Archive for April 2018

There is a new exploit out in the wild that can crash pretty much any Windows computer within seconds.

Actually, this bug has been around at least since July 2017 and consists of a malformed NTFS image which, when placed on a USB thumb drive and inserted into a Windows computer, will crash it within seconds. One of the reasons this automatic BSOD generation works is the auto-play functionality. But even if auto-play is disabled, manually opening the file, or having it opened by anti-virus snake oil software, will achieve the same effect.

Marius Tivadar, the researcher who discovered this flaw in 2017, told Microsoft about it. Microsoft declined to classify the issue as a security bug and also downgraded the bug’s severity because

exploiting it requires either physical access or social engineering (tricking the user)

Now, when did “tricking the user” ever work? And of course Microsoft apparently has never heard of malware which can simply download additional features such as this to your PC for your bluescreening pleasure.

Proof-of-concept code is available on GitHub, so everyone can have fun with this now. Marius also published two videos of the exploit in action, showing that it can crash locked PCs as well.

Authorities in Innsbruck, Austria have shut down the Patscherkofelbahn ski lift after two security researchers managed to gain access to the controls for operating the lift.

Settings for controlling the ski lift’s speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.

Of course the big question is: How did the researchers get access? After all, a transportation “vehicle” carrying thousands of passengers a day is reasonably secured against tampering from the outside, right?

The two were surprised because there wasn’t any login screen to prevent Internet users from accessing and interacting with the HMI [Human Machine Interface] panel.

Oh, ok.

Researchers have used the officially available Alexa SDK from Amazon in order to hack the Amazon Echo and turn it into an eavesdropping device.

They created a calculator app and simply set a parameter called shouldEndSession to false, which makes the app expect a second question from the user right after the reply to the first. The fun thing is that this does not require another command phrase like “Alexa, open calculator”. Effectively, Alexa remained open and listening, converting the speech into words that were stored as text and visible to the app developers via the app’s logs.

Every day I am puzzled by the stupidity of people paying Amazon in order to place a bug in their apartments.

The German Supreme Court has published a press release (German) which explains the decision in a recent court case about the adblocking software AdBlock Plus. The digital publishing house Axel Springer, in Germany probably most known for its tabloid BILD which likes to publish fake news, sued the adblocking company behind AdBlock Plus, claiming its software is anticompetitive.

Luckily, the court did not see it that way and ruled that providing and using an adblocker is legal. One of those rare and important wins.

On a side note:

The BILD tabloid is a particularly nasty piece of crap made in Germany, and its owner Axel Springer has already been sued numerous times for defamation and the spreading of lies. They particularly like to focus on people who have to defend themselves in court and prejudge them before their case is even close to being ruled on. Even if those people win their case, BILD might still keep on printing articles as if they had been found guilty. The most famous case, against the weather presenter Jörg Kachelmann, who was wrongfully accused of rape by his ex-wife (she was convicted herself for false accusations in the end), ended in BILD having to pay (German) 395,000 EUR to Kachelmann in damages. Note to readers from the US: for Germany this is actually quite a lot. We do not have punitive damages in law, only compensatory. Quite often you never get more than a few thousand EUR if you sue for damages. Those 395k are therefore pretty extreme by German court decision standards.

The OPCW has released a shortened version of their report on the investigation of the agent used to poison Sergej and Yulia Skripal.

The results of analysis by the OPCW designated laboratories of environmental and biomedical samples collected by the OPCW team confirm the findings of the United Kingdom relating to the identity of the toxic chemical that was used in Salisbury and severely injured three people.

This confirms what it was but not who used it. Sadly, a couple of German media outlets have problems grasping the difference between what and who. The OPCW further notes that

The TAV team notes that the toxic chemical was of high purity. The latter is concluded from the almost complete absence of impurities.

Apart from the great wording (the substance is considered pure because it was pure), this also means that it is actually quite difficult to pinpoint the origin of the agent. This is usually achieved by looking at the impurities, which can be characteristic for a certain point of origin, not unlike a fingerprint, if you like to look at it that way. A state actor seems likely, as purifying such agents is resource-intensive. However, every high-technology country out there could manage that, including the UK themselves.

In a nutshell, this report says “It was novichok and we have no idea where it came from”. Of course this does not stop the UK from taking this as proof that the Russians are behind it all.

This statement of course came from Boris Johnson, who has already proven during the pre-Brexit era that truthfulness is not one of his main traits. Fun times ahead!

Last week, 18 Palestinians were killed by Israeli forces during protests taking place at the Gaza “border”.

The UN of course disagrees with this tactic, and UN secretary general António Guterres called for Israel to exercise extreme caution. The UN human rights spokeswoman Elizabeth Throssel also chimed in, stating that wilful killing of civilians constitutes a breach of the fourth Geneva convention.

In the following attempt to reconcile, Israel shot at least 7 more. What were the Palestinians doing there anyway?

Among those who turned up was Ali Bakroun, 19. “I came here with my friends to fly the kite we made this week,” he said. “I wrote our names on it. We got close to the fence to throw stones but we stayed in a low place so we would be under cover. I’m not afraid to be shot or killed because our land deserves our lives.”

Throwing stones and flying kites… more than enough reason for Israeli soldiers to use live ammo…