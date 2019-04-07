Language Selection

Security and Proprietary Software

Saturday 8th of May 2021
Security
  • This Week In Security: BYOVD, Spectre Vx, More Octal Headaches, And ExifTool | Hackaday

    I learned a new acronym while reading about a set of flaws in the Dell BIOS update system. Because Dell has patched their driver, but hasn’t yet revoked the signing keys from the previous driver version, it is open to a BYOVD attack.

    BYOVD, Bring Your Own Vulnerable Driver, is an interesting approach to Windows privilege escalation. 64-bit versions of Windows have a security feature that blocks unsigned kernel drivers from the kernel. The exploit is to load an older, known-vulnerable driver that still has valid signatures into the kernel, and use the old vulnerabilities to exploit the system. The caveat is that even when a driver is signed, it still takes an admin account to load a driver. So what use is the BYOVD attack, when it takes administrative access to pull off?

    [...]

    The Exim mail server was started in 1995 as a Mail Transfer Agent for Unix machines. Qualys audited Exim, and the results weren’t pretty. Qualys calls the result 21Nails, as there are 21 serious vulnerabilities found in the effort, many of which existing as far back as the git history of the project. While the report doesn’t include PoC code, they will likely be quickly developed independently, so if you run Exim, go update your servers now.

  • Investment Scammer John Davies Reinvents Himself?
  • Stadia Exodus Continues As Product Head For Stadia Exits

    The troubling signs for Google's video game streaming platform Stadia continue. While I have to admit that I had really high hopes for Stadia, nothing about this has been smooth from launch to its current state of, well, who the hell knows what is going to happen to it. From a poor initial reception to questions about failed promises on performance, the conversation about Stadia quickly focused on the platform not offering much in the way of an actual game catalogue to play. Less than a year later, Google made this problem even worse by disbanding its own in-house game developers, leading to more fallout when Stadia could suddenly not support its own internally developed game.

  • UK Court Overturns 39 Convictions Of Post Office Workers Caused By Buggy Software

    Never underestimate the power of technology to destroy lives. Flawed software used for the last 20 years by the UK postal service resulted in dozens of wrongful criminal convictions which are only just now being overturned.

  • BT Smart Hub 2 router 'disrupting' home networks

    Users are complaining that any devices not linked to the same frequency, such as a phone and a speaker, are refusing to communicate with each other.

    BT is offering firmware updates to those affected.

  • U.S., U.K. Reveal Code Flaws Abused by SolarWinds [Crackers]

    The report contains technical resources about the group’s tactics, including breaching email in order to find passwords and other information to further infiltrate organizations, in addition to providing software flaws commonly exploited by the [crackers]. It also offers details about how network administrators can counter the attackers’ tactics.

  • In Epic v Apple, everybody is losing at the game of defining games

    What is the difference between an “app” and a “game?” This sounds like a stoner question but instead occupied a fair amount of the morning in Epic v. Apple. Roblox, explained Apple’s marketing manager Trystan Kosmynka, was an app. See, games have a beginning, an end, and challenges. “There’s experiences within Roblox that we did not look at as a game,” Kosmynka said. We did establish that Minecraft is a game, though, so that’s nice for Microsoft.

    Judge Yvonne Gonzalez Rogers did not understand this distinction and neither did I. But here’s the problem for Apple: if Roblox is a game, then it’s fairly easy for Epic to compare Fortnite to it. Also, looking up Roblox in the App Store after Kosmynka testified, it is categorized as a “game.”

Postmasters and Miscarriages of Justice

Saturday 8th of May 2021
  • A Very British Case: Postmasters and Miscarriages of Justice

    There were figures such as Seema Misra, convicted for stealing £74,000 in cash from the Post Office branch under her stewardship in West Byfleet in 2010.  At the time, the press delighted in calling her the “pregnant thief”.  Her husband was assaulted by locals.  Della Robinson, who ran the Dukinfield, Greater Manchester Post Office, could not account for £17,000 by 2012.  She was suspended, reported to the police and faced a community service sentence.

    The reason for their convictions lay in the accounting nightmare produced by the Horizon system.  It had ominous beginnings, growing up from a contract between the computer company ICL, the Post Office and the Benefits Agency, all part of what were termed private finance initiatives (PFI).  Developed by Japanese company Fujitsu, Horizon featured a swipe card system for paying pensions and benefits via the counters of Post Office branches.  The venture proved calamitous, ailed by chronic mismanagement, weaknesses in the technology and general human incompetence.  The cost of that endeavour to the British taxpayer: £700 million.

