider your most needed resources at all times.
6) Profile every disruptive attack style that affects your work and play to better block and halt them.
7) Introduce your frenemies to alternative activities and items which specifically and strategically are safer and much less bothersome and less dangerous (ideally, those activities ought to be totally harmless).
8) Restructure interfaces to better translate (or not translate at all) into other languages and formats; specifically, preplan to defend against mistranslations and syntax errors derived from adapters and pattern recognition systems, automated conversion systems, and automatic translation services. (I’m not very good at it yet either!)
9) Consider real and hypothetical mistakes made by yourself and attempt to adjust, adapt, recover, and modify.


0) What are the digital data risks of entangled computer cords? I already know the answer to this, I just want to see if anybody else wants to explain or corroborate or expand knowledge of this phenomenon. . . . ?
1) What are some additional beneficial locksmithing techniques that can be implemented physically for digital systems? (non digital, non binary switches and mechanical apparatus)?
2) What are some additional suggested beneficial techniques of self protection beyond data theft protection and the use of ballistics?
3) Which organizations and individuals affect the transportation industries the most?
4) Which organizations and individuals affect civic engineering industries the most?
5) What are several other security oriented websites (instead of this one) that are worth studying?
6) *How would you solve the problems of if all of your communications techniques were ostensibly blocked and you had lost significant physical control of your own body? (This one is quite important and quite serious, yet 100% legitimate)…?
7) *What would you want to communicate to others if all of your communications techniques were ostensibly blocked and you had lost significant physical control of your own body? (This one is ALSO quite important and quite serious, yet ALSO 100% legitimate)…?
8) Which organizations do you believe are the most dangerous yet the least known?
9) WITHOUT NAMING NAMES, which types of behaviors best enhance cultural and technical stability in the largest effective quantities within a modest duration of time?


The URL above was a previous project of mine which was derailed by malicious hackers:

No serious worries, it’s mostly only images. The explained contents of such images are still of use to any Linux users who might still want to use PulseAudio instead of JACK Audio Connection Kit, yet without the extreme default latency (lag time).
This is also of use to those who don’t mind using Wine Is Not an Emulator (WINE) to run Microsoft Windows compatible programs from within Linux. Keep in mind, there are several^several editions and versions and permutations of Linux (the operating system). The popularity and ranking statistics and reviews and even printed books can be rather misleading; really, the only way to get a decent idea of which ones are more reliable is to combine trial and error with active study and research. If you can’t do all that, you’ll need to be friends with someone else who does those things. And certainly do not antagonize them; you might need their help someday, even if you currently prefer to use other tools.

Please be warned that there are a few errors that are not yet corrected, and probably never will be, because the hackers locked me out of my own accounts (as they usually do). So I won’t be fixing the mistakes because I can’t get to my own files on the server.
Still, PNG files aren’t very hard to view from almost any digital device. And even an OCR (optical character reader) could still interpret some of the contents despite the curly Q arrows and annotations.

FREE LOSSLESS IMAGE FORMAT (FLIF): I think the “*.flif” format shows a lot of promise. In particular, it could be further developed for uses similar to LICEcap.exe (screen_to_animated_GIF).


Sherman Jay August 28, 2019 6:29 PM

I know this is not new to most here, but it is still a dangerous security issue that has not been addressed by those who could do something about it.

‘the russians’ aren’t the biggest threat to voting security.

Stacy Abrams is very intelligent and concise in her description of how ‘voter fraud’ (voters voting more than once) has been proven a myth and how targeted voter suppression is a huge threat to voting security. (North Dakota just made it impossible for most Native Americans to vote, the N.D. govt now requires a ‘street address’ for voting registration. Yet, most N.D. Native Americans live on tribal land where there are no street addresses)

AND, on the continuing ‘absurd technology’ side of things: among many sites reporting this viral video

ht tps://

this is only one example of the ‘clown-tech’ status of voting machines being used in the united states. As some would have us believe, Audit Trails are for sissies!

Clive Robinson August 30, 2019 4:59 AM

@ Bruce and the usual suspects,

Another one for the password file,

It’s an analysis of passwords that have survived other cracking attempts.

It starts as a fairly dull read (like most such articles) however it gets more interesting in the latter half.

However as the author notes they have not found “Atlantis”, which is actually not that surprising really. Because such a mythical password strategy by definition would be “unguessable” by ordinary mortals, and the “Gods of Chance” tend not to give up gold very often if at all.

If there is such a mythical password strategy the logical way to find it is to “backdoor” the “oneway process” in some way. The obvious one being to send the plaintext to a file etc. But as backdooring security processes is a big “No NO” anyone who does come up with this holy grail of the mythical password strategy is going to be suspected of doing just that… But the flip side is also logically, if you do find a mythical password strategy, that overcomes the deficiencies of the average human mind it will cease to be an effective strategy if you tell anyone.

Clive Robinson August 30, 2019 5:29 AM

@ Bruce and the usual suspects,

An interesting paper on automating the design development of adaptive chosen ciphertext attacks on symmetric encryption schemes,

Title :

    Using SMT Solvers to Automate Chosen Ciphertext Attacks

Authors :

    Gabrielle Beck, Maximilian Zinkus, and Matthew Green


    In this work we investigate the problem of automating the development of adaptive chosen ciphertext attacks on systems that contain vulnerable format oracles. Unlike previous attempts, which simply automate the execution of known attacks, we consider a more challenging problem: to programmatically derive a novel attack strategy, given only a machine-readable description of the plaintext verification function and the malleability characteristics of the encryption scheme.

Clive Robinson August 30, 2019 5:46 AM

@ All,

In a blog posting that could easily be entitled “seeing around corners” rather than “Wave-based Non-Line-of-Sight Imaging in Julia”,

Keith Rutkowski gives,

    An introduction to non-line-of-sight imaging, and how to create images of hidden objects around a corner in under 10 minutes!

It uses the recent work of David B. Lindell, Matthew O’Toole, and Gordon Wetzstein and a few lines of Julia code you can download and play with.

Clive Robinson August 30, 2019 7:23 AM

Facebook app code signing key misappropriated

It appears Facebook let a code signing key for one of its Android apps escape from its grasp and it’s been subsequently used by others.

So a big security “no no” by Facebook and exploitation of the “no no” by others, but worse Facebook has not come clean about it thus endangering many users,

tds August 30, 2019 9:01 AM


Thanks for your post.

iOS 12.4.1 is out. More links:

“Google finds malicious sites pushing iOS exploits for [almost three] years

Google finds exploits for 14 iOS vulnerabilities, grouped in five exploit chains, deployed in the wild since September 2016.


“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a member of Google Project Zero, Google’s elite security team.

The exploits also didn’t require any user interaction to trigger. Google said the first website to host any of the exploits went live on September 13, 2016. The websites appeared to have been hacked, and the exploits planted by a third-party, rather than the site owner.

“We estimate that these sites receive thousands of visitors per week,” Beer said.


The Google researcher also warned that other similar hacking campaigns and exploit chains might still be around, and described the sites Google found as “a failure case for the attacker.

“There are almost certainly others that are yet to be seen,” he said.

Google didn’t release any information about the sites serving the exploits.

So, people with access to big chunks of network traffic should probably scout for HTTP POSTs to "/list/suc?name=".
— Costin Raiu (@craiu) August 30, 2019"
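As an added example (not from the quoted article or tweet), a small Python scanner that applies Costin Raiu's suggestion to web-server or proxy access logs in the common "combined" format; the log lines are constructed, and the path and parameter names are the ones quoted in the tweet.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" access-log layout; the fields we need are the
# client address, the timestamp and the request line "METHOD TARGET PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path and query parameter quoted in the tweet above.
BEACON_PATH = "/list/suc"
BEACON_PARAM = "name"

def is_beacon(method, target):
    """True for a POST to /list/suc carrying a 'name' query parameter.
    urlsplit() also handles absolute targets as seen in proxy logs."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    if parts.path.rstrip("/") != BEACON_PATH:
        return False
    return BEACON_PARAM in parse_qs(parts.query, keep_blank_values=True)

def find_beacons(lines):
    """Return (client_ip, timestamp, target) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than crash
        if is_beacon(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits

# Constructed sample lines (not real traffic); documentation-range addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Aug/2019:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Aug/2019:09:02:40 +0000] "POST /list/suc?name=AABBCC HTTP/1.1" 200 17',
    '203.0.113.4 - - [30/Aug/2019:09:03:01 +0000] "GET /list/suc?name=x HTTP/1.1" 404 0',
    '203.0.113.5 - - [30/Aug/2019:09:04:55 +0000] "POST /list/success?name=y HTTP/1.1" 200 5',
    '203.0.113.6 - - [30/Aug/2019:09:05:10 +0000] "POST /list/suc/?name= HTTP/1.1" 200 5',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, target in find_beacons(SAMPLE_LOG):
        print(f"{ts} {ip} -> {target}")
```

Matches on a sample this small are only a starting point for triage; on real traffic, pair the hit with the client's other requests and the iOS versions involved before treating it as an infection.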

tds August 30, 2019 9:14 AM

“How to Extract and Decrypt Signal Conversation History from the iPhone

With over half a million users, Signal is an incredibly secure cross-platform instant messaging app. With emphasis on security, there is no wonder that Signal is frequently picked as a communication tool by those who have something to hide. Elcomsoft Phone Viewer can now decrypt Signal databases extracted from the iPhone via physical (well, file system) acquisition, and that was a tough nut to crack.

What exactly makes Signal so difficult to crack? Let us first look at how one can gain access to users’ communications occurring in other instant messengers.”

MarkH August 30, 2019 10:11 AM


Wow, that business of imaging around corners is bizarre! I would have thought it infeasible, but it started to make sense when I saw its reliance on laser illumination.

The picosecond exposure time corresponds to a “light depth” of about 0.3 mm.

In the future, everything will be visible … but nothing will be seen.

Sancho_P August 30, 2019 5:52 PM

@tds re O.K.

I can’t parse his Twitter lines, but:

I think on page 15 of the 11th circuit paper there is a mistake, ignoring that the IP address is also location information, by stating “… but it [the NIT malware] didn’t (and couldn’t) reveal whether the computer was at the owner’s home or office, at Starbucks, or in the car on the move.”

For each and every “location” one would likely connect to a different provider, say company, at home, at Starbucks and to the mobile provider from the car. While at first glance the IP will not reveal a street address, it will allow the distinction between locations, in contrast to access from one single place like home.

Call it a technical misunderstanding, not a technical noncompliance, but the result will be the same.
