Archive for May 2018

In a seriously unpopular move, smartphone maker Huawei disclosed that they will stop offering unlock codes for their devices’ bootloaders. They say they want to

[…] deliver the best user experience and prevent users from experiencing possible issues that could arise from ROM flashing […]

As in: digital self-determination, full control over the devices that you paid for, removal of bloatware, or just the general freedom to mess around with stuff that you own. This is definately a reason to no longer buy Huawei devices. Manufacturers that want to dictate how you use your device should not be supported at all. Reddit and Twitter are apparently already loaded with Huawei customers that are announcing to return their most recent Huawei merchandise in order to move to more open brands.

In the end I think that we urgently need laws prohibiting hardware manufacturers from locking down their systems. If you pay for it, the silicone should be yours to do with as you please. Of course, if you brick the device in the process, it is your own damn fault. So no suing of hardware manufacturers because you decided it was a good idea to yank out the data cable while flashing a new rom! But you should have the right to do whatever you want to your devices.

This is actually the same reason why I would never ever buy an iPhone. I am the one telling my phone what to install, what to load, and what to execute, not the other way around.

The German right-wing political party AfD apparently has been offering 50 Euro (German link) to people willing to attend a rally, scheduled for the 27th of May, to protest “for Germany” in Berlin. Overall they apparently wanted to use 1500 EUR to pay for the first 30 protesters to join up.

After a member of the AfD at first denied these allegations, the party’s speaker Robin Classen confirmed the plan to pay off protesters. The sweet sweet irony in this is that numerous members of the AfD claim that the left-wing parties regularly pay people to attend political demonstrations. For a while now I have been getting the feeling that the AfD is trying to immitate Trump to the best of their abilities. Especially his proclivity for fucking up in the most embarrassing of ways ^^

Remember the urgent public safety issue from not too long ago? Turns out the FBI has repeatedly overstated figures in connection to the so-called encryption threat to the Congress and public. Among others the FBI claimed they were locked out of nearly 7,800 devices connected to crimes when, in reality, the actual number was more between 1,000 and 2,000. Apparently a “programming error” is to blame which lead to miscounting of the devices. Yeah … right …

Another Day Another Backdoor

Wed, May 23, 2018

Kaspersky Lab researchers have discovered a backdoor in D-Link DIR-620 routers. There is also no way for the owners of these routers to disable this account. There are also three other vulnerabilities the researchers found in the firmware of these devices. Recovery of Telnet credentials, URL injection leading to the execution of OS commands, and XSS in the “Quick Search” admin panel are the other three.

The United States senate has voted to preserve net neutrality. Three Republicans joined all of the Democrats. This is a good first step but this vote is only the beginning. The issue still has to pass the House where supporters have to win over more than 20 Republicans. Of course a few states are already implementing net neutrality rules themselves but this vote sends a nice signal out to the current administration.

PGP Vulnerabilities Discovered

Mon, May 14, 2018

Security researchers have discovered vulnerabilities within implementations of PGP and S/MIME. Now, apparently the GnuPG team was not contacted beforehand and they dismiss the recommendation of the researchers, to immediately stop using anything PGP or S/MIME related, as overblown.

While the researchers refused to immediately disclose the exact nature of the vulnerabilities the GnuPG team has released a statement. The gist of the vulnerabilities seems to be using malicious scripts to exploit broken MIME parsers. This also means that you are only vulnerable if you are using HTML mails, in which case you are evil anyway. ;)

A new cryptojacking campaign is going around which leverages a vulnerability in the Drupal content management system. Security researcher Troy Mursch has a nice writeup on the issue and also runs a list of affected sites.

Basically the vulnerability is exploited to install cryptomining javascript code which then leverages the CPU of website visitors to mine cryptocurrency.

Among the affected sites are also such names as Lenovo, the UCLA, the Turkish Revenue Administration Aydin Tax Office (oh sweet irony), and DLink Brazil. Serving as an important reminder what can happen if you do not update your shit!

The German computer magazine c’t has published an article (english version) in which it claims to have exclusive information regarding eight new security holes in Intel processors.

Dubbed “Spectre Next Generation”, or Spectre-NG for short, these flaws apparently are more severe and more easily exploited than the previously known variants. At the moment they refrain from posting technical details to give Intel a head start but apparently one of the imposed deadlines runs out on May 7th.

With Spectre-NG you can attack the host system from a virtual machine or other VMs running on the same host, making these bugs extremely destructive to cloud and shared hosting providers.

It will be interesting to see how things unfold. Together with the recently released updated Ryzen CPU line from AMD, which seems to perform quite well so far, this might be even more reason to consider a switch to AMD. Provided they are not affected by Spectre-NG.