Each Security Hole Is Created By Someone Deliberately.

Naked Security reports another (not very special) piece of malware for Android. It is quite sophisticated and effective, it has fooled almost 200K users.

I want to talk about one particular detail, quote:

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

Once again my question is how is it even possible in a mentally sane world??? Who created this bypass and why? No questions asked to Android, everybody is throwing feces at «evil-evil-evil» developers of malware. I believe that the idea of infosec related media is to channel the users' wrath into a safe direction, away from those who made malware possible in the first place, and suppress real inconvenient questions to the «trusted» developers and «respected» vendors.

Within the next few days I will explain you all evils of the android quasi-security — today I am too angry.

There Is Enough Wasted Electricity To Power All Cars In USA

I was confronted with a serious argument against Tesla cars (or electrically powered automobiles in general). It reads thusly: «If you replace all cars with Teslas the power grid will not be able to sustain the resulting tremendous surge of energy consumption». To me it sounds like a legit matter for a quick investigation, so here we go.
Read more →

What Would It Look like If The Web Developers Run A Grocery Store

Imagine, you enter a grocery store to buy a loaf of bread.
— Welcome to the Shop & Co!
— Hello. I am looking for…
— Where have you been recently?
— In a hardware store. Why?
— Do you use a car to get to us?
— No, I use a bike.
— Which model?
— XYZ123. Fucking Why?!
— Have you been to our store before? Any receipts?
— Nope.
— Where are you from?
— Me?! From Lithuania.
— Why do you speak English then?
— ...I don't know, I feel like doing so.
— May I speak Lithuanian?
— No way! just give me fucking bread!
— We are so sorry, we do not have Lithuanian bread right now.
— Can you give me any other goddamn bread!!!
— Nope.

This is exactly what happens every time you visit a website.

Flattr this

Utilizing Wasted Energy Of The Slag Dumps

Today I want to talk about ecology, in a very unorthodox manner, as I always do with any subject. There is one very necessary practice in the metallurgy all over the world: slag dumping. Of course, our cherished environmentalist buzz-makers know nothing about that, because steel and copper, just like coffee and croissants, grow on trees. And it is much better to keep them at their present state of ignorance, as long as we want a serious, intelligent, and productive discussion on the topic.

First of all, there is nothing wrong with the metallurgy in general and the slag in particular. However, there is some room for a significant improvement that benefits our «environment», unlike bullshit «carbon taxes» or «wind turbines». In order to understand the basics of the problem watch any of the «slag dump» videos on youtube, like this one www.youtube.com/watch?v=zKOENNXsSBQ This «molten lava» is slag, an inevitable byproduct of any metallurgical process. It has no use in the industry, it contains no precious components, and it has to be removed from furnaces, in order to keep them running.

The first thing that must strike you as you see the action is: «what a waste of energy!!!» Indeed, slag is hellishly hot, where «hot» means two important properties: abundant and high potential, which makes the energy easily CONVERTIBLE. But, hold on, this shit is solid under normal conditions. When you extract energy from molten slag it will solidify, incapacitating any conceivable heat exchanger.

Let's apply some IT reasoning here. While it is difficult to take energy away, how about taking an energy consumer in? Picture that, you have to heat something, so you mix it into hot slag. The output will very likely to be total garbage… Yes! GARBAGE! Put garbage in, melt it by the heat contained in the slag, and then shape it in building bricks, or fillers, or whatever you need to build artificial islands…

In the end you get a pretty normal solid waste processing plant running on free energy.

On The "Bottom-Up" Approach To Data Security

Once I stated the title I immediately realized that there are many distinct dimensions having their own «bottoms» and «ups». So I must specify. The «bottom» is a set of elementary data manipulation operations available to you as a programmer or a data security specialist (although it is often the same «you»). The «top» is a transitive closure of this set. The set of operations available for a user is rather close to the «top», and mapping them into the basic data handling operations constitutes the essence of the programmer's job. The «bottom-up» approach to data security is a job of defining all the necessary data access rules in terms of the basic data handling operations — you apply certain restrictions to various data elements and they affect the data system overall behavior, namely data accessibility in the high-level terms used by the end users. The most elaborated text-book example of this approach is SQL — it gives you very low-level security bricks to build a custom building without specifying explicitly this building emergent properties.
Read more →

A CERN Physicist Fails At Elementary Physics

Recently I had a conversation with a renowned CERN physicist Konstantin Toms. In this conversation, all of a sudden, he exposed himself failing to spot the difference between power and work. The conversation happened in a public place here: lj.rossia.org/users/ktoms/17248.html
it was performed in Russian, so I have to translate it for you, however, Dr. Toms is informed of this fact and is welcome to make his corrections if he has any.
Read more →

A Better SQL Security Approach

This is not only an SQL's problem, I am going talk about, this is a pretty general problem of all complex systems dealing with user permissions, however SQL constitutes the best possible illustration to the issue.The principal source of all evil is the generalized security policies, policies trying to cover the entire space of user actions by being formulated in basic general terms.
Read more →

An Embarrassing Security Hole In FFmpeg (how is it even possible?!)

A russian researcher Maxim Andreev (Максим Андреев) from cloud.mail.ru has discovered recently an appaling (and also embarrassing) security hole in FFmpeg (a popular open source video/audio processing library (yes, thanks god(s) it is open source)). The vulnerability may potentially lead to SSRF and local file read (which in turn may be pretty devastating). To put your computer at risk it is sufficient to keep it connected to the internet while processing with FFmpeg a specially crafted .mpeg file. So the attack may be aimed at servers and desktops as well, and it is important for the desktop users to know that nearly all GUI-oriented filemanagers and file-dialogs do run without a user's consent ALL the .mpeg files in the scope through the thumbnail creation procedure which is often built around FFmpeg library. Oh, my dear «user-friendliness»! Do you feel how problems are piling up?

The vulnerability is based upon the HLS (HTTP live streaming) feature (thanks to the reported vulnerability I now know what is live streaming — what a useful feature it must be). The core of the vulnerability is (as it happened many times before) a masquerade of filetypes multiplied by the stupidity of the modern days programmers. Effectively the worm is a PLAYLIST file masquerading as an ordinary .mpeg. And FFmpeg is programmed to process them «transparently» i.e. HIDE the distinction between them from the user. The playlist file is allowed to prescribe HTTP requeststs (supposedly to retrieve a file to play) and FFmpeg is eager to obey! Thus, FFmpeg being entitled to the access privileges of its caller SILENTLY sends HTTP-requests (full of potentially sensitive data) to an arbitrary HTTP-server in the internet.

Well done FFmpeg! well done!
And I personally send many non-sarcastic thanks to Maxim Andreev.

By the way, Maxim in his original article on habrahabr.ru describes some interesting practical exploits of the vulnerability, if anyone is interested, i can translate his article to English and post it here.

...and remember all vulnerabilities are deliberately created by someone.

There Is No Such Thing As Binary Data In This World

The «binary data» is a myth, created by very unintelligent people. This is just another undefined term in IT amongst millions of its brethren. Oh, dear! if you disagree I challenge you to define it or at least look up a definition. Seriously, give it a try.
I have challenged many advocates of «binary data» to define their beloved product of words. All of them (who are not indoctrinated enough to refuse the challenge altogether) immediately slipped into reasoning about text editors, terminals, and ASCII. But, wait, «my terminal can not display binary data» — is your terminal's problem and nothing more. Some terminals can not display unicode — is it «binary»? All different kinds of terminals unable to display different kinds of data. The same goes to the text editors — which particular byte sequences make a text editor cringe and glitch is specifically defined within the text editor and nowhere else.
Read more →

On Education, part 2: Middle School

(previous part: Elementary School)

There is an unspoken grievance bothering all us kids for the entierty of schooling. It feels like an earworm with a forgotten title, you hear it in your heead, but you can not articulate it no matter how hard you try. And it lasts for years. Here it is: «Why on Earth I must learn the disciplines that my teachers have failed to learn?! — If they are more stupid than I, why on Earth they are teachers in the first place?! — If it is just normal to be ignorant about the majority of the school curriculum, why do they teach me all the shit they themselves do not want to know and still have their jobs and live normal lives?!»

Yes, I am talking about the specialization of teachers, this ultimate manifest of ignorance! The very existence of your English literature teacher cries silently: «I don't give a damn about all your maths!». «I spit on your Shakespeare!» — is written all over the face of your maths teacher. An your biology teacher is completely happy being ignorant about maths, literature, geography, phisics, and the rest.

When you attend to all these compulsory courses you see the big picture: all these courses are in fact optional — the school lies to you at the very core of its doctrine. Every day the teachers as a whole demostrate you practically that every individual teacher preaches lies to you. This is how the school finishes your motivation off (if there was any remaining after the primary school). I can not concieve a more devastating impact on one's motivation that that.

And again the solution is way simpler than you might expect. It does not require any new institution, it requires a romoval job again. We must abolish the specialization of teachers. All compulsory courses must be taught by a single teacher from the very beginning of the school to the very end. One teacher for the complete curicullum — a role model of an educated person. Teachers must comply to the standards they impose on their pupils.