Mike Meredith

Security: So What Is An Exploit Anyway?

 Computing, Security  No Responses »
Jun 122015
 

This is going to be relatively lightweight in terms of technical content; most explanations of what a security exploit is do tend to be very technical in nature. 

So what is an exploit? At the most fundamental, it is what an attacker uses to take control of your computer. It can be compared with the installation routine you normally run to install a new application, because an exploit is effectively how an attacker installs their agent onto your computer.

There are on a simplistic level two kinds of exploits out there – the kind that works against people (the attacker tricks the person into running their code) or the kind that works against software. Of course there are exploits that sit in the middle and defy this simplistic classification, but as this is a simplistic posting, we'll gloss over those.

Exploits against people are frankly quite boring. All that is needed to protect against them is to apply the relevant operating system patches and avoid turning off malware protection. Unfortunately people tend to be very resistant to operating system patches and often indulge in practices that turn off their malware protection (drinking!).

The technically interesting exploits are the exploits against software. And when I say "technically interesting", it means that they get very technical and difficult to describe very quickly.

But at the core, such exploits involve tricking the computer into treating what should be considered as data as code. As a very simplistic example, imagine you have a web form that takes input from random strangers on the Internet, and the input from that form is added to a database. If the code has been written naively an attacker can simply append their code to the end of the input and it will be run.

All computer data is at the lowest level nothing more than numbers. The word "Hello" is actually encoded as a stream of numbers: 72, 101, 108, 108, 111, 10. Taking just the first three numbers, and I find there is a photo of myself with that sequence. And one of the editors I use (EMACS) also contains that sequence. The meaning of a sequence of numbers is dependent on how the computer chooses to interpret it.

A great deal of computer code is dedicated to interpreting those sequences of numbers as intended – so a picture is shown as a picture and not run as code in a Python interpreter. If a computer mistakenly (or is tricked into) misinterpreting a sequence of numbers as some kind of data that it is not, then the result could be just about anything but is most likely to be a crash or displaying garbage.

And just occasionally the computer will run that misinterpreted data as code.

And that in some circumstances can be called an exploit. But what happens after the exploit? What does the attacker do then? 

That's something for another time.

Elements Have Their Way

Welsh Parliament To Ban Public Vaping

 General, Politics  No Responses »
Jun 092015
 

And Just How Dumb Are Welsh Politicians?

According to the news this morning, the Welsh assembly is to prohibit vaping in enclosed public spaces in the same way that smoking is banned; a bit of cut&paste on the old law. You might expect a moron in a hurry to look at vaping, and say "It looks like smoking so it must be bad." but you should be able to expect that politicians would make a decision based on the available evidence.

However it appears that Welsh politicians have more in common with a moron in a hurry than an idealised poltician.

Before I carry on, let me explain that despite being a vaper (and ex-smoker), if I were to live in Wales, this ban would make practically no difference to me. I don't vape at work (in the office!), in pubs, shops, on trains, or anywhere you can expect the Welsh ban to take effect. I do sometimes wish there was a vaping lounge I could go to on occasions.

The main reason this is such a stupid ban is that it treats vaping as if it were as harmful to the health as smoking. There is not a single serious person who would claim that vaping is as dangerous as smoking. And treating it the same as smoking tells smokers (remember the moron in a hurry) that there's no point in switching to vaping instead because vaping is just as harmful.

There is an argument that whilst the risks are unknown for sure (there is no evidence that secondary vaping is harmful; and plenty of studies that show that secondary vaping is harmless [1], [2], [3]), that it would be nice to stop vaping in public enclosed spaces; just not on the same level as smoking. For example :-

  • Allow pubs to decide whether they allow vaping or not. And to encourage a bit of trendy localism: Why not allow the pub regulars to vote on whether vaping should be allowed or not?
  • Ban vaping in restarants (some of the strange flavours could easily put people off their food) but allow vaping in a lobby area or other ventilated but isolated space.
  • Allow other work-places to set up isolated "vaping lounges".

The intention is to minimise a probably non-existent risk to non-vapers whilst letting vapers get away with just a bit more than smokers. 

Amusingly enough, by consigning vapers to the same sin bin as the smokers, these dumb politicians open themselves up to a class action suit in the future – why should I have to endure the risk of secondary smoking?

There are two daft arguments that I heard used this morning which indicate that some of the Welsh politicians realise just how dumb they're being :-

  1. Allowing vaping in enclosed public spaces normalises smoking. It doesn't normalise smoking unless you're a moron in a hurry – it's quite easy to tell the difference between vapour and smoke. The smell of vapour is far nicer! It "normalises" vaping as a better choice than smoking.
  2. It acts as a gateway to smoking. No; it's a gateway out of smoking. 

Even if you were to disagree with my assessments of these two arguments, the fact they are being made at all indicates just how poor the argument for banning vaping in public really is. 

Bring Back Hunting? Sure, But With A Couple Of Small Changes …

 Politics  No Responses »
May 242015
 

Apparently there is some senile old fart who has decided to try and turn the clocks back to the 18th century and wants to bring back hunting with packs of ferrocious animals desperate to rip apart cute fluffy animals (with the assistence of a few hounds). It would seem that wannabee toffs have been nagging their Tory glove-puppets and David Cameron has caved in to their whispers.

For those who were too young back in the day, or for those who have forgotten, we used to let inbred morons ride around the countryside on horses (often crashing through land they didn't have a right of way over) with a gang of yapping hounds chasing around something they could kill – foxes, deer, peasants (well perhaps the later wasn't too common). During the Great Debate on hunting (which wasn't that great really as their excuses for hunting were really quite pathetic), the hunting lobby tried to convince everyone that they were only hunting for the good of agriculture. 

Which had us all rolling aboutt the floor laughing of course.

Perhaps the most ridiculous comment about the prospect of removing the ban on hunting comes from the Countryside Alliance who clain that removing the ban will eliminate the risk of their supporters from being prosecuted for "accidental" fox killings whilst they are playing at hunting. A bit like claiming that murder should be made legal because if I fire off a shotgun repeatedly in a crowded supermarket, I might "accidentally" kill someone.

It's strange how easy it was to ban certain cruel "sports" (such as cock-fighting and bear baiting) which were more popular with the working class whereas the "sport" of the wannabee toffs is trying to make a comeback. Anyone would suspect that class differences are still important today.

But yes let's bring back hunting with a couple of small changes :-

  1. Hunts have to turn in their hounds in favour of Chihuahuas.
  2. They have to release and hunt Grizzlies.

That should either make hunting less popular, or at least reduce the number of hunters to an appropriate level (zero).

Just to pierce a few pre-conceptions about those opposed to hunting :-

  1. I don't like animals much.
  2. Whilst I live in a city, I grew up in a semi-rural area

Linux: Missing Mouse Pointer? Try This

 Computing, Working Notes  No Responses »
May 222015
 

So on my upgrade from Wheezy to Jessie, I found myself (amongst other issues) looking at a graphical interface where the mouse worked fine, but no mouse pointer was visible. After trying a few other things, it turned out that :-

gsettings set org.gnome.settings-daemon.plugins.cursor active false

Did the trick.

Of course that tip came from somewhere else, but as it worked for me, it’s worth making a note of.

 Older Entries  Newer Entries