Could Say It, But...: Difference between revisions

(Tabletop Games)
Line 266: Line 266:
* The British satirical magazine ''[[Private Eye]]'' is regularly sued for libel. On one occasion the initial letter from the opposing lawyers stated that the level of damages demanded would be based on their response. They replied by asking "What would the damages be if our response was 'Fuck Off'?.
* The British satirical magazine ''[[Private Eye]]'' is regularly sued for libel. On one occasion the initial letter from the opposing lawyers stated that the level of damages demanded would be based on their response. They replied by asking "What would the damages be if our response was 'Fuck Off'?.
* "I never comment on referees and I’m not going to break the habit of a lifetime for that prat" – Ron Atkinson
* "I never comment on referees and I’m not going to break the habit of a lifetime for that prat" – Ron Atkinson
* There's no such thing as pure "reading" access in network - you need to ''send a request''. Obvious? But people often miss this.
* There's no such thing as pure "reading" access in network or otherwise between systems supposed to be compartmentalized - you need to ''send a request'' for it. Which itself contains data. Obvious? But people often miss this.
** Even security experts occasionally don't see this trap. E.g. an antivirus runs suspicious files in an emulator and its coders [https://bugs.chromium.org/p/project-zero/issues/detail?id=769#c2 presumed that non-state changing requests can be safely passed to OS as is] (it's faster). [[What Could Possibly Go Wrong?]] OS is Windows and APIs to which they pass humble read-only requests include both ''reading'' keyboard state, and ''reading'' attributes of files that aren't necessarily local, but may be URL somewhere on Internet. The result: malware only needs to change directory (which checks its attributes) to "<nowiki>http://www.WeHostHomePages.com/~Im_11_yrs_old_and_what_is_this/more-cat-pictures(</nowiki>''your_key_presses_go_here''<nowiki>)/</nowiki>", the remote server only needs to log request for a non-existent location as an error... and that's how a hacker got in an easily filtered text file all the passwords you typed while the file you have downloaded, but never started ran again and again.
** Even security experts occasionally don't see this trap. E.g. an antivirus runs suspicious files in an emulator and its coders [//web.archive.org/web/1/bugs.chromium.org/p/project-zero/issues/detail?id=769#c2 presumed that non-state changing requests can be safely passed to OS as is] (it's faster). [[What Could Possibly Go Wrong?]] OS is Windows and APIs to which they pass humble read-only requests include both ''reading'' keyboard state, and ''reading'' attributes of files that aren't necessarily local, but may be URL somewhere on Internet. The result: malware only needs to change directory (which checks its attributes) to "<nowiki>http://www.WeHostHomePages.com/~Im_11_yrs_old_and_what_is_this/more-cat-pictures(</nowiki>''your_key_presses_go_here''<nowiki>)/</nowiki>", the remote server only needs to log request for a non-existent location as an error... and that's how a hacker got in an easily filtered text file all the passwords you typed while the file you have downloaded, but never started ran again and again.
** Another exfiltration trick falling under this uses the fact that error messages are a debugging mechanism, thus designed for the developer's convenience and not always subjected to very strict security measures. After all, it would just report a ''failure to'' serve any useful data and echo the request that caused it (which the same user have sent in the first place), right? But in combination with certain other generic and excessively user-friendly functionality it may say too much. The target machine receives a request as XML which amounts to an overcomplicated form of something like "give me <nowiki>./public/herp-derp#(contents of /etc/passwd)</nowiki>", and answers with "Error! We cannot give you <nowiki>./public/herp-derp#[actual contents of /etc/passwd]</nowiki> (No such file or directory)" (see [//christian-schneider.net/GenericXxeDetection.html here and in references]).


{{examples|...but I'd get in trouble if I did.}}
{{examples|...but I'd get in trouble if I did.}}
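
Review bot: The added sub-bullet on error messages never names the technique it describes. "Certain other generic and excessively user-friendly functionality" leaves the reader guessing, and the link label "here and in references" gives no hint of the target. The linked URL is a page called GenericXxeDetection, so naming XML external entities in the sentence and using a descriptive link label would make the entry checkable. In the same sub-bullet, "which the same user have sent" should be "has sent". In the reworded parent bullet, "Which itself contains data." is a fragment that reads better joined to the previous sentence. In the antivirus sub-bullet, the link was changed to a protocol-relative "//web.archive.org/web/1/..." address; keeping the original bugs.chromium.org URL visible next to the archive copy would keep the source identifiable. The edit summary "(Tabletop Games)" does not match the lines changed, which are the network-access entry and its sub-bullets.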