Security

Code for open-source Facebook littered with landmines

Diaspora release not for noobs

Dan Goodin Thu 16 Sep 2010 // 23:32 UTC

Four New York University students who raised a bundle of cash to build a privacy-preserving alternative to Facebook sure have their work cut out for them.

The release of pre-alpha source code for their Diaspora social Website was only a few hours old on Wednesday when hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos.

“The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

“About the only thing I haven't been able to do yet is to compromise the security of the server that Diaspora is installed on. That's not because that isn't possible. If a professional security researcher goes after this, I have every confidence that they will be able to do that.”

Diaspora grew out of deep-rooted dissatisfaction many people expressed earlier this year in response to Facebook privacy changes that without warning exposed details many users didn't want to share with world+dog. When the developers sought funding, according to The New York Times, they asked for $10,000. So strong was the discontent of some Facebook users that they ended up with donations exceeding $200,000.

McKenzie first voiced his concerns on a online hacker discussion devoted to Wednesday's release. Diaspora representatives didn't respond to an email seeking comment.

To be fair, the Diaspora creators are very clear that Wednesday's release comes with “no guarantees” and includes known “security holes and bugs.” But McKenzie said he isn't sure that message has reached some of the project's most fervent fans.

“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”

He's not the only one who has found bugs. Among the list of reported issues in the code are numerous XSS — or cross-site scripting — attack vulnerabilities, a session token that's easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields.

Encryption features in Diaspora, which runs on the Ruby on Rails software stack, is also susceptible to a recently enhanced “Oracle Padding attack,” being demonstrated this week at the Ekoparty conference in Argentina, but then again, so are many banking apps. ®

50 Comments

Other stories you might like

'Extraordinary' pigs step in to protect Schiphol airport from marauding geese

Plane-wrecking idiot fowl sent packing by heroic porcine defenders of commercial aviation

Matt Dupuy Tue 28 Sep 2021 // 19:45 UTC

An unlikely battle is currently going on betwixt the runways of one of Europe's busiest airports, after a company called Extraordinary Pigs was contracted to bring their animals to help protect Amsterdam's Schiphol Airport from marauding geese.

Schiphol is the main international airport for the Netherlands, a major transit hub and also a major air cargo facility. These factors make it Europe's third-largest airport in terms of passenger numbers and the biggest in terms of total aircraft movements.

It occupies a vast 10.3 square mile (2,787 hectare) site on reclaimed land which is entirely below sea level, and it is situated about 10km southwest of Amsterdam. As a result, the area it sits on is lush and often has a lot of standing water, which makes it an appealing spot for birds to roost and forage for food.

Continue reading
The secret to speaking to customers across multiple channels … is to speak with one voice

Smooth your path to CX nirvana with this ebook

David Gordon Tue 28 Sep 2021 // 19:00 UTC

Sponsored Customer interactions these days are ongoing and dynamic, constantly taking place across multiple channels and touch points from the web to social media, from chatbots to call centers.

That might suggest you need an ever-expanding tool box – and budget – just to keep pace with the competition and your customers’ expectations.

Yet some of the companies poised to be most successful connecting with their customers, may be the ones who trim their tech spend and consolidate their CX tooling and technologies this year, Forester has suggested.

Continue reading
ASUS patches ROG Armoury Crate app after researcher spots all-too-common flaw

It tries to load a file from a location any old user can write to

Gareth Corfield Tue 28 Sep 2021 // 18:31 UTC

A flaw in ASUS's ROG Armoury Crate hardware management app could have allowed low-privileged users to execute code as administrator.

The now-patched privilege escalation vulnerability was uncovered by "Federico" from Italian hacker collective APTortellini.

Federico discovered the vuln after taking a close look at ROG Armoury Crate, finding a DLL hijacking vuln that allowed ordinary users to execute code with SYSTEM privileges after pasting a crafted file into a directory used by the app.

Continue reading
Azure Purview is a preview no more: Microsoft is ready to sniff your sensitive data

Governance and compliance are the watchwords here

Richard Speed Tue 28 Sep 2021 // 17:45 UTC

Azure Purview has hit general availability, affording assistance to admins facing governance data overload.

The service is pointed at an organisation's data estate, offering up a map of data assets over the likes of SQL Server, Oracle and Salesforce regardless of their location (on-prem or – heaven forbid – some cloud that is not Microsoft's).

AWS S3 scanning is present in the generally available product while scans for Erwin, IBM DB2, Salesforce, Google BigQuery, Looker, and Cassandra remain in public preview.

Continue reading
Oracle flexes its hardware muscles with beefed-up Exadata X9M appliance

Kicking sand in the faces of less mighty systems, it is only worth the price tag if stellar performance is a must

Lindsay Clark Tue 28 Sep 2021 // 17:01 UTC

Oracle has released the latest upgrade to its Exadata database appliance series, claiming to better earlier iterations on I/O and throughput.

Building on the heritage of tightly integrated hardware and software it acquired with Sun Microsystems back in 2009, Big Red's beefed-up Exadata X9M claims online transaction processing (OLTP) with more than 70 per cent higher input/output operations per second (IOPS) on its earlier release, the X8M. Oracle also reckons the system performs with 19µs I/O latency from database to storage, 10 times faster than flash memory.

Exadata X9M is pitched as enabling customers to reduce the costs of running transactional workloads by up to 42 per cent, and analytics workloads by up to 47 per cent, compared with the previous generation, Oracle said. Meanwhile, analytical workloads performed 87 per cent faster.

Continue reading
Ofcom unveils broadband switching plans, but providers claim it's not so easy

‘One Touch Switch’ is great, but logistics are an issue for BT, while Virgin cites data protection worries

Tim Richardson Tue 28 Sep 2021 // 16:30 UTC

Switching broadband providers could be about to become a lot easier if proposals unveiled by Ofcom today are put into place.

But even as the plans were announced it's clear there are some providers in the industry that are unhappy with them – citing issues such as data protection and concerns it could lead to people being switched without their consent.

Ofcom hopes the scheme – dubbed "One Touch Switch" – will streamline the way people chop and change providers as new services are launched.

Continue reading
Latest FinFisher spyware upgrades 'particularly worrying,' says Kaspersky

Eight-month analysis finds four-layer obfuscation, two-stage loader, and a new UEFI attack

Gareth Halfacree Tue 28 Sep 2021 // 15:50 UTC

Kaspersky has presented the findings of an eight-month probe into the FinFisher spyware toolset – including the discovery of a UEFI "bootkit" infection method and "advanced anti-analysis methods" such as "four-layer obfuscation."

FinFisher, also known as FinSpy, is a product from Anglo-German spy firm Gamma International and supplied exclusively to law enforcement and intelligence agencies for use as a surveillance tool. The software was allegedly used by the former Egyptian government of Hosni Mubarak to spy on dissidents and by the Bahraini government to spy on Bahraini activists in Britain – the latter resulting in the software having been found in breach of human rights.

The toolkit receives frequent updates to evade detection and add new functionality, with Kaspersky having previously investigated a 2019 update which boosted its spying capabilities to include chat, physical movement, microphone, and camera access, alongside locally stored data capture and exfiltration.

Continue reading
Texas cops sue Tesla claiming 'systematic fraud' in Autopilot after Model X ploughed into two parked police cars

Five officers seek $20m in damages from car maker and local restaurant

Gareth Halfacree Tue 28 Sep 2021 // 15:01 UTC

Five Texas residents have filed a lawsuit against Tesla and a local restaurant after an alleged drink-driver ploughed a Model X into the back of two parked police cruisers.

The complaint [PDF] accuses the company of "defects in Tesla's safety features," the functionality of which has been "vastly and irresponsibly overstated" to "pump Tesla's share price and sell more cars."

According to the suit, filed by the five police officers involved in the incident, the unnamed driver crashed his Tesla Model X into the back of two parked police cruisers at 70mph (112kph) after they had stopped to investigate a fourth vehicle for suspected narcotics offences in February.

Continue reading
A crypto-trading hamster is outperforming the S&P 500, Nasdaq, Bitcoin

As much as I wanted to be Gordon Gekko, I'll always be Mr Goxx

Matt Dupuy Tue 28 Sep 2021 // 14:15 UTC

A cryptocurrency-trading hamster is sending shockwaves through the financial world by generating returns that outperform the S&P 500 index, the Nasdaq 100, and Bitcoin.

Goxx Capital, fronted by Mr Goxx, a small brown hamster said by his colleague to be "nearly one year old", has been trading since June this year using a specially constructed "office" enclosure. It is claimed that he has been involved in hundreds of trades worth literally tens of Euros.

His trading office, known as the Goxx Box, includes a number of special tools used to action his keen financial decisions. The largest of these is known as the "Intention Wheel", a hamster exercise wheel demarcated to determine which of around 30 different assets he will pick to trade. Then there are two "Decision Tunnels", one marked "Buy" and one marked "Sell", which determine which trade he will make with the chosen currency.

Continue reading
Typical. Crap weather halts work on subsea fibre-optic cable between UK and France

Summer was good while it lasted

Tim Richardson Tue 28 Sep 2021 // 13:30 UTC

Strong winds and choppy seas have delayed the deployment of a new subsea fibre cable running under the English Channel connecting data centres in France and the UK.

The cable – called CrossChannel Fibre – is due to link Equinix data centres in London and Paris via Brighton on the South Coast of England and Veules-les-Roses near Dieppe.

Work was due to start this week, but the arrival of autumn storms has meant that cable laying has been put on hold until calmer weather is forecast.

Continue reading
The indie RPA dream is over for Blue Prism after being gobbled by private equity

UK firm failed to make an impact against the market leaders

Lindsay Clark Tue 28 Sep 2021 // 12:45 UTC

Blue Prism, poster child of the UK's modest tech boom, has been bought by Vista Equity Partners (VEP) to be merged with Tibco, the integration and buiness intelligence vendor.

Known for its robotic process automation (RPA) wares, Blue Prism is to be acquired for £1.1bn as interest in the RPA software segment hots up.

According to Forrester, the market for RPA software will be worth $2.9bn in 2021, up from $125m in 2016. The two biggest independent players – those that don't also sell big chunks of the enterprise stack – are US-based Automation Anywhere and UiPath (founded in Romania, but now based in New York), which have a combined valuation of around $39.2bn

Continue reading