Some days ago GitHub received a DMCA complaint from the RIAA to remove youtube-dl due to copyright violations. The youtube-dl website is still online and I mirrored the files to my website just in case.
Now, due to a bug in GitHub – known for a long time – it’s possible to add files to other users’ repositories without modifying the checkout. You can’t change the current hash, but when adding files a new hash is created and you can link to that exact hash in order to get the files. Very neat!
So, long story short, that’s exactly what someone did.
Uninterrupted, good quality mobile phone reception is extremely important to rail passengers. In technical terms, it’s the pièce de résistance for every network provider because the demands on bandwidth increase with data-intensive applications. Swisscom has now successfully achieved a transmission speed of over 1 Gigabit per second on a moving train under test conditions. This result sets a new benchmark for the mobile phone industry. Source: Swisscom
BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.
BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats that gets then displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with Libreoffice on the server. Looking for ways to exploit server-side Libreoffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.
One of the methods described there is a feature in Opendocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file url and include a local file.
This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here. Source: Hanno’s Blog
I never understood why you need to include external files or webpages in such a document and I can’t even think of a use-case why this is a great idea, unless you want to fuck up things.
Here’s the PoC, in case you’re interested.
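As an added defender-side check (not code from Hanno’s post or from the BigBlueButton project), the following Python snippet opens an uploaded ODT, parses its content.xml and flags every xlink:href that carries a URL scheme, which catches both the local file references described above and remote https ones, while leaving package-relative links alone. The sample document builder and its hrefs are constructed placeholders for demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def find_external_refs(odt_bytes):
    """Return (element, href) for every xlink:href in content.xml that
    points outside the ODT package (i.e. has a URL scheme such as file or https)."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        if "content.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("content.xml"))
    findings = []
    for el in root.iter():
        href = el.get(XLINK_HREF)
        if href is None:
            continue
        # In-package links ("Pictures/img.png", "#Section1") have no scheme;
        # anything with a scheme asks the renderer to fetch from elsewhere.
        if urlparse(href).scheme:
            findings.append((el.tag.split("}")[-1], href))
    return findings


def build_sample_odt(hrefs):
    """Constructed test fixture: a minimal ODT with one linked text section per href."""
    sections = "".join(
        f'<text:section text:name="s{i}" text:protected="true">'
        f'<text:section-source xlink:href="{h}"/></text:section>'
        for i, h in enumerate(hrefs)
    )
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink">'
        f'<office:body><office:text>{sections}</office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_odt(["file:///placeholder/path", "#Internal"])
    for tag, href in find_external_refs(sample):
        print(f"reject upload: <{tag}> references external {href}")
```

An upload gateway would run `find_external_refs` before handing the file to the LibreOffice conversion step and reject anything that returns a non-empty list.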
All 19 intelligence services of the federal government and the states will soon be allowed to covertly hack devices. The federal government has adopted a corresponding draft law. The SPD had misgivings about it for a long time, now it has caved in. Party leader Saskia Esken was also against it, now she supports the compromise. Source: Netzpolitik
By now nobody expects anything else from the party of traitors anyway. When it comes to caving in, they are the world champions. That such colossal wrong decisions endanger the security of the entire population doesn’t seem to have sunk in. Consequently, one has to assume that they at least knowingly accept it. When will they finally start listening to experts and stop making policy against the people?
Apple has clarified the situation with the WordPress iOS app, apologizing for the mistake of blocking developer updates to the app until they added in-app purchases, despite the app not including any functionality involving payments.
On Friday, it was reported the lack of app updates for the WordPress app were due to it being “locked” on the App Store. After three weeks of absence, developers of the app had agreed to implement some form of in-app purchase to the app to enable updates to go through again, among other possible solutions.
In a statement provided to AppleInsider on Saturday, Apple claims the issue with the app has been “resolved” overnight. Source: AppleInsider
Nothing to see here. Go ahead.
WordPress, the iOS app, lets you build and manage a website right from your iPhone or iPad, for free.
Separately, WordPress.com also happens to sell domain names and fancier website packages.
Now, WordPress founding developer Matt Mullenweg is accusing Apple of cutting off the ability to update that app — until or unless he adds in-app purchases so the most valuable company in the world can extract its 30 percent cut of the money.
The app simply lets you make a website for free. There isn’t even an option to buy a unique dot-com or even dot-blog domain name from the iPhone and iPad app — it simply assigns you a free WordPress domain name and 3GB of space. Source: The Verge
Thanks, but no eroded fruits for me ever.
Physical locks are one of the most prevalent mechanisms for securing objects such as doors. While many of these locks are vulnerable to lock-picking, they are still widely used as lock-picking requires specific training with tailored instruments, and easily raises suspicion. In this paper, we propose SpiKey, a novel attack that significantly lowers the bar for an attacker as opposed to the lock-picking attack, by requiring only the use of a smartphone microphone to infer the shape of victim’s key, namely bittings (or cut depths) which form the secret of a key. When a victim inserts his/her key into the lock, the emitted sound is captured by the attacker’s microphone. SpiKey leverages the time difference between audible clicks to ultimately infer the bitting information, i.e., shape of the physical key. As a proof-of-concept, we provide a simulation, based on real-world recordings, and demonstrate a significant reduction in search space from a pool of more than 330 thousand keys to three candidate keys for the most frequent case. Source: ACM Digital Library
President Trump said late on Tuesday that he would support Oracle’s buying TikTok, the Chinese-owned viral video app that his administration says must be sold in the next few weeks.
In comments to reporters at an event in Arizona, Mr. Trump called Oracle a “great company” and said the firm, which specializes in enterprise software, could successfully run TikTok.
“I think that Oracle would be certainly somebody that could handle it,” he said. Source: New York Times
Oracle’s one of those companies which has successfully managed to kill technology in the past. Just think of Sun and Java. So, if he really wants TikTok to be dead Oracle is the right choice.
Just keep in mind that he talks about lots of things he isn’t capable of understanding.
Toyota has expanded its collaboration with Amazon Web Services in ways that will see many of its models upload performance data into the Amazonian cloud to expand the services the auto-maker offers to drivers and fleet owners.
Toyota already operates a “Mobility Services Platform” that it says helps it to “develop, deploy, and manage the next generation of data-driven mobility services for driver and passenger safety, security, comfort, and convenience”.
That data comes from a device called the “Data Communication Module” (DCM) that Toyota fits into many models in Japan, the USA and China.
Toyota reckons the data could turn into “new contextual services such as car share, ride share, full-service lease, and new corporate and consumer services such as proactive vehicle maintenance notifications and driving behavior-based insurance.” Source: The Register
I don’t like their cars anyway. They are too small, too slow and the level of quality is bad. They use lots of plastic where others at least hide that under some fine leather or alcantara. The real issue with this is that others also collect driving behavior and will likely sell that data to insurance companies. Toyota is just the one who took the first step in that direction. So, you’re better off buying an old car without any phone-home crap in it.
Paywalls are justified, even though they are annoying. It costs money to produce good writing, to run a website, to license photographs. A lot of money, if you want quality. Asking people for a fee to access content is therefore very reasonable. You don’t expect to get a print subscription to the newspaper gratis, why would a website be different? I try not to grumble about having to pay for online content, because I run a magazine and I know how difficult it is to pay writers what they deserve. Source: Current Affairs
I’d rather say “Proper news is paywalled while opinions are free”. News requires analysis and research. Both are expensive, so since opinions are free and everyone has one, it’s quite easy to spread that opinion and claim it’s news.