security research, software archaeology, geek of all trades

Legacy Code Strikes Again

This blog post describes using binary diffing to find security-relevant bugs in Windows 7 that were fixed in Windows 10. It's an interesting example of the problems you can get into if you don't fix bugs across all your product versions at about the same time.

CVE-2017-8685 is particularly sad. The system call NtGdiEngCreatePalette can leak uninitialized values from kernel memory to user-space; these leaks are quite serious security issues. This is basically the old GDI CreatePalette function. It's a system call because in Windows NT 4.0 (1996) Microsoft moved the GDI subsystem into the kernel for performance reasons. That may have made sense at the time, but at that time GDI was already a mess of complicated legacy code, so this was a large increase in attack surface that's been hurting security and stability for Microsoft users ever since.

What's especially sad about this function is that CreatePalette is only useful for palette-based displays, which became obsolete in the 1990s, around the time NT 4.0 came out. It's been about 20 years since this API was useful for anything other than compatibility with even older software ... or kernel memory disclosure!

9 days ago
Does anyone know why GDI hasn't been taken back *out* of the NT kernel? Modern graphics hardware wants to be driven completely differently anyway, I seriously doubt it's still a worthwhile performance hack...
9 days ago
NT 4 has been quite the gift for attackers

Making Every Vote Count – CNN at 6:45pm Eastern/ 3:45pm Pacific


This morning I was on CNN with Mike Smerconish to talk about why to replace the Electoral College with a national popular vote. It’s not for partisan reasons. Today’s Electoral College puts both major parties at risk – and also opens a giant security hole. Hackers can target as few as five states to swing an election.

Interested in fixing it? Read more at Making Every Vote Count. Also, the CNN piece will rebroadcast today at 6:45pm Eastern, 3:45pm Pacific. Or…watch it right now, here.


A tale of three cities, or The smart city as will and category error: a piece for the Seoul Biennale 2017


The following short piece is my contribution to Imminent Commons, the catalogue accompanying the 2017 Seoul Biennale of Architecture and Urbanism. I hope you enjoy it.

Humanity is now, we are so often told, an urban species. Though there are real questions as to what the numbers actually mean, the statistics on planetary urbanization are so often bruited about that they have become something of a cliché. What’s more, popular discourse on the subject appears to have internalized the notion that the great cities of Earth aren’t merely significant for their concentration of habitation, but for the beneficial effects that habitation gives rise to. Disproportionately generators of economic vitality, technical innovation and cultural dynamism, our cities may even be able to function as lifeboats capable of sustaining us through the ecological reckoning that is now bearing down on our civilization.

If it is an urban age, though, it is also a networked one. Between the comprehensive instrumentation of the built environment, and the smartphones that so many of us now carry through every moment of the waking day — simultaneously sensor platform, aperture onto the global network, and remote control for the connected systems and services all around us — the colonization of everyday urban life by information processing is virtually complete.

And finally, we appear to have entered an age in which the more-or-less stable neoliberal consensus that held global sway for the past four decades has started to erode. Thus far, the most notable and distressing result of this erosion has been a turn toward authoritarian and xenophobic ethnonationalisms of one stripe or another, its traces evident in the Brexit referendum, the 2016 US presidential election, and a long list of autocracies in the ascendant, from Russia to Turkey to the Philippines. But more hopefully, the eclipse of neoliberal hegemony has opened up a space in which some dare to imagine an entirely new way of organizing the productive processes of life: a commons beyond state and market both, in which networked collaboration, distributed material and energetic production, and horizontal forms of governance give rise to striking new possibilities for a just, equitable and fructifying

By leveraging the decentralizing tendencies that appear to be implicit in our networked technologies, and the configurations of power they in principle give rise to, we can even begin to imagine what a networked urban commons would look like, and how it might work, at global scale — as a desirable end in itself, an antidote to the anomie and widespread sense of powerlessness that underlie the turn toward xenophobic authoritarianism, and a means of restoring some semblance of ecological balance.

Those of us who are interested in bringing such a state of affairs into being, though, might find that our hopes are dashed at the outset by a lack of clarity about how the technologies involved actually work, naiveté about those parties who currently wield them most effectively, or confusion about what a true commons would require of us. At present, we can see networked technology being layered onto urban place along three basic trajectories: one based largely on the needs of multinational technology vendors; one with roots in the Silicon Valley startup culture; and one — the subtlest yet most promising of all — as yet indistinct. By examining each of them in turn, we can learn more about what is at stake in the advent of networked urbanism, and perhaps chart a course through the Scylla and Charybdis of unwise choices toward a more fruitful future for all.

§ Avatar I: Songdo

In his public appearances, the presidential candidate Moon Jae-in is fond of invoking a comprehensive vision of heavily technologized everyday life that involves “smart house, smart road, smart city” — indeed, an entire “Smart Korea.” There may be no place on Earth closer to concrete fulfillment of Moon’s objective than New Songdo City, a municipality of 90,000 souls built on some 53 square kilometers of tidal flats recovered from the Yellow Sea. In Songdo, both domestic spaces and the entire built fabric have been instrumented, allowing the city’s controllers to monitor and adjust traffic flow and energy utilization in real time.

As ambitious as this sounds, it’s an only slightly more elaborate version of a conception of networked urbanism that is common to municipal administrators and technology enthusiasts the world over. In its raw outlines, this conception seeks to harness the CCTV cameras and networked sensors installed throughout the urban milieu, as well as the torrential streams of data flowing off of our personal devices, to realize greater efficiency and enhance that ever-elusive property known as “quality of life.” By submitting these flows of data to advanced analytic techniques based on machine learning, all kinds of benefits can be obtained: the nominal “optimization” of material and energetic flows, the streamlined delivery of municipal services, even the preemption of undesirable conditions (whether traffic jams or criminal offenses).

This, anyway, is the theory of smart urbanism. In practice, however, a number of issues conspire to ensure that what gets delivered invariably turns out to be rather less than the sum of its parts. The first is that, in looking to a rising technology sector to achieve this ambition, municipal-scale actors leave themselves at the mercy of powerful vendors — globally, multinationals like Siemens, IBM, Hitachi or Microsoft; in Korea the infrastructure, systems-integration and real estate development arms of the familiar chaebol. Because they generally lack the organic technical competence to determine what kinds of hardware and software might best serve their needs, city governments entering this market are perforce compelled to buy what these vendors have to sell, whether or not the problems those systems are designed to solve bear any particular resemblance to the issues perceived by their constituents. This was certainly the case in Songdo, where the expensive and elaborate Cisco “telepresence” hardware planned for each apartment unit in the city was rendered obsolete even before it was deployed, outmoded instantly by free smartphone- and tablet-based video chat applications like Kakao Talk and FaceTime.

The second problem follows on from this. By its very nature, the municipal procurement process involves one set of centralized, hierarchical actors (i.e. technology vendors) interacting with another (local bureaucracies). As a result, the multispectral awareness that might in principle be derived from large-scale analysis of data is generally retained for the exclusive use of municipal administrators, habitually and instinctively — and not, in other words, made available to the public who generated the data in the first place. What is offered to us wreathed in the glamor of technological futurity, then, is here revealed to be something that’s actually rather dowdy and retrograde: old-style technocratic management from the top down. Not by any stretch of the imagination something consonant with the will to collective self-determination, it cannot be reconciled with the commons without contortions that verge on intellectual dishonesty, however well-intentioned they may be.

And there is a final issue: daily life in Songdo, at least, appears to be rather soulless and dull. NPR quotes a young resident who describes it as a nonplace and a “prison,” and compares her escape into Seoul and all its nightlife at the end of the workweek to a jailbreak. This is admittedly a single data point, but it hardly makes a compelling argument for quality of life in the well-tuned city.

In its current form, then, the smart city as delivered by vendors is not merely ill-advised, nor merely unlikely to support the kind of vivid experiences we associate with big-city life, but actively detrimental to the achievement of an urbanism consistent with the values of the commons. A case in point can be found in the recent Korean experience of mass public demonstrations, which illustrate like relatively few other moments in history the power that an aggrieved citizenry claims for itself when it takes to the streets in protest of an order that has become intolerable. As it happens, the technologies bound together under the banner of the smart city have no way of accounting for this kind of active practice of democracy. Far from recognizing mass demonstrations as the signal of public sentiment they surely are, the smart city can only interpret such protests as a disruption to business as usual: first as an anomaly to be detected, then as an inefficiency to be contained, minimized, neutralized or eliminated.

§ Avatar II: San Francisco

It’s worth unpacking just what business as usual looks like to the architects of the smart city, what conceptions of the normal and the ordinary they may hold in mind when designing the algorithms responsible for detecting imminent departures from normalcy and triggering preemptive action.

And here we need to address the fact that even in software development, there is such a thing as fashion. Once something practiced by a self-consciously professional cohort given to horn-rim glasses, crisp short-sleeve shirts and pocket protectors — call it the Mission Control look — software engineering is, in its Northern Californian and Pacific Northwest fastnesses, dominated by a young, privileged and remarkably homogeneous technical elite. At present, you cannot walk down the streets of San Francisco — a city whose name was once synonymous with the radical, the queer, the experimental and the frankly marginal — without running headfirst into a mostly male scrum of software engineers in their mid-twenties, in their universal uniform of fitted hoodies and $400 sneakers, talking unit tests and code sprints. To a surprisingly great extent, it is their tastes, predilections, priorities and values that urban technology is increasingly designed around.

If the multinational vendor, in all its centralization, conservatism and ponderous lack of agility, represents one of the two predominant modes in which information technology is now applied to the life of cities, the other is typified by the proverbial Bay Area tech startup, with its addiction to venture capital and its imperative to “move fast and break things.” Thus the emphasis on convenience and immediate gratification we see in offerings like Airbnb, Tinder, TaskRabbit and above all Uber: services whose socially corrosive effects were self-evident virtually from the outset, though they are only recently becoming matters of widespread controversy.

It is now beyond dispute that Airbnb has undermined the market for affordable rental housing in city after city, just as Uber’s massive, outsourced fleet has drastically increased traffic in cities around the world, even as it drained custom and resources from public transit. What these services offer is nothing less than a shared reality platform for everyone wealthy enough, and sufficiently comfortable with technology, to use them fluently — a platform that privatizes benefits and sheds costs on the public so nakedly indeed that we no longer hear much talk of a putative “sharing economy.” Though these effects can be noted in every market where these services operate, they’re felt particularly acutely in the Bay Area, where life for those who most closely resemble software developers demographically and psychographically often does seem to consist of near-effortless algorithmically-streamlined ease, albeit at the cost of a slowly decaying public realm for everyone else.

It is telling, in this withdrawal from any pretense at convivial urbanity, that we don’t even discuss progress anymore, only “innovation.” In doing so, we preemptively surrender the terrain of the social imagination to the likes of Elon Musk, Jeff Bezos and Mark Zuckerberg, if not still more impoverished souls like Travis Kalanick or Peter Thiel. If the urban condition that results from their everted imaginings is not quite the brutal reality of first-generation smart cities like Masdar City, in the United Arab Emirates — where Pakistani, Bangladeshi and Filipino guest workers labor long, thanklessly and at great personal risk to keep the city turning over, and end their days in metal shipping containers arrayed behind razor wire under the broiling desert sun — neither does it have much to do with how cities have traditionally generated meaning and value for their inhabitants. Thus far, at least, everyday life in this capsular, app-mediated city appears to be defined by its exclusions.

§ Avatar III: Seoul

By contrast, the Greek architect and activist Stavros Stavrides, in his recent book on practices of spatial commoning, emphasizes the profoundly invitational aspect of any true commons, its quality of radical openness and porosity. If neither the multinational nor the startup way of doing networked cities quite works to produce such conditions on the ground, where can we go looking for a model that might do so?

Perhaps the greatest irony of all, in the present context, is that certain aspects of vernacular Korean urbanism already work quite well in this regard. Without fetishizing them, or sugarcoating their less felicitous aspects, Korean cities even now reliably generate an informality and canniness in the use of space that comes much closer to achieving the vision of a life in common than anything on offer from either wing of the tech industry. Not so much the newly-built, gated apartment complexes, of course, with their Ballardian full-service towerblocks rising in endless numbered ranks, but in older city cores throughout the country. Here the ajeossi play an impromptu game of baduk in a doorway, seated on torn cardboard box covers; there a sudden chicken-and-beer stand has popped up on an unused concrete forecourt; above, tucked into the fifth floor of an otherwise anonymous office building, is the jjimjilbang with beauty salon and restaurant and game parlor attached, pulsing with life and activity through 24 hours of the day. These things may not read that way to a globalized elite smitten with enticingly glossy corporate visions of the future, but to a certain kind of Western visitor, these feel like signals of the way life in the networked city could be: spontaneous, mobile, flexible, convivial, and above all open.

Could we design networked platforms and systems that generated this kind of urban experience, not merely for a few, but for everyone? The answer is almost certainly yes — but successfully doing so would require that we learn to wield networked technology quite differently than we do at present.

It would be necessary, first, to step back and ask what we are actually trying to achieve by deploying networked systems in the urban frame. We would have to test and iterate and test again, and discard for good that which is seen not to work. This, of course, runs almost directly counter to several aspects of the way we do things now: the headlong pace of technical innovation most obviously, but also its

It would be necessary to press for specifics, whenever we are offered hype, buzzwords and promises. We would have to ask hard questions about how technologies actually function when used by real people in real environments, and not simply be seduced by lovingly-crafted renderings or animated flythroughs.

It would be necessary to nurture more space outside the market in particular. If “the commons” is to mean anything at all, it can only refer to a milieu where neither the values of the state nor those of the market prevail, leaving room for mutuality, solidarity and positive-sum collaboration — the diametric opposite, in other words, of the condition that broadly obtains in the West now, where the market sets the ground conditions of everyday life, and the state is increasingly figured as something that exists solely to guarantee the operating conditions for private enterprise. It remains to be seen how this model might apply to a place like Korea, where the dynamics of the developmental state retain a powerful hold on the national psyche, but it would clearly be an uphill battle.

Finally, regardless of the particular set of political commitments we hope to see observed in the design of urban technologies, it would be necessary for us to consider with the greatest care what kind of subjectivity our use of these systems gives rise to. We would have to ask who we become in their presence and through their use, and be prepared to redesign everything if we don’t much care for the

The examples I’ve offered here ought to make it clear that if what we seek to achieve is a life in common, the whole quest for technological “smart” is something akin to a category error, where it isn’t simply intellectually bankrupt. We know in any event that any city deserving of the name is always already smart, and that its intelligence resides in the people who live in it and give it life. The task that remains before us is to design technical systems that are respectful of that intelligence, and allow it to speak itself. In the final analysis, this task cannot be outsourced. It cannot be optimized. It cannot be automated. It will require of us profound investments of time, energy and care. But the reward would be considerable: a place, or a meshwork of places, where everyday life is spontaneous and convivial, where the conditions of equity, justice and ecological balance are finally realized, where our quest to be human in full might find at last a natural home and ground.


vongoladodicesimo: sadakotetsuwan: kaytayzombay: showerthoughtsofficial: How important do you...



How important do you have to be to have been “assassinated” instead of “murdered”?

That is…a good question

If the motivation is political, then it’s assassination. Otherwise it’s murder. You cannot be assassinated by accident.

If a jilted ex murders the Prince of Placeland, it’s just a murder.

If a jilted ex is also a member of a rival political faction, it may be assassination.

If a jilted ex is driving home in tears and accidentally runs over the Prince of Placeland in the middle of the night in a neighborhood where the streetlights are out because of the prince’s questionable infrastructure policy, it’s manslaughter.

Thanks murder side of tumblr

57 days ago
There may be a gray area when organized crime is involved, but otherwise this seems sound

The truth has got its boots on: what the evidence says about Mr. Damore’s Google memo

58 days ago
Click through for the full 19k words — and hope ships soon — covering Damore's misuse of science in his manifesto.

Feel free to buy Erin a coffee for taking the time to ferret out the original papers behind the anecdotes and reviewing their quality, too. Catching up with a raging Gish Gallop takes a lot more work than starting it:

Security Keys

Security Keys are (generally) USB-connected hardware fobs that are capable of key generation and oracle signing. Websites can “enroll” a security key by asking it to generate a public key bound to an “appId” (which is limited by the browser based on the site's origin). Later, when a user wants to log in, the website can send a challenge to the security key, which signs it to prove possession of the corresponding private key. By having a physical button, which must be pressed to enroll or sign, operations can't happen without user involvement. By having the security keys encrypt state and hand it to the website to store, they can be stateless(*) and robust.

(* well, they can almost be stateless, but there's a signature counter in the spec. Hopefully it'll go away in a future revision for that and other reasons.)

The point is that security keys are unphishable: a phisher can only get a signature for their appId which, because it's based on the origin, has to be invalid for the real site. Indeed, a user cannot be socially engineered into compromising themselves with a security key, short of them physically giving it to the attacker. This is a step up from app- or SMS-based two-factor authentication, which only solves password reuse. (And SMS has other issues.)
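To make the enrol/sign flow and the origin binding concrete, here is a small Go model added for this write-up (not code from the post or from any FIDO project): a token that keeps one key per application parameter plus the signature counter, and a relying party that checks origin, user presence, counter and signature. The site https://example.com, the look-alike origin and the challenge strings are constructed, and the appId is assumed to equal the page origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)
// clientData is the JSON the browser assembles; its SHA-256 is the U2F "challenge parameter".
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Token models a U2F security key: one keypair per application parameter plus one signature counter.
type Token struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}
// Register (enrolment) creates a keypair bound to appParam, the SHA-256 of the appId, and returns its public key.
func (t *Token) Register(appParam [32]byte) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not something this demo can recover from
	}
	t.keys[appParam] = priv
	return &priv.PublicKey
}
// Authenticate returns userPresence(1) || counter(4) || DER ECDSA signature, or refuses if no key is bound to appParam.
func (t *Token) Authenticate(appParam, challengeParam [32]byte) ([]byte, error) {
	priv, ok := t.keys[appParam]
	if !ok {
		return nil, errors.New("token: no key bound to this appId")
	}
	t.counter++                      // the signature counter the post mentions; it only moves forward
	resp := []byte{0x01, 0, 0, 0, 0} // bit 0 set: the button was pressed
	binary.BigEndian.PutUint32(resp[1:5], t.counter)
	digest := sha256.Sum256(append(append(append([]byte{}, appParam[:]...), resp...), challengeParam[:]...)) // appParam || presence || counter || challengeParam
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return append(resp, sig...), nil
}
// RelyingParty is the website: its appId (equal to its origin here), the enrolled public key and the last counter seen.
type RelyingParty struct {
	AppID       string
	Pub         *ecdsa.PublicKey
	lastCounter uint32
}
// Verify runs the server-side checks: challenge freshness, origin, user presence, counter, then the signature.
func (rp *RelyingParty) Verify(clientDataJSON, resp []byte, challenge string) error {
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Typ != "navigator.id.getAssertion" || cd.Challenge != challenge {
		return errors.New("rp: malformed client data or stale challenge")
	}
	if cd.Origin != rp.AppID {
		return errors.New("rp: origin mismatch, the response was produced on another site")
	}
	if len(resp) < 6 || resp[0]&1 == 0 {
		return errors.New("rp: user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(resp[1:5])
	if counter <= rp.lastCounter {
		return errors.New("rp: counter did not increase (replay or cloned token)")
	}
	appParam, cdHash := sha256.Sum256([]byte(rp.AppID)), sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append(append([]byte{}, appParam[:]...), resp[:5]...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], resp[5:]) {
		return errors.New("rp: bad signature")
	}
	rp.lastCounter = counter
	return nil
}
// browserSign mimics the browser: the appId is derived from the page's origin, so a phishing page cannot claim the real site's.
func browserSign(tok *Token, origin, challenge string) (cdJSON, resp []byte, err error) {
	cdJSON, _ = json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	resp, err = tok.Authenticate(sha256.Sum256([]byte(origin)), sha256.Sum256(cdJSON))
	return
}
// RunScenario enrols at a constructed site, then tries a genuine login, a phishing relay from a look-alike origin, and a replay.
func RunScenario() (genuine, relay, replay error) {
	tok := &Token{keys: map[[32]byte]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{AppID: "https://example.com"} // constructed site; the challenges below are constructed too
	rp.Pub = tok.Register(sha256.Sum256([]byte(rp.AppID)))
	cd, resp, _ := browserSign(tok, rp.AppID, "challenge-1")
	genuine = rp.Verify(cd, resp, "challenge-1")
	_, _, relay = browserSign(tok, "https://examp1e.com", "challenge-2") // phisher relays a real challenge from its own origin
	replay = rp.Verify(cd, resp, "challenge-1")                          // the genuine response again: valid signature, stale counter
	return
}
```

The replay fails here on the counter check; with a fresh challenge per login it would already fail the challenge comparison, so the counter is a second line of defence rather than the first.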

The W3C standard for security keys is still a work in progress, but sites can use them via the FIDO API today. In Chrome you can load an implementation of that API which forwards requests to an internal extension that handles the USB communication. If you do that, then there's a Firefox extension that implements the same API by running a local binary to handle it. (Although the Firefox extension appears to stop working with Firefox 57, based on reports.)

Google, GitHub, Facebook and Dropbox (and others) all support security keys this way. If you administer a G Suite domain, you can require security keys for your users. (“G Suite” is the new name for Gmail etc on a custom domain.)

But, to get all this, you need an actual security key, and probably two of them if you want a backup. (And a backup is a good idea, especially if you plan on dropping your phone number for account recovery.) So I did a search on Amazon for “U2F security key” and bought everything on the first page of results that was under $20 and available to ship now.

Yubico Security Key

Brand: Yubico, Firmware: Yubico, Chip: NXP, Price: $17.99, Connection: USB-A

Yubico is the leader in this space and their devices are the most common. They have a number of more expensive and more capable devices that some people might be familiar with, but this one only does U2F. The sensor is a capacitive so a light touch is sufficient to trigger it. You'll have no problems with this key, but it is the most expensive of the under $20 set.

Thetis U2F Security Key

Brand: Thetis, Firmware: Excelsecu, Chip: ?, Price: $13.95, Connection: USB-A

This security key is fashioned more like a USB thumb drive. The plastic inner part rotates within the outer metal shell and so the USB connector can be protected by it. The button is in the axis and is clicky, rather than capacitive, but doesn't require too much force to press. If you'll be throwing your security key in bags and worry about damaging them then perhaps this one will work well for you.

A minor nit is that the attestation certificate is signed with SHA-1. That doesn't really matter, but it suggests that the firmware writers aren't paying as much attention as one would hope. (I.e. it's a brown M&M.)

Feitian ePass

Brand: Feitian, Firmware: Feitian, Chip: NXP, Price: $16.99, Connection: USB-A, NFC

This one is very much like the Yubico, just a little fatter around the middle. Otherwise, it's also a sealed plastic body and capacitive touch sensor. The differences are a dollar and NFC support—which should let it work with Android. However, I haven't tested this feature.

I don't know what the opposite of a brown M&M is, but this security key is the only one here that has its metadata correctly registered with the FIDO Metadata Service.

U2F Zero

Brand: U2F Zero, Firmware: Conor Patrick, Chip: Atmel, Price: $8.99, Connection: USB-A

I did bend the rules a little to include this one: it wasn't immediately available when I did the main order from Amazon. But it's the only token on Amazon that has open source firmware (and hardware designs), and that was worth waiting for. It's also the cheapest of all the options here.

Sadly, I have to report that I can't quite recommend it because, in my laptop (a Chromebook Pixel), it's not thick enough to sit in the USB port correctly: since it only has the “tongue” of a USB connector, it can move around in the port a fair bit. That's true of the other tokens too, but with the U2F Zero, unless I hold it just right, it fails to make proper contact. Since operating it requires pressing the button, it's almost unusable in my laptop.

However, it's fine with a couple of USB hubs that I have and in my desktop computer, so it might be fine for you. Depends how much you value the coolness factor of it being open-source.

KEY-ID FIDO U2F Security Key

Brand: KEY-ID, Firmware: Feitian(?), Chip: ?, Price: $12.00, Connection: USB-A

I photographed this one while plugged in in order to show the most obvious issue with this device: everyone will know when you're using it! Whenever it's plugged in, the green LED on the end is lit up and, although the saturation in the photo exaggerates the situation a little, it really is too bright. When it's waiting for a touch, it starts flashing too.

In addition, whenever I remove this from my desktop computer, the computer reboots. That suggests an electrical issue with the device itself—it's probably shorting something that shouldn't be shorted, like the USB power pin to ground, for example.

While this device is branded “KEY-ID”, I believe that the firmware is done by Feitian. There are similarities in certificate that match the Feitian device and, if you look up the FIDO certification, you find that Feitian registered a device called “KEY-ID FIDO® U2F Security Key”. Possibly Feitian decided against putting their brand on this.

HyperFIDO Mini

Brand: HyperFIDO, Firmware: Feitian(?), Chip: ?, Price: $13.75, Connection: USB-A

By observation, this is physically identical to the KEY-ID device, save for the colour. It has the same green LED too (see above).

However, it manages to be worse. The KEY-ID device is highlighted in Amazon as a “new 2017 model”, and maybe this is an example of the older model. Not only does it cause my computer to reliably reboot when removed (I suffered to bring you this review, dear reader), it also causes all devices on a USB hub to stop working when plugged in. When plugged into my laptop it does work—as long as you hold it up in the USB socket. The only saving grace is that, when you aren't pressing it upwards, at least the green LED doesn't light up.

HyperFIDO U2F Security Key

Brand: HyperFIDO, Firmware: Feitian(?), Chip: ?, Price: $9.98, Connection: USB-A

This HyperFIDO device is plastic so avoids the electrical issues of the KEY-ID and HyperFIDO Mini, above. It also avoids having an LED that can blind small children.

However, at least on the one that I received, the plastic USB part is only just small enough to fit into a USB socket. It takes a fair bit of force to insert and remove it. Also the end cap looks like it should be symmetrical and so able to go on either way around, but it doesn't quite work when upside down.

Once inserted, pressing the button doesn't take too much force, but it's enough to make the device bend worryingly in the socket. It doesn't actually appear to be a problem, but it adds a touch of anxiety to each use. Overall, it's cheap and you'll know it.

Those are the devices that matched my initial criteria. But, sometimes, $20 isn't going to be enough I'm afraid. These are some other security keys that I've ended up with:

Yubikey 4C

Brand: Yubico, Firmware: Yubico, Chip: NXP?, Price: $50 (direct from Yubico), Connection: USB-C

If you have a laptop that only has USB-C ports then a USB-A device is useless to you. Currently your only option is the Yubikey 4C at $50 apiece. This works well enough: the “button” is capacitive and triggers when you touch either of the contacts on the sides. The visual indicator is an LED that shines through the plastic at the very end.

Note that, as a full Yubikey, it can do more than just being a security key. Yubico have a site for that.

Many people lacking USB-A ports will have a Touch Bar, which includes a fingerprint sensor and secure element. One might spy an alternative (and cheaper) solution there. GitHub have published SoftU2F which does some of that but, from what I can tell, doesn't actually store keys in the secure element yet. However, in time, there might be a good answer for this.

Yubikey Nano

Brand: Yubico, Firmware: Yubico, Chip: NXP?, Price: $50 (direct from Yubico), Connection: USB-A

Another $50 security key from Yubico, but I've included it because it's my preferred form-factor: this key is designed to sit semi-permanently inside the USB-A port. The edge is a capacitive touch sensor so you can trigger it by running your finger along it.

It does mean that you give up a USB port, but it also means that you're never rummaging around to find it.
