This weekend GPG developer and habitual liar Werner Koch announced a vulnerability that consumes unsanitized input allowing control characters to be called when file names are displayed (archived). The announcement and offered mitigations in conjunction with Koch's history suggest an intentional vulnerability in the software being "burned".
Category Archives: Software
S/MIME And Poor OpenPGP Email Client Behavior Leak Plaintext
Today disclosure of two plaintext leaking behaviors in email clients handling OpenPGP and S/MIME encrypted messages has been released (archived). The vulnerability affecting S/MIME is baked into the S/MIME standard and may only be mitigated by abandoning S/MIME, no other mitigation is possible. Meanwhile the plaintext leaking behavior affecting OpenPGP encrypted emails requires certain common but very stupid behavior on the part of an email client and the user allowing the email client to be involved in decrypting the message.
The attack in OpenPGP encrypted email involves the message being molested on the wire in such a way the plaintext metadata surrounding the cyphertext is modified to engage your typical email client's HTML rendering engine. If the email client is allowed to be involved in decrypting the cyphertext as is common with various client "plugins", the email client can "phone home" the plaintext after decryption to the message's molester according to the spurious instructions delivered to the HTML rendering engine. The mitigation for this vulnerability is hygiene and not allowing your email client to be involved in cryptographic operations beyond sending and recieving cyphertext blobs encrypted and decrypted elsewhere.
Intel Kills Internet Of Shit Remote Management App After Realizing Security Model Broken
Intel has killed its Android and iOS "Intel Remote Keyboard" app used to manage embeded computers in their line of Internet of Shit products (archived). The move was prompted by the discovery of three vulnerabilities allowing keystroke injection and arbitrary code execution. Rather than patch these vulnerabilties and the others likely to be found, Intel simply killed the app leaving their customers to find other remote management solutions.
USG Whispers Pleas Of "War On Terror" And "Special Operations Command" In MikroTik Router Shitware Case
In the absence of firm admissions of guilt, known USG influence outlets including Conde Nast publications are pleaing that the malware pushed into phuctorable MikroTik routers was part of a US Special Operations Command anti-Terrorism effort (archived, archived). Presumably this is part of the terrorist Pantsuit USG campaign to creating dialogue points for shifting the overton window on shitware.
"Bittorrent Inc" Milks Window To Let Code Execution Bug Live
Bram Cohen's (WOT: nonperson) venture "Bittorrent Inc." has let the full 90 day window for a remote execution vulnerability revealed through Google's irresponsible disclosure program nearly expire before issuing a supposed fix to their uTorrent software. To ensure a timely upgrade panic the details and a demonstration of the vulnerability are already available (archived).
Fiat Ram Trucks May Smash Their Operators
Reluctant to relinquish its tried and true status as THE day-late-dollar-short member of not yet Great Again American automakers; Fiat Chrysler Automobiles (FCA) announced today that it would be following in the footsteps of General Motors in recalling a great many of its great trucks for a "software error" that could end in a smushy death.
Affecting RAM 1500 and 2500 trucks built from 2013-2016 as well as big mother RAM 3500 trucks built from 2014-2016, over one million units will be recalled starting next month, significantly more than the number affected by FCA's Hot Death but only a quarter of GM's numbers from 2016.
The Dodge "software error" has been implicated in at least one death to date when side airbags and seat belt pretensioners failed to activate following an underbody collision leading to a vehicle rollover. No word on whether Dodge's engineers were also responsible for bugs in other TBTF products of Not Yet Great Again. Also no word on whether Herr Trump is planning to extend his recent Executive Order to include automakers but it would be pretty sweet if he did.
US Department of "Justice" Absconding With Botnet In Spanish Arrest
Fresh on the heels of an arresting alleged hacker Peter Levashov in Spain, the Department of Justice announced plans to disable a botnet – known as Kelihos – they claim was under his control and used to send spam emails and infect systems with ransomware. Acting assistant attorney-general Kenneth Blanco said the operation will "redirect Kelihos-infected computers to a substitute server", in order to block communications between infected devices and the botnet server, instead redirecting the compromised machines to the DOJ's own botnet servers. Levashov reportedly had been operating the botnet since 2010, and targeted computers running all variants of Microsoft Windows, the preferred target OS of botnet harvesters worldwide. The Department of Justice statement concluded by stating that "The US government will share samples of the malware with antivirus vendors in facilitate updates to their programs which will allow them to detect and remove Kelihos" while leaving government backdoors firmly in place.
"Bitcoin" (Altcoin) Unlimited Experiences Drop In Node Count Due To Remote Crash Vulnerability
The "Bitcoin Unlimited" node count experienced a very sharp ~65% drop around 7:30 PM UTC as a remote-crash vulnerability was made public on Twitter. The node count, as reported by coin.dance, fell to 259 from a previous measurement of 764 moments earlier.
The actual vulnerability is a result of the ineptitude of the "Bitcoin Unlimited" developers to incorrectly implement the usual "monkey see, monkey do" approach to software, by messing up the copy-pasting of power-rangerolade.
Peter Todd's straight Twitter disclosure was made in a context of heightened tensions among the two main flavors of idiocy, namely the SegWit peddlers and the Roger Verified "Bitcoin Unlimited" followers.
Death Cult Propagates Among Some Chinese Miners
As mentioned in Shinohai's latest shitcoin Roundup, a few single language Chinese miners have taken to expressing an unjustified degree of loyalty to yet another doomed anti-Bitcoin forking effort. In the same week the fork effort's defective client unintentionally fell out of consensus due to its inherent slop, Andrew Quentson (WOT:nonperson) published a purported "cosmetically corrected" interview with Jiang Zhuoer (WOT:nonperson) where among other things Zhuoer confesses to "SPV mining" while asserting to have 100 million dollars1 committed to destroying any actual Bitcoin network which remains after splitting his favored altcoin from Bitcoin.
If Zhuoer's intent actually corresponds to what the words printed in English mean,2 it represents a paltry counter to the deterrent presented by Mircea Popescu and other lords of the Most Serene Republic, which has thus far damped off earlier social engineering attempts to fork Bitcoin into something else before they could root.
Continued imprudence among mining pool operators suggests that a solution to the mining bug3 in order to disabuse certain activist factions of their imagined participation in Bitcoin. Importantly, recent efforts by the People's Bank of China to bring sanity to their local fiat/Bitcoin interfaces does not preclude future statal attempts to attack Bitcoin via the mining vector from the People's Republic of China. Sorry for your loss.
A mere 10,000 Bitcoins today, less tomorrow ↩
Such is the least of the curses handicapping the monophone single language speaker. ↩
Some solutions have been proposed to constrain the impact of the bug ↩
Bitcoin Foundation Celebrates Month Of Activity And RELEASE Milestone
In their September state of Bitcoin address the Bitcoin Foundation was able to celebrate a substantial milestone in the clean up of the reference Bitcoin implementation. A flurry of testing and tweaking has lead to foundation co-chair mod6 (WOT:mod6) declaring the project has finally reached its long awaited milestone of version 0.5.4 RELEASE. Though most of the functional improvements to the reference implementation have long been enjoyed on actual running of Bitcoin nodes, the title of RELEASE was withheld until sanity could be brought to the makefiles and build process at large. Substantial contributions in time, sweat, and blood were made by ben_vulpes (WOT:ben_vulpes), shinohai (shinohai), and trinque (trinque).