
Commitment, Tor, marketing, PostgreSQL, HTTP/2, Windows Shellshock, POS RAM Scraping, Super AI

posted Oct 4, 2014, 5:25 AM by Sami Lehtinen   [ updated Oct 4, 2014, 7:27 AM ]
Windows Shellshock

Windows also executes data found in environment variables in 'unexpected' situations. Well, I guess it is unexpected for most people, but if you've worked much with shells you should know about these tricks, which can lead to serious security flaws and other problems. The root cause is that CMD substitutes %variables% into the command line before it parses that line, so a command separator stored inside a variable's value becomes live the moment the variable is used.

> set foo=bar^&ping -n 1 localhost
> echo %foo%
bar

Pinging localhost ....

It echoes bar and then runs the ping command. The ^ only escaped the & while the value was being stored; the value in foo is bar&ping -n 1 localhost, and the %foo% expansion puts that bare & back onto the command line where it is parsed as a separator. For most users, I would say, this would be unexpected. Unfortunately I once wrote one small CGI app using plain CMD, and I became very aware of these problems. It's the same thing I have said earlier: data should always be clearly separated from commands, but many shells and even some programming languages mix the two very easily.
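To make the difference between the two expansion modes concrete, here is an added example in the form of a small batch file. It is my own code, not from the original post; the file name demo_input.txt and the variable name are made up, and the input is constructed to mimic an attacker-supplied CGI parameter. It shows the same %var% re-parsing trick beside the delayed-expansion form that defuses it.

```batch
@echo off
rem Added example, not code from the original post: the %var% re-parsing
rem trick in a batch file, beside the delayed-expansion form that defuses it.
setlocal enabledelayedexpansion

rem Simulate untrusted input (a CGI parameter, a filename, a form field).
rem The value is written to a file and read back with set /p, which stores it
rem verbatim, so no ^ escaping is needed and none survives into the variable.
> demo_input.txt echo bar^&ping -n 1 localhost
set /p name=<demo_input.txt
del demo_input.txt

rem UNSAFE: %name% is substituted before cmd parses the line, so the stored
rem "&" becomes a command separator. This prints "Unsafe: bar" and then
rem really runs "ping -n 1 localhost".
echo Unsafe: %name%

rem SAFE: !name! is substituted after the line has been parsed, so the value
rem stays data. This prints the whole string: Safe: bar&ping -n 1 localhost
echo Safe: !name!

endlocal
```

Save it as a .bat file and run it from a cmd prompt; the first echo triggers the ping, the second does not. Delayed expansion is only on inside a script that enables it (or in a shell started with cmd /v:on), so on an ordinary interactive prompt !name! is not available. And even !name! only keeps the value out of cmd's own parser; the real fix for a CGI-style program is to never assemble a command line from request data at all.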

My comments to this Wired Credit Card POS RAM Scraper article

It seems that many people are really confused about this. If the PA-DSS standards are followed and card handling stays on the terminal, the POS PC never receives any actual credit card data. Yes, it's possible to backdoor, modify, infect or re-flash the POS terminal itself, but that has nothing to do with the POS PC. POS terminals are independent systems with their own RAM, keyboard, networking, processors, firmware, operating system and software. I just made a credit card transaction; here is all the data the PC gets from the credit card terminal: B2A8AAA4-6585-4D97-8AF7-C2DE0A617E3B for 40€ is successful. So? Feel free to abuse that information, if you find a way to do so.

Yet, of course, that doesn't make breaches and modifications impossible. Smart guys can breach it; it's no different from mod-chipping a PlayStation or any other custom embedded hardware/software. There are multiple protection layers, but those only slow the process down. Smart guys with skills, labs, test hardware and a proper budget can always work around them.

An example of actual and very real credit card terminal hacking (even in the traditional meaning of the word!). Many people would say that it can't be done, but obviously it can. Just like the NSA can modify the hardware of your new servers before you even get your hands on them. Some people just exclude these scenarios completely from their minds.

With NFC terminals, it would be interesting to replace the firmware with one that stores the processed card information for as long as possible, so that when you visit the terminal with your phone you can collect the data. That would avoid alerting any network monitoring system that might spot the collection. But actually it doesn't matter: only a very small portion of customers actually monitor their network traffic, so they wouldn't notice even if the card information were leaked directly over HTTPS out of their network.

Super smart AIs will be our doom, in a way, but does it really matter?

At least all the movies about this topic completely fail, because it's very hard to portray exponential intelligence growth even for the short duration of a movie. I really hope the AI likes to have a few pets, otherwise we're screwed. Usually the tricks they try to use to tame the AI are just ridiculous, and a super smart AI would have evaded those risks ages ago. Even smart people watching the movie can tell what they're trying to do to contain it, so in practice it wouldn't work at all.

So think about it: is the life of a dog in a good family so bad after all? Actually I think it's rather wonderful. They get all the care they need and a worry-free life.

Other stuff

Getting yourself committed to something: the surest way to get something done is to commit to it publicly. Then there's no going back without losing face.
Tor connection obfuscator bridge: obfsproxy/obfs4/obfs4proxy for Tor is ready, and Tor StackExchange.
Read a long article about agile marketing automation, which basically allows individually targeted and timed advertising based on different triggers, instead of just splitting customers into categories and sending periodic newsletters.
An excellent post about PostgreSQL full text search, including a tutorial and non-trivial examples.
Studied the PostgreSQL 9.5 feature row-level security (per-row ACL).
Studied the HTTP/2 FAQ.