Seer of the tapes! Knower of the episodes!

  • 0 Posts
  • 21 Comments
Joined 1 year ago
cake
Cake day: July 3rd, 2023

help-circle













  • E-mail is a lingua franca. It’s used not because it’s superior, but because you don’t have to worry about whether your recipient is using the right software setup to receive your message. It’s the lowest common denominator of internet messaging and can only be replaced in that role by a new lowest common denominator.

    • A company that rejected basic email would necessarily be rejecting some percent of legitimate messages and/or increase their IT costs. While this doesn’t mean it’s impossible, it would be at least be a painful transition. Users will hate it.
    • Adding PKI just amplifies the software setup problem because now you have to worry about primitive selection, centralized authorities, key lifecycle management, etc. And there’s no way for the sender and recipient to negotiate security parameters, so they have to be agreed on in advance, something basic email doesn’t need.
    • PKI is too finicky and abstract for the average user to understand or care about. We can’t reasonably expect them to make good decisions about a subject that even professionals and large organizations struggle to understand. A big reason for email’s longevity and success is that the average user doesn’t need to understand it at any technical level.

  • Even the researcher who reported this doesn’t go as far as this headline.

    “I am an admin, should I drop everything and fix this?”

    Probably not.

    The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection’s traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection’s encryption mode.

    […]

    “So how practical is the attack?”

    The Terrapin attack requires an active Man-in-the-Middle attacker, that means some way for an attacker to intercept and modify the data sent from the client or server to the remote peer. This is difficult on the Internet, but can be a plausible attacker model on the local network.

    https://terrapin-attack.com/



  • As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.

    So, does disabling the boot logo prevent the attack, or would it only make the attack obvious?