Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.

Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take control of a computer running Bitdefender’s antivirus package. The bug, privately reported in April, was patched in May.

[…]

It’s important to note that Bitdefender said the bug was within its Chromium-based “secure browser” SafePay, which is supposed to protect online payments from hackers and is part of its Total Security 2020 suite. Meanwhile, Palant said the vulnerability was within a component called Online Protection within that suite, meaning it could be exploited by any website opened in any browser on any computer running Bitdefender’s vulnerable antivirus package.

[…]

When the antivirus suite wanted to flag up suspicious or broken HTTPS certificates, which are sometimes a sign shenanigans may be afoot, Bitdefender’s code generated a custom error page that appeared as though it came from the requested website. It would do this by modifying the server response.

It’s generally preferable that antivirus vendors stay away from encrypted connections as much as possible

There was nothing to stop a web server with a bad certificate from requesting the contents of Bitdefender’s custom error page, though, because as far as your browser is concerned, the error page came from the web server anyway.

Thus, a malicious web server could serve a page with a good certificate, and cause a new window to open with a page from the same domain and server albeit with an invalid certificate. Bitdefender’s code would jump in, and replace the second webpage with a custom error page. The first page with the good certificate could then use XMLHttpRequest to fetch the contents of the error page, which your browser would hand over.

That error page contained the Bitdefender installation’s session tokens, which could be used to send system commands to the security software suite on the user’s PC to execute. Palant’s proof-of-concept exploit worked against a Windows host, allowing a malicious page to install, say, spyware or ransomware on a victim’s computer.

“The URL in the browser’s address bar doesn’t change,” Palant explained. “So as far as the browser is concerned, this error page originated at the web server and there is no reason why other web pages from the same server shouldn’t be able to access it. Whatever security tokens are contained within it, websites can read them out.”

Source: Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution • The Register
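The security-relevant point in the story above is the browser’s same-origin rule: a response the browser attributes to the site’s own URL is readable by every other page from that origin, whoever actually produced it. The following is an added example, not code from The Register’s article or from Bitdefender; it models origin comparison the way a browser does and contrasts two interceptor designs, rewriting the response in place versus serving the vendor page from a separate origin (the vendor origin, URLs and the token string are constructed placeholders).

```javascript
// Added example: why an interceptor-generated error page served at the web
// server's own origin is readable by that site's pages, and why moving the
// page to a distinct origin (or keeping secrets out of it) is the mitigation.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Browser-style origin: scheme + host + effective port. The WHATWG URL parser
// drops a default port, so "https://host:443/x" and "https://host/x" agree.
function origin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Can a script in `pageUrl` read a response fetched from `resourceUrl` with
// XMLHttpRequest/fetch when no CORS headers are present? Only on origin match.
function sameOriginReadable(pageUrl, resourceUrl) {
  return origin(pageUrl) === origin(resourceUrl);
}

// Interceptor design 1 (the weak one): replace the server's body in place.
// The browser still attributes the body to the server's URL.
function interceptInPlace(requestUrl, body) {
  return { url: requestUrl, body };
}

// Interceptor design 2: answer with a page on a vendor-controlled origin.
// "error.vendor-av.invalid" is an assumed placeholder, not a real host.
function interceptRedirect(requestUrl, body) {
  const vendorPage = "https://error.vendor-av.invalid/cert-error";
  return { url: `${vendorPage}?for=${encodeURIComponent(requestUrl)}`, body };
}

// Design 3: keep the in-place page but never embed a secret in it.
function interceptInPlaceNoSecret(requestUrl, body) {
  return { url: requestUrl, body: body.replace(/session_token=\S+/, "session_token=[redacted]") };
}

// Constructed sample error page; the token value is a placeholder.
const ERROR_PAGE = "<html>Bad certificate. session_token=CONSTRUCTED_SAMPLE</html>";

// Run one interceptor design against the scenario from the article: a page
// with a valid certificate on the site opens a second URL on the same site
// whose certificate is bad, and the interceptor answers that second request.
function scenario(intercept) {
  const goodPage = "https://example.test/good";
  const badCertPage = "https://example.test:443/bad-cert";
  const response = intercept(badCertPage, ERROR_PAGE);
  const readable = sameOriginReadable(goodPage, response.url);
  const hasSecret = /session_token=(?!\[redacted\])/.test(response.body);
  return {
    servedFrom: origin(response.url),
    readable,
    tokenExposed: readable && hasSecret,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const design of [interceptInPlace, interceptRedirect, interceptInPlaceNoSecret]) {
    console.log(design.name, scenario(design));
  }
}
```

Run with `node` to print the three outcomes: the in-place rewrite exposes the token, while either a separate vendor origin or a secret-free page does not. The origin comparison here is the ordinary same-origin policy; the point for anyone building an interception proxy is that the browser cannot tell an interceptor’s page from the server’s, so the proxy’s output has to be treated as if the site itself could read it.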

Burger King Is Leveraging Tesla Autopilot’s Confusion To Sell Whoppers

The Monarch of Meat announced a campaign that takes advantage of some sloppy sign recognition in the Tesla Autopilot’s Traffic Light and Stop Sign control, specifically in instances where the Tesla confuses a Burger King sign for a stop sign (maybe a “traffic control” sign?) and proceeds to stop the car, leaving the occupants of the car in a great position to consume some Whoppers.

The confusion was first noted by a Tesla Model 3 owner who has confusingly sawed the top off his steering wheel, for some reason, and uploaded a video of the car confusing the Burger King sign for a stop sign.

Burger King’s crack marketing team managed to arrange to use the video in this ad, and built a short promotion around it:

Did you see what I was talking about with that steering wheel? I guess the owner just thought it looked Batmobile-cool, or something? It’s also worth noting that it seems that the car’s map display has been modified, likely to remove any Tesla branding and obscure the actual location:


The promotion, which Burger King is using the #autopilotwhopper hashtag to promote, was only good for June 23rd, when they’d give you a free Whopper if you met the following conditions:

To qualify for the Promotion, guest must share a picture or video on Twitter, Facebook or Twitter with guest’s smart car outside a BK restaurant using #autopilotwhopper and #freewhopper.

Guests who complete step #3 will receive a direct message, within 24 hours of posting the picture/video, with a unique code for a Free Whopper sandwich (“Coupon”). Limit one Coupon per account.

It seems Burger King is using the phrase “smart car” to refer to any car that has some sort of Level 2 semi-autonomous driver’s assistance system that can identify signs, but the use of the “autopilot” in the hashtag and the original video make it clear that Teslas are the targeted cars here.

Source: Burger King Is Leveraging Tesla Autopilot’s Confusion To Sell Whoppers

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.

This means the ISP, which has joined Moz’s Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.

Last year Comcast and other broadband giants were fiercely against such safeguards, though it appears Comcast has had a change of heart – presumably when it figured it could offer DNS-over-HTTPS services as well as its plain-text DNS resolvers.

At some point in the near future, Firefox users subscribed to Comcast will use the ISP’s DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.

[…]

Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers’ web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here’s Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.

ISPs “have access to a stream of a user’s browsing history,” Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. “This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS.”

Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program’s rules.

Source: Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers • The Register

Russia returns to space tourism and offers a first citizen spacewalk

Russia’s space agency Roscosmos has re-entered the space tourism market and this time will offer one person the chance to spacewalk.

The agency on Thursday announced a new deal with US outfit Space Adventures to take two people to the International Space Station atop a Soyuz rocket. One of the tourists, according to Space Adventures’ announcement, “will have an opportunity to conduct a spacewalk outside the space station, becoming the first private citizen in history to experience open space.”

The spacewalking tourist will be accompanied by a professional Russian cosmonaut.

The two companies have previously launched seven space tourists including Ubuntu daddy Mark Shuttleworth in 2002. Your correspondent interviewed him about the experience in 2005 and he was still clearly awed by the power of the Soyuz, weightlessness and the views from above, to the extent that he said a sub-orbital tourist flight with the likes of Virgin Galactic held little appeal.

The trip will see the pair of tourists spend 14 days in the Russian module of the ISS.

Source: Russia returns to space tourism and offers a first citizen spacewalk • The Register

As advertisers revolt, Facebook commits to flagging ‘newsworthy’ political speech that violates policy

As advertisers pull away from Facebook to protest the social networking giant’s hands-off approach to misinformation and hate speech, the company is instituting a number of stronger policies to woo them back.

In a livestreamed segment of the company’s weekly all-hands meeting, CEO Mark Zuckerberg recapped some of the steps Facebook is already taking, and announced new measures to fight voter suppression and misinformation — although they amount to things that other social media platforms like Twitter have already enacted and enforced in more aggressive ways.

At the heart of the policy changes is an admission that the company will continue to allow politicians and public figures to disseminate hate speech that does, in fact, violate Facebook’s own guidelines — but it will add a label to denote they’re remaining on the platform because of their “newsworthy” nature.

It’s a watered-down version of the more muscular stance that Twitter has taken to limit the ability of its network to amplify hate speech or statements that incite violence.

Zuckerberg said:

A handful of times a year, we leave up content that would otherwise violate our policies if the public interest value outweighs the risk of harm. Often, seeing speech from politicians is in the public interest, and in the same way that news outlets will report what a politician says, we think people should generally be able to see it for themselves on our platforms.

We will soon start labeling some of the content we leave up because it is deemed newsworthy, so people can know when this is the case. We’ll allow people to share this content to condemn it, just like we do with other problematic content, because this is an important part of how we discuss what’s acceptable in our society — but we’ll add a prompt to tell people that the content they’re sharing may violate our policies.

The problems with this approach are legion. Ultimately, it’s another example of Facebook’s insistence that with hate speech and other types of rhetoric and propaganda, the onus of responsibility is on the user.

Source: As advertisers revolt, Facebook commits to flagging ‘newsworthy’ political speech that violates policy | TechCrunch

Apple: We’re defending your privacy by nixing 16 browser APIs. Rivals: You mean defending your bottom line

Apple has said it has decided not to implement 16 web APIs in its Safari browser’s WebKit engine in part because they pose a privacy threat. Critics of the iGiant, including competitors like Google, see Apple’s stance as a defense against a competitive threat.

These APIs, developed in recent years to allow web developers to have access to capabilities available to native mobile platform coders, have the potential to be abused for device fingerprinting, a privacy-violating technique for constructing a unique identifier out of readable device characteristics that can be used for tracking individuals across websites and can be correlated to follow people across devices.

“WebKit’s first line of defense against fingerprinting is to not implement web features which increase fingerprintability and offer no safe way to protect the user,” explains the WebKit team’s recently updated post on tracking prevention.

[…]

In a message to The Register, Lukasz Olejnik, an independent researcher and consultant, characterized the decision as a win for privacy, noting that research he co-authored in 2015 and subsequently on the privacy risks of the Battery Status API and other browser fingerprinting threats helped shape Apple’s policy.

Concern about abuse of the Battery Status API, which websites and browser-based apps can use to check the battery level of a visitor’s/user’s mobile device, prompted Mozilla to remove support in October 2016. Around the same time, Apple, which had implemented the API in code but never activated it, decided not to ship it.

Google meanwhile shipped the Battery Status API in Chrome 45, which debuted on July 10, 2015. Rather than removing it, the web giant in May committed to modifying it by allowing developers to disable the API with their apps and in third-party components.

Apple, trying to control its market? No!

Google engineers coincidentally are among those expressing frustration with Apple for holding the web platform back.

Apple requires that all web browsers on iOS devices use Safari’s WebKit rendering engine, which has made mobile browsers on iOS something of a monoculture: Though users may choose to run Chrome on iOS, it’s essentially Safari under the hood.

Over the past few years, Apple’s leisurely (or cautious) pace of API deployment in Safari has meant that Progressive Web Apps (PWAs) – installable web apps that run offline – haven’t worked properly on iOS devices.

As a result, web developers, particularly those interested in PWA adoption, have accused Apple of trying to hamstring web apps to protect its financial stake in native iOS apps, for which it gets a 30 per cent share of revenue through its App Store rules. Those same rules are now the subject of an EU antitrust inquiry.

[…]

Or as Ben Thompson, tech analyst for Stratechery, put it in a blog post on Monday, “Making the web less useful makes apps more useful, from which Apple can take its share; similarly, it is notable that Apple is expanding its own app install product even as it is kneecapping the industry’s.”

Asked about whether these competitive concerns have substance, Olejnik acknowledged that some people see Apple’s technical decisions in that light.

“That said, some privacy concerns are legitimate,” he said.

And for what it’s worth, the technical barriers to PWAs have been falling.

Source: Apple: We’re defending your privacy by nixing 16 browser APIs. Rivals: You mean defending your bottom line • The Register

How to jam neural networks

Sponge Examples: Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN applications, from image recognition to natural language processing (NLP). Adversaries might use these examples for all sorts of mischief – from draining mobile phone batteries, through degrading the machine-vision systems on which self-driving cars rely, to jamming cognitive radar.

So far, our most spectacular results are against NLP systems. By feeding them confusing inputs we can slow them down over 100 times. There are already examples in the real world where people pause or stumble when asked hard questions but we now have a dependable method for generating such examples automatically and at scale. We can also neutralize the performance improvements of accelerators for computer vision tasks, and make them operate on their worst case performance.

One implication is that engineers designing real-time systems that use machine learning will have to pay more attention to worst-case behaviour; another is that when custom chips used to accelerate neural network computations use optimisations that increase the gap between worst-case and average-case outcomes, you’d better pay even more attention.

Source: How to jam neural networks | Light Blue Touchpaper

OpenAI GPT-2 creates credible texts from minimal input

We’ve trained a large-scale unsupervised language model which generates coherent paragraphs of text, achieves state-of-the-art performance on many language modeling benchmarks, and performs rudimentary reading comprehension, machine translation, question answering, and summarization—all without task-specific training.

Our model, called GPT-2 (a successor to GPT), was trained simply to predict the next word in 40GB of Internet text. Due to our concerns about malicious applications of the technology, we are not releasing the trained model. As an experiment in responsible disclosure, we are instead releasing a much smaller model for researchers to experiment with, as well as a technical paper.

[…]

GPT-2 displays a broad set of capabilities, including the ability to generate conditional synthetic text samples of unprecedented quality, where we prime the model with an input and have it generate a lengthy continuation. In addition, GPT-2 outperforms other language models trained on specific domains (like Wikipedia, news, or books) without needing to use these domain-specific training datasets. On language tasks like question answering, reading comprehension, summarization, and translation, GPT-2 begins to learn these tasks from the raw text, using no task-specific training data. While scores on these downstream tasks are far from state-of-the-art, they suggest that the tasks can benefit from unsupervised techniques, given sufficient (unlabeled) data and compute.

Samples

GPT-2 generates synthetic text samples in response to the model being primed with an arbitrary input. The model is chameleon-like—it adapts to the style and content of the conditioning text. This allows the user to generate realistic and coherent continuations about a topic of their choosing, as seen by the following select samples

Source: Better Language Models and Their Implications