'George Orwell was an optimist. Show me a search history, I'll show you a perv or a crook'

Hm. Do optimists really have more fun?

QuoTW Google researchers came clean about a nasty little security vulnerability they discovered in SSL 3.0 this week, though not before El Reg first caught wind of it.

The hole in the ancient encryption standard can only be used if you can intercept the victim’s packets, potentially with a malicious Wi-Fi link, but once they’re in, hackers can slurp your cookie data. Security expert Robert Graham explained:

POODLE (Padding Oracle On Downgraded Legacy Encryption) allows the hacking of clients – your web browser and such. If Heartbleed or Shellshock merited a 10, then this attack is only around a five.

It requires someone to be a man-in-the-middle to exploit. This means you are probably safe from hackers at home, though not safe from the NSA. However, when at the local Starbucks or other unencrypted Wi-Fi, you are in grave danger from this hack.

What the hacker will try to do is hack your session cookies. That means they won't get your password for your account, but they will be able to log in as you into your account. Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages.

The vulnerability shouldn’t matter because SSL 3.0, which is 18 years old, should have been retired years ago. However, the internet being the buggy back-compatible thing it is, the standard is still kicking about. Google security bod Adam Langley said:

This should be an academic curiosity because SSL 3.0 was deprecated very nearly 15 years ago.

However, the internet is vast and full of bugs. The vastness means that a non-trivial number of SSL 3.0 servers still exist and workarounds for the bugs mean that an attacker can convince a browser to use SSL 3.0 even when both the browser and server support a more recent version.

Thus, this attack is widely applicable.
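The downgrade Langley describes, where a client that cannot complete a modern handshake retries with older versions until it lands on SSL 3.0, is easiest to see in a small model. The block below is an added example, not code from Google or from the original article: the version list, the `handshake`, `connect` and `default_context_refuses_sslv3` functions and the server capability sets are all constructed for illustration. A man-in-the-middle who simply drops every handshake above the version he wants is modelled as a connection failure, which is exactly what the bug-workaround fallback logic in browsers treated as a reason to try something older. The last function then checks, against the real Python `ssl` module, that a default client context has SSL 3.0 switched off.

```python
"""Toy model of the protocol-downgrade fallback behind POODLE (constructed example)."""
import ssl

# Protocol versions from newest to oldest; a falling-back client walks down this list.
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]


def handshake(offered, server_supported, attacker_drops_above=None):
    """One handshake attempt with a single offered version.

    Returns the negotiated version, or None when the attempt fails. A
    man-in-the-middle who discards every ClientHello offering a version newer
    than `attacker_drops_above` makes those attempts look like plain failures.
    """
    if (attacker_drops_above is not None
            and VERSIONS.index(offered) < VERSIONS.index(attacker_drops_above)):
        return None  # MITM drops the packet; the client only sees a dead connection
    return offered if offered in server_supported else None


def connect(server_supported, fallback=True, floor="SSLv3", attacker_drops_above=None):
    """Client with a legacy fallback policy (constructed, not any real browser's code).

    Starts at the newest version and, on each failure, retries with the next
    older version down to `floor`. With fallback=False the client fails closed
    on the first failed handshake instead of retrying with something weaker.
    """
    for version in VERSIONS:
        if VERSIONS.index(version) > VERSIONS.index(floor):
            break  # below the client's floor: give up rather than go weaker
        negotiated = handshake(version, server_supported, attacker_drops_above)
        if negotiated is not None:
            return negotiated
        if not fallback:
            break
    return None


def default_context_refuses_sslv3():
    """True when a stock Python client context has SSL 3.0 disabled.

    ssl.create_default_context() sets OP_NO_SSLv3 on the context, which is the
    server- and client-side fix for the downgrade modelled above: if SSL 3.0 is
    not on the table, no amount of handshake-dropping can land a session on it.
    """
    ctx = ssl.create_default_context()
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    everything = set(VERSIONS)                       # server still has SSL 3.0 enabled
    modern_only = {"TLSv1.2", "TLSv1.1", "TLSv1.0"}  # server with SSL 3.0 retired

    print("no attacker:           ", connect(everything))
    print("MITM, legacy client:   ", connect(everything, attacker_drops_above="SSLv3"))
    print("MITM, floor at TLS 1.0:", connect(everything, floor="TLSv1.0",
                                             attacker_drops_above="SSLv3"))
    print("MITM, SSLv3 retired:   ", connect(modern_only, attacker_drops_above="SSLv3"))
    print("stdlib refuses SSLv3:  ", default_context_refuses_sslv3())
```

Run with no arguments. The first line shows the honest case negotiating TLS 1.2; the second shows the same client, against the same server, ending up on SSL 3.0 purely because someone on the path dropped three handshakes. The two fixes are the remaining lines: either the client refuses to fall below a sane floor (it then fails closed, which is the correct outcome when an attacker is tampering), or the server retires SSL 3.0 outright so there is nothing to downgrade to.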

Apple design guru and revered genius Sir Jony Ive has made it clear that he doesn’t find it the least bit flattering when other devices bear any resemblance to the fruity firm’s precious iThings. At Vanity Fair’s New Establishment Summit in San Francisco, he told an audience member who asked about similar designs from rivals like Xiaomi:

I think it’s really straightforward: it really is theft, and it’s lazy and I don’t think it’s OK at all.

Though he later admitted that might have been a bit harsh and made him seem just a tad bitter. Xiaomi boss Lin Bin certainly seemed to feel Ive had gone a bit far. He told the China News Service:

Xiaomi is a very open company, which would never force anyone to use its products. However, one can only judge Xiaomi's gadgets after he or she has used them. I'm very willing to give a Xiaomi cell phone to [Ive] as a present, and I look forward to hearing his remarks after he uses it.

In Blighty, a new test from mobile coverage survey company GWS shows that commuting into London sucks even more than commuters thought, because phone service on trains is now officially rubbish. One in three data tasks and one in seven voice calls attempted on commuter routes failed in areas where there should be decent coverage. GWS CEO Paul Carter said:

Leaves on the track, the wrong kind of snow, having to stand up all the way to work and back – commuters have enough to contend with without the kind of mobile connectivity problems we’re revealing today. It’s hard to believe we’re in 2014 and in a situation whereby a trained wizard would have a tough time getting a signal on the Hogwarts Express while it’s sitting in St Pancras.

Meanwhile, Microsoft aficionado Charles Petzold, whose Programming Windows book taught a generation of developers how to code for Redmond’s products, has told The Reg that he figured out the API all by himself. He said:

I never worked for Microsoft. I really liked figuring things out on my own. Early on in the development of a new version of Windows, I would explore it, I would try out various things, I would see what worked, I would see what didn’t work.

For Windows 1.0, there were five sample apps. The first one was a hello world app, except that it was very large because it included a menu, and the menu triggered an about box, and a lot of people thought all that stuff was necessary.

So I took that program and stripped away everything that seemed to be not necessary. I took away the about box and the program still worked. I took away the menu and the program still worked. I took away other things and simplified it as much as possible and that became the first sample program in my book.

In other Microsoft news, the firm has managed to tick off a load of the faithful by issuing DMCA takedowns that were a little too aggressive. Loyal podcasters and video bloggers found themselves issued with warnings and had their YouTube accounts suspended for supposed copyright infringement. Yet their musings on Windows were often just comment and advice pieces. Respected Windows nerd Chris Pirillo said in a YouTube comment:

They're going after ANYTHING with "Windows" in the title, it seems. My video was on a completely benign topic - not a review: "Windows 7 Upgrade or Anytime Upgrade?" Video ID: kUtY1AFZGTI - and I'm the type of person who intentionally avoids music, sounds, video, images, etc. WARN ALL THE TECH YOUTUBERS THAT THEY MIGHT WANT TO STOP TALKING ABOUT WINDOWS.

And the community also took to Twitter:

While Microsoft frantically tried to fix the damage:

And finally, in the security world, guru Mikko Hyppönen has told El Reg that law enforcement and intelligence agencies should stop complaining about the improving security on mobile phones, because they brought it on themselves.

FBI Director James Comey, US attorney general Eric Holder and Europol boss Troels Oerting have all moaned that increased data protection on mobes was going to make fighting crime and terrorism more difficult. But Hyppönen said:

Governments annoyed by companies taking a stand on security should remember they caused this themselves by hacking companies from their own countries.

Instead of just considering attacks from criminals some of the largest software companies have to consider attacks from their own governments too.

He also said that current surveillance was too pervasive:

I’m not against surveillance per se: I’m against blanket surveillance. There’s a trade off between privacy and security.

Law enforcement is imperfect so the question is whether or not it’s a good trade off to have blanket surveillance.

Intel agencies will go to any means to get what they want. I can understand why they might want to infiltrate standards bodies and push weaker cryptography but that weakens everybody’s security.

Speaking at the IP Expo conference, he told delegates:

George Orwell was an optimist. Governments can not only watch what you do (telescreens) but what you think… Show me your search history and within five minutes I'll find something embarrassing or incriminating. Guaranteed.

Biting the hand that feeds IT © 1998–2022