Automatically Hacking Computers

25. April, 2008

Imagine, you had access to the Windows Update servers. What could you do?

No, no write access. Just read access.

Not to the harddisk or the OS, just the normal patch download access via HTTP.

You could automatically hack any software that Microsoft patches (or anyone who supplies security patches for their software for that matter).

Confused?

Okay. Follow along on a little thought experiment. Security patches contain fixes for security bugs. Security bugs allow to do bad things with your computer like turning it into a spam zombie. Or make it steal your bank account data. Or allow someone you’ve never met to put illegal stuff on your computer like stolen music or pr0n.

The security patch fixes that. But there is a catch. The security fix is a little piece of program with instructions how to install it. Basically, it replaces a piece of program that is already on your computer.

How could someone possibly abuse this? Isn’t the security hole fixed after the patch?

Actually, for the kind of attack we’re talking about here, this is irrelevant. What is interesting is this: The patch is almost identical with the program that you already have. The difference is a few bytes which fix the security hole.

While it is usually very hard to find a security hole in a program (you’d have to analyze a whole lot of code), the security patch is actually a map to the hole. It tells you exactly what was broken and how it was fixed.

That allows for two kinds of attack: First, you can now easily write a program which can successfully attack all computers which don’t have the patch, yet. And you can check if the guys made a mistake with the fix. If they did, you now have a perfect recipe for disaster.

To make things worse, there is only a limited amount of ways to make a program break in such a way that you get a security hole. This means: It is possible to write a program which compares the original code and the patch and which comes up with a virus for the hole which has just been fixed (or not). Automatically.

This program could just sit there, watch the Windows Update servers, wait for a new patch to come up, create a virus from that and distribute it to already cracked websites.

Scientists from three different universities were able to show that it is actually possible to do this.

For you, this means two things: Firstly, whenever a security patch is available, you must install it immediately. Secondly, you must not visit any website until you have installed all available security patches. Otherwise, you’re risking to be infected by visiting an innocent website that someone has hacked. Remember, those are vulnerable to the same kind of attack: A cracker could have gained access to the computer of one of the administrators of the site with the attack described above and could have got a copy of the password with the help of a keylogger.

In a few years, we’ll have an immune system for the Internet.

Or we won’t have an Internet anymore.

Leave a Comment » | Software | Tagged: | Permalink
Posted by digulla

Creating a Visual XML Editor

23. April, 2008

A long time ago, I’ve complained about XML editors and that there is no decent XML editor out there which you can use as the basis for a nice visual editor for your custom XML format.

It seems my prayers have been heard.

Leave a Comment » | Software | Tagged: , | Permalink
Posted by digulla

Rewind for GDB

17. April, 2008

Every developer has used a debugger once in a while. And sometimes, you had this “stepped once too many” problem: You ran your code too far. Since there is no way to go back, your only option was to start all over again.

A guy called “teawater” has just published a patch for GDB which does just that: It allows to reverse the program execution. Kind of an undo for the CPU registers, stack and memory. Can’t wait to see this for Java!

Leave a Comment » | Software | Tagged: , | Permalink
Posted by digulla

Public Talk: Quantum Computing (2nd Try)

14. April, 2008

After my back is back, I’ll give the talk about quantum computing this week, Thursday 17th of April. See this page for details.

2 Comments | Talk | Tagged: , | Permalink
Posted by digulla

IllegalStateException: The PluginDescriptor for the plugin … was not found

14. April, 2008

Ever saw this error?

java.lang.IllegalStateException: The PluginDescriptor for the plugin Plugin [org.apache.maven.plugins:maven-resources-plugin] was not found.
        at org.apache.maven.plugin.DefaultPluginManager.addPlugin(DefaultPluginManager.java:325)
        at org.apache.maven.plugin.DefaultPluginManager.verifyVersionedPlugin(DefaultPluginManager.java:212)
        at org.apache.maven.plugin.DefaultPluginManager.verifyPlugin(DefaultPluginManager.java:176)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.verifyPlugin(DefaultLifecycleExecutor.java:1274)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.getMojoDescriptor(DefaultLifecycleExecutor.java:1542)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.bindLifecycleForPackaging(DefaultLifecycleExecutor.java:1033)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.constructLifecycleMappings(DefaultLifecycleExecutor.java:997)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoal(DefaultLifecycleExecutor.java:477)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalAndHandleFailures(DefaultLifecycleExecutor.java:330)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeTaskSegments(DefaultLifecycleExecutor.java:291)
        at org.apache.maven.lifecycle.DefaultLifecycleExecutor.execute(DefaultLifecycleExecutor.java:142)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:336)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:129)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:287)

When you see this, check:

  1. That the JAR file of the plug-in is okay and that it contains a file META-INF/maven/plugin.xml
  2. That the pom.xml of the plug-in exists and is valid.
  3. That all parent POMs exist and are valid.

Good luck. I’ve opened this issue to get a better error message.

4 Comments | Software | Tagged: | Permalink
Posted by digulla

Do Not Reply

25. March, 2008

Do not send mails to donotreply.com

Oh, you don’t?

Sure?

Really?

Well, just make sure that none of the many applications and servers you’re running doesn’t send mails with “ignore@donotreply.com” in the mail header as a hint to the recipient that they should not reply to this mail.

Because if you don’t do that, someone will get a lot of mail from your business and some of that mail (error messages, security information, etc) is of the type you don’t want to leak.

I especially like the post about the Department of Homeland Security. If people like that “protect” America, then I understand why the General Public puts so much emphasis on religion and faith.

And who is this General anyway? 😉

Leave a Comment » | Software | Tagged: | Permalink
Posted by digulla

Have Phun?

22. March, 2008

Did you have Phun lately? No? Not sure? In that case, check it out! It’s great!

Phun is a “2D physics sandbox”. You can draw objects with your mouse and then have nature have its way with them. Even if that sounds stupid or a waste of time to you, check the flash video on the home page out. If you played with Lego or Fischertechnik as a child, this one is definitely for you (and since that was probably already a few years in the past: for your children, too).

On the site, you’ll find links to insane machines people have already built and of course, there is already a huge amount of videos on YouTube.

And last but not least, there is a Windows and Linux version (32 and 64bit!).

Have Phun!

Leave a Comment » | Fun, Software | Tagged: | Permalink
Posted by digulla

Giant In The Playground

10. March, 2008

I enjoy the odd RPG session and I love comics, so it comes natural that I adore comics about gamers. There are the usual suspects like Dork Tower (“I kill Gandalf” – priceless) but there are also one or two gems to be plucked from the muddy seabed of the Internet.

Like “The Order of the Stick” from Giant in The Playground Games. Visuals that you either love or hate. Ignore them for now, it’s the texts that counts. A deep understanding of gamers and their troubles (“That’s not a core spell!”), a bunch of really great characters with a lot of hilarious weaknesses (height, family problems and laws) and cunning ways to deal with them (cutting enemies to size, meeting your ancestors in the after life and explaining why you’re keeping a mass assassin as companion who kills anything that moves and loves every cut while you’re being judged for afterlife). Way to go, Rich!

Leave a Comment » | Book | Tagged: , | Permalink
Posted by digulla

Public Talk: Quantum Computing [Update]

10. March, 2008

Because of major back pain, I can’t give this talk today. I’ll post a new announcement when I knew the new date. Sorry.

If you ever wanted to meet the mind behind the blog and you happen to be in Zurich on April, 4th, you can. I’ll be giving a public talk about quantum computing for the LUGS (Linux User Group Switzerland). The talk will be in German.

It’s not mandatory to be a member of the LUGS to attend the talk but of course, you’re welcome to become a member of Switzerland’s largest LUG, too.

Leave a Comment » | Talk | Tagged: , | Permalink
Posted by digulla

You Gotta Be Kiddin

25. February, 2008

… must … resist …

Oh, I so suck at resisting …;-> Gimme that chocolate cake …

I mean … “Source Fource [sic]”???

Okay, I admit it has all the usual ingredients for a successful M$ product: Funny, cute, lots of color, no brains, based on technology which every competitor threw out a decade ago (so they could buy it cheaply last Thuesday) and nothing a sane person would want to use unless being paid for. We’re in for a huge success, for sure.

“Windows Server Crusader”? Whow! Sounds like fun, slaughter, middle ages … remember? Middle ages? At school? Torture, diseases, boiling oil, blunt weapons and brute force to solve important problems like starvation, civil rights and who’s gotta own Jerusalem next week? Yay! Does it come with UT2007, Quake III or DOOM3 preinstalled? Can I finally kill processes with a shotgun and a lot of splatter?

“Mobile Gal” … travels faster than light! Whow! Faster than light! I mean, she is so far ahead, there is no way that anything she says could ever get back to us … faster than light, get it? It’s physics. No matter. If physics were any concern to customers of M$, they wouldn’t be customers of M$ in the first place …

“SQL Server Gal” … perfect memory … and she “loves checking out leather-clad biker boys” … I wonder how that adds up … I mean, they say she’s so smart and hangs around guys who can’t get a decently paid job, who love to get drunk and who aren’t widely accepted as role models for treating a woman like she deserves … ’nuff said.

“Visual Studio Guy” … “[m]orphs and transforms everyday objects into masterpieces.” … oookay … so … like Picasso? Nice to look at (even though you can’t quite grasp it), very expensive, totally useless no matter what problem you have to solve? Way to go! Finally, I can waste more paid hours on a stupid product to solve problems which we wouldn’t have without it.

“ISV Super Gal” … can’t even figure out what she’s supposed to be.

“Windows Vista Sensei” … “[m]artial arts master trained in the ancient art of combat, security, and connectivity.” Translation: There is a lot of pain and suffering in your future. Even simple tasks (like fetching a bucket of water) will become an exercise in humiliation. Remember all those martial arts movies where the pupil meets the master to learn the ropes? Great fun to watch but imagine just for a moment who will be the pupil, now … you or Vista?

“Office Master” … waitaminute … doesn’t that read like “Windows Vista Sensei” with Cut’n’Paste? I guess the money M$ poured into the ads for these great now products didn’t reach to this guy. Shame.

So all in all, we’re in for a lot of fun and enjoyment in the future! Not our fun and enjoyment, sure, but a lot of it nonetheless! M$ will again make a lot of money, funnel it into a cheap ad campaign to foo^B^B^Beducate the foo^B^B^Bcustomers out there because who in their right mind would waste all that good money on developing great software that sells just because it’s … great?

Nobody!

Disclaimer: This post was neither endorsed nor encouraged (even if you could argue about that one) by any companies that brought you edlin, DOS, IE or word processing software that eats your documents faster than you can save them but who are insanely rich despite all that which only proves that there is no intelligent live down here … at least not in positions where decisions are made.

Leave a Comment » | Fun | Tagged: | Permalink
Posted by digulla

« Previous Entries
Next Entries »