Archive for the ‘Security’ Category

Free beer is not OK

Coding, Operating Systems, Security, Technology

The phrase “free, as in beer” is often used in connection with Open Source software to indicate that the software is given to users without any expectation of payment. This distinguishes it from “free, as in speech”, which might erroneously suggest that the software could do whatever it liked.

Actually, were it not for Andres Freund’s recent discovery, a certain piece of software called xz utils might have actually become free to do whatever it liked (or more correctly, whatever its evil master desired). NIST gives it a criticality of 10/10. Freund announced his discovery a month after the tainted xz had been released, though thankfully before it had worked its way into production systems.

The xz utilities provide [click title to read more…]

AI, AI captain

Legal and Political, Security, Technology

Artificial Intelligence is appearing everywhere and it is increasingly difficult to stop it seeping into our lives. It learns and grows by observing everything we do, in our work, in our play, in our conversations, in everything we express to our communities and everything that community says to us. We are being watched. Many think it is just a natural progression from what we already created. To me, it is anything but natural.

Spellchecking: an AI precursor

Half a century ago, automatic spell-checking was introduced to word processing systems. Simple pattern matching built into the software enabled it to detect unknown words and suggest similar alternatives. By adding statistical information it could rearrange the alternatives so that the most likely [click title to read more…]

Dragged by the roots

Networking, Security, Web

This one had me scratching my head for a while today. A client and an ex-client both contacted me with strange HTTP connectivity issues, which manifested as errors occurring on one server while the exact same code was working elsewhere. The logs revealed that an HTTPS connection was being rejected because the connection to the external site could not be validated. The problem was that the root certificates were out of date, and the external site was using Let’s Encrypt SSL certificates, which, as of this month (October 2021), have a new compatibility restriction: their certs can only be validated by a client if that client trusts the ISRG Root X1 certificate. That restriction prevents functionality on iPhones running [click title to read more…]

e-Criminals

Security

I woke this morning to the news that Ireland’s health service was hit by ransomware, crippling a vital component of our society in the middle of a global pandemic. The first reported casualty of this evil deed was a maternity hospital. As the day goes on we will find the consequences of this attack expanding to include more hospitals, medical clinics, doctors’ surgeries and, particularly worryingly, the Covid-19 processes (testing and vaccination). Some or all of these will have to go offline. Much will have to move to alternative mechanisms, such as pen and paper!

Undoubtedly any ransom demand will be rebuffed. To accede would simply raise a flag saying “we pay” and invite more attacks. No, this will [click title to read more…]

Sneak peek

Hardware, Security

In the past few days the tech community has gone into a panic over a discovery that computers have been vulnerable to a specific kind of attack for over 20 years. Despite being present for a very long time, it would seem that nobody has exploited the vulnerability. The details are complicated, but let’s consider a part of their discovery in simpler terms:

The problem is in the processor (CPU), the thing that does calculations using information in the computer’s main memory (RAM). Decades ago, CPU designers from companies like Intel, AMD and others, decided that they could speed up a computer if they could get it to do some calculations ahead of time, even if the results of [click title to read more…]