
You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?


Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by many people – though that makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.
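To make the failure concrete, here is an added illustration (not Cryptkeeper's or encfs' own code): a simplified model of how encfs reads its stdin under -S, before and after the fix, fed with the exact byte stream Cryptkeeper writes, plus a write_all() helper that checks write() results, which is the gap McVittie points out later in the piece. The two-mode model of encfs is an assumption made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

/* Assumed model of encfs reading its password from stdin with -S.
 * old_prompting_behaviour = 1: the pre-fix encfs still consumed a
 * mode-selection line (Cryptkeeper's "p") before reading the password.
 * old_prompting_behaviour = 0: the fixed encfs takes the first line
 * as the password, exactly as -S is documented to do. */
static void model_encfs_password(const char *stdin_data, int old_prompting_behaviour,
                                 char *out, size_t outlen) {
    const char *p = stdin_data;
    if (old_prompting_behaviour) {
        const char *nl = strchr(p, '\n');      /* skip the "p\n" mode line */
        p = nl ? nl + 1 : p + strlen(p);
    }
    const char *end = strchr(p, '\n');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
}

/* The byte stream Cryptkeeper feeds to encfs: "p\n", the password, "\n". */
static int build_cryptkeeper_stream(const char *password, char *buf, size_t buflen) {
    int n = snprintf(buf, buflen, "p\n%s\n", password);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Hardened writer: retries on short writes and reports failure, unlike
 * the unchecked write() calls quoted above. Returns 0 on success, -1 on error. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        buf += w; len -= (size_t)w;
    }
    return 0;
}

int main(void) {
    char stream[128], pw[64];
    if (build_cryptkeeper_stream("correct horse battery", stream, sizeof stream) < 0) return 1;
    model_encfs_password(stream, 1, pw, sizeof pw);
    printf("old encfs sees password: \"%s\"\n", pw);  /* correct horse battery */
    model_encfs_password(stream, 0, pw, sizeof pw);
    printf("fixed encfs sees password: \"%s\"\n", pw); /* p */
    return 0;
}
```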

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®
