
    Monday, April 30, 2018

    The moment that elevated mum from $user to $admin Tech Support

    The moment that elevated mum from $user to $admin

    Posted: 29 Apr 2018 07:29 AM PDT

    Hey TFTS. LTL;FTP.

    Like most of you here, I too have parents who are largely tech-illiterate. But over the last two years, I've been making a conscious effort to get my parents (especially mum) to understand computers better.

    I'm a big believer in the ol' "give a man a fish, and you'll feed him for a day; teach him how to fish, and he can have food for life" mentality. So rather than showing mum how to resolve her every problem, we go through a process of:

    • what do you think is wrong?
    • and how are you going to solve it?

    Now admittedly, things do get incredibly frustrating in this process, and it can often take ~1/2 hour up to 1 hour to resolve issues. BUT, it has slowly been working.

    So today, mum came to me with a problem, and as usual, seemed to blow it way out of proportion.

    $mum: My phone is broken.

    $me: What do you mean?

    $mum: The camera doesn't work.

    $me: What do you mean exactly?

    $mum: When I go to the camera app, it says connection cannot be established

    $me: So have you tried anything to resolve it? (insert smirky face)

    $mum: I turned it off and on again. But that didn't work...

    $me: uh huh.

    $mum: So then I booted the phone into recovery mode.

    $me: (cue disbelief)

    $mum: And then I wiped the cache partition.

    $me: (sustained disbelief)

    $mum: But when I rebooted the phone, it still didn't work. So I thought the problem might be larger than that.

    $me: ...

    $mum: So I went onto several forums, and a lot of other people describing similar problems said it turned out to be a hardware fault.

    $me: How the hell did you know how to do that?

    $mum: I googled it.

    $me: (cue jaw drop) So... I guess your phone is broken.

    $mum: Yeah. That's what I told you in the beginning.

    This is the same person who two years ago didn't even know how to use the volume buttons on her phone - now troubleshooting all on her own...

    Mum, I am so proud of you. You've now been granted admin privileges.

    submitted by /u/tan_iel
    [link] [comments]

    a Big Bank nearly cut by Hanlon's Razor

    Posted: 28 Apr 2018 11:46 PM PDT

    I alluded to the following at the bottom of this tale. Please note, the dialogue is not verbatim, but close enough to the story as (a) I remember it and (b) as I am telling it.

    It was very early in the 21st Century, and I was working for a(nother) multinational - this one based out of Europe, and specialising in First Generation Internet Banking (IB) software. In fact, it is where I found my passion for Web Application Security and Hacking - which led me a few years later to teaching that topic (among others) at a Technical College, and contributing a little here and there to some other research in the area. But I digress.

    This incident was reported to me by the BigBankingCustomer people that I had 'won over' (won back?) in my previous tale (above). We now had a mutually high level of trust, and things were pretty well "back on track" as far as the relationship went. Oh, btw - I did spend some more time on site with them when we had a "major upgrade" to the software (Java client, Windows Web Server front end and my UNIX™ server middle). I was blown away by their entirely separate 'copy of the Internet' in their test centre - it was limited in where you could go, but it was an amazing little data centre for testing their entire suite of software - including our IB software - in a "real world" environment.

    Well, when I say the "incident was reported to me by the BBC" - that's not quite true. They had another issue; one I couldn't reproduce on our test system (too small, nowhere near enough transactions per minute) so I asked them to send me their log files.

    They did. Burned to a CD-ROM. Sent by snail mail. With no protection (well, a piece of cardboard). Not even "sign on receipt".

    So, I pop the CD in, and start trawling through the log file. I thought "hmmm... I wonder if my banking id number is in here?" It was.

    Then I noticed something that sent a chill down my spine.

    Several lines later, my password was there - in plain text - for all (where "all" is defined as "me" in this particular instance) to see.

    "Oh $#!+!" I thought. I don't think I said it with my 'outside voice' - but I may have.

    I called my lead tech contact at BBC and asked them if they had an account with their employer, and if they used the IB system?

    "yes" and "yes" - followed by "why?"

    Me: what's your banking id?
    Them: 123456789 [obviously not the real number]
    /me does quick grep of file - and bingo! Look a couple of lines down...
    Me: is your password "abcdefg"? [again, not the real password - what kind of a schmuck do you think I am? ;) ]

    silence...

    Me: hello?
    Them: how did you get that info?
    Me: you gave it to me?
    Them: no, I didn't.
    Me: yes you did. You sent me the logs on CD last week. They're all there, in plain text.
    Them: $#!+!
    (they may have actually said an anagram of "French Connection United Kingdom" - it's a while back)

    Me: I am going to release an "Emergency Mandatory Patch" next week - as part of the install script we will backup and encrypt the old log files with a user-entered password, erase the logs, and then start writing new logs with obfuscated passwords. I will get back to the [original problem] after that.

    I did.

    Now kiddies, let's talk about "responsible disclosure". I could have trawled through the log files and picked up hundreds of userid / password pairs and tried them on the live system to "check that they worked". And this is the sort of thing that some have wound up in gaol for (or are facing some serious time). If by checking something, and you are pretty sure your suspicions are confirmed, then it makes no sense to do it another hundred or so times to "make sure". You already know. Especially after two items are confirmed as "real", there is no need to iterate through another hundred, or two.

    It worked for n, and it worked for n+1, there is no need to test for n+2..1000 (or more).

    Fortunately, the Europeans had done a good job of architecting the logging of this system, and so there was only one place I needed to make a change, so that whenever the password was about to be issued to the log file, a string of "********" was sent to the logfile. Yes, the password was still in memory - but it was required as it was being sent to the BBC's Big Iron via a message queueing system, where the actual account details resided.

    I passed the same patch to my team mates looking after other banking institutions, and passed the fix back to Europe so they could roll it out to all the other customers across the globe. In less than a month my mandatory patch had been applied many, many times across many financial institutions. Of course, having worked for |a|n|a|l|o|g| the previous century (before they were gobbled up) it was not my first 'global rodeo' ;)

    tl;dr - massive security leak averted by eagle eyed (newbie) C-programmer - shares his joy horror with BBC colleague - and then around the world.

    edit: formatting {sigh}

    p.s. yes, I did fix the originally reported problem - from memory it was a memory leak, and I just needed to release an object when it was no longer required (no garbage collection in C).

    submitted by /u/harrywwc
    [link] [comments]
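The fix the post describes is a single choke point through which every log line passes, where the password value is swapped for "********" before it reaches the file. The following is an added example in C (the poster's language) and is not the code from the post or the bank's product. It assumes a log format of delimiter-separated key=value tokens and a short list of sensitive key names; both are assumptions for the example, as is the `pin` key.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the original poster's code. One choke point through
 * which every log line passes; the value of any sensitive key is replaced
 * with MASK before the line reaches the file. The key=value line format and
 * the key names below are assumptions for the example. */

#define MASK "********"

static const char *const SENSITIVE_KEYS[] = { "password", "passwd", "pwd", "pin" };

/* Delimiters that separate key=value tokens in the assumed log format. */
static int is_delim(char c) {
    return c == ' ' || c == '\t' || c == '&' || c == ',' || c == ';' ||
           c == '\n' || c == '\r';
}

/* Case-insensitive test that s begins with key (stops at the first mismatch,
 * so it never reads past the end of s). */
static int ci_prefix(const char *s, const char *key) {
    for (; *key; s++, key++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*key))
            return 0;
    return 1;
}

/* If the token at p is "<sensitive key>=", store the key length and return 1. */
static int is_sensitive_key(const char *p, size_t *keylen) {
    size_t i;
    for (i = 0; i < sizeof SENSITIVE_KEYS / sizeof SENSITIVE_KEYS[0]; i++) {
        size_t n = strlen(SENSITIVE_KEYS[i]);
        if (ci_prefix(p, SENSITIVE_KEYS[i]) && p[n] == '=') {
            *keylen = n;
            return 1;
        }
    }
    return 0;
}

/* Copies in to out (capacity outsz), replacing the value of every sensitive
 * key=value token with MASK. A token starts at the beginning of the line or
 * right after a delimiter, so "mypassword=x" is left alone. Returns the number
 * of values masked, or -1 if out is too small. */
int redact_line(const char *in, char *out, size_t outsz) {
    size_t o = 0, klen;
    int masked = 0, token_start = 1;
    const char *p = in;

    while (*p) {
        if (token_start && is_sensitive_key(p, &klen)) {
            if (o + klen + 1 + strlen(MASK) >= outsz) return -1;
            memcpy(out + o, p, klen + 1);      /* keep "key=" as written */
            o += klen + 1;
            memcpy(out + o, MASK, strlen(MASK));
            o += strlen(MASK);
            p += klen + 1;
            while (*p && !is_delim(*p)) p++;  /* drop the real value */
            masked++;
            token_start = 0;
            continue;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *p;
        token_start = is_delim(*p);
        p++;
    }
    out[o] = '\0';
    return masked;
}

/* The single write path: every line is redacted before it touches the file.
 * Returns 0 on success, -1 if the line could not be redacted or written. */
int write_log_line(FILE *fp, const char *line) {
    char buf[1024];
    if (redact_line(line, buf, sizeof buf) < 0) return -1;
    return fputs(buf, fp) == EOF ? -1 : 0;
}

int main(void) {
    /* Constructed sample log line; the ids are placeholders, not real data. */
    const char *sample =
        "ts=2018-04-28T23:46 user=123456789 password=abcdefg action=login\n";
    return write_log_line(stdout, sample);
}
```

Routing all writes through `write_log_line` is what makes the fix a one-line change rather than a hunt through every call site, which is the architectural point the post credits the European team with. Redacting at the write path also covers the case where a caller forgets to mask a field itself, and the `-1` on a too-small buffer refuses to write a truncated line rather than risk emitting a partial secret.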
