Can you actually have enjoyable with FORTRAN? – Bare Safety

DOUG.  Juicejacking, public psychotherapy, and Enjoyable with FORTRAN.

All that and extra on the Bare Safety podcast.

[MUSICAL MODEM]

Welcome to the podcast, all people.

I’m Doug Aamoth; he’s Paul Ducklin.

Paul, how do you do in the present day, Sir?


DUCK.  I’m very effectively, Douglas.

I’m intrigued by your phrase “Enjoyable with FORTRAN”.

Now, I do know FORTRAN myself, and enjoyable is just not the primary adjective that springs to thoughts to explain it. [LAUGHS]


DOUG.  Properly, you may say, “You may’t spell ‘FORTRAN’ with out ‘enjoyable’.”

That’s not fairly correct, however…


DUCK.  It’s really astonishingly *inaccurate*, Doug! [LAUGHS]


DOUG.  [LAUGHING] Maintain that in thoughts, as a result of this has to do with inaccuracies.

This week, on 19 April 1957, the primary FORTRAN program ran.

FORTRAN simplified programming, starting with a program run at Westinghouse that threw an error on its first try – it produced a “lacking comma” diagnostic.

However the second try was profitable.

How do you want that?


DUCK.  That’s fascinating, Doug, as a result of my very own – what I at all times thought was ‘data’, however seems might be an city legend…

…my very own story about FORTRAN comes from about 5 years after that: the launch of the Mariner 1 house probe.

Spacecraft don’t at all times comply with precisely the place they’re imagined to go, and so they’re imagined to right themselves.

Now, you think about the sort of calculations concerned – that was fairly laborious within the Sixties.

And I used to be informed this semi-officially (that means, “I heard it from a lecturer at college once I was finding out laptop science, but it surely wasn’t a part of the syllabus”)…

..apparently, that bug was right down to a line in FORTRAN that was imagined to say DO 51 I = 1,100, which is a “for loop”.

It says, “Do 100 loops, as much as and together with line 51.”

However the individual typed DO 51 I = 1.100, with a dot, not a comma.

FORTRAN ignores areas, so it interpreted DO51I = as a variable project, assigned that variable the worth 1.100, after which went around the loop as soon as… as a result of it hadn’t been informed to loop at line 51, and line 51 simply executed as soon as.

I at all times assumed that that was the correction loop – it was imagined to have 100 goes to get the spacecraft again on course, and it solely had one go, and due to this fact it didn’t work.

[LAUGHS]

And it appears it might not really be true… could also be a little bit of an city legend.

As a result of there’s one other story that claims that truly the bug was right down to an issue within the specs, the place somebody wrote out the equations that wanted to be coded.

And for one of many variables, they stated, “Use the present worth of this variable”, when actually, you have been imagined to easy the worth of that variable by averaging it over earlier readings.

You may think about why that may toss something off track if it needed to do with course correction.

So I don’t know which is true, however I just like the DO 51 I = 1,100 story, and I plan to maintain eating out on it for so long as I can, Doug.


DOUG.  [LAUGHS] Like I stated, “Enjoyable with FORTRAN”.


DUCK.  OK, I take your level, Doug.


DUCK.  Each these tales are enjoyable…

One thing not so enjoyable – an replace to an replace to an replace.

I imagine that is at the very least the third time we’ve talked about this story, however that is the psychotherapy clinic in Finland that housed all its affected person knowledge, together with notes from periods, on-line within the cloud beneath a default password, which was leveraged by evildoers.

These evildoers tried to get some cash out of the corporate.

And when the corporate stated no, they went after the sufferers.

Ex-CEO of breached pyschotherapy clinic will get jail sentence for unhealthy knowledge safety


DUCK.  How terrible should which have been, eh?

As a result of it wasn’t simply that that they had the sufferers’ ID numbers and monetary particulars for a way they paid for his or her remedy.

And it wasn’t simply that that they had some notes… apparently, the periods have been recorded and transcribed, and *these* have been uploaded.

In order that they principally had every thing you’d stated to your therapist…

…and one wonders whether or not you had any concept that your phrases can be preserved perpetually.

Might need been within the small print someplace.

Anyway, as you say, that’s what occurred.

The blackmailer went after the corporate for, what, €450,000 (which was about half one million US {dollars} on the time), and so they weren’t inclined to pay up.

In order that they thought, “Hey, why don’t I simply contact all of the sufferers? As a result of I’ve acquired all their contact particulars, *and* I’ve acquired all their deepest, darkest secrets and techniques and fears.”

The criminal figured, “I can contact them and say, ‘You’ve acquired 24 hours to pay me €200; then I’ll provide you with 48 hours to pay me €500; after which I’m going to doxx you – I’m going to dump your knowledge for everyone to see’.”

And I did learn one article that recommended that when the sufferers didn’t provide you with the cash, he really discovered individuals who’d been talked about of their conversations.


DOUG.  Didn’t somebody’s mom get roped into this, or one thing like that?


DUCK.  Sure!

They stated, “Hey, we now have conversations together with your son; we’re going to dump every thing that he stated about you, from a non-public session.”

Anyway, the excellent news is that the victims determined they have been undoubtedly not going to take this mendacity down.

And a great deal of them did report it to the Finnish police, and that gave them impetus to take this as a severe case.

And the investigations have been ongoing ever since.

There’s someone… I imagine he’s nonetheless in custody in Finland; he hasn’t completed his trial but for the extortion aspect.

However in addition they determined, “You understand what, the CEO of the corporate that was so shabby with the info ought to bear some private legal responsibility.”

He can’t simply go, “Oh, it was the corporate; we’ll pay a fantastic” (which they did, and finally went bankrupt).

That’s not sufficient – he’s imagined to be the boss of this firm; he’s imagined to set the requirements and decide how they function.

So he went to trial as effectively.

And he’s simply been discovered responsible and given a 3 month jail sentence, albeit a suspended one.

So if he retains his nostril clear, he can keep out of jail… however he did get taken to process for this in court docket, and given a felony conviction.

As mild because the sentence may sound, that does sound like begin, doesn’t it?


DOUG.  Plenty of feedback on this publish are saying they need to pressure him to go to jail; he ought to really spend time in jail.

However one of many commenters, I believe rightly, factors out that that is frequent for first-time offenders for non-violent crimes…

…and he does now have a felony report, so he could by no means work on this city once more, because it have been.


DUCK.  Sure, and maybe extra importantly, it can give anyone pause earlier than permitting him the authority to make this sort of poor determination in future.

As a result of it appears that evidently it wasn’t simply that he allowed his IT staff to do shabby work or to chop corners.

It appears that evidently they did know they’d been breached on two events, I believe in 2018 and 2019, and determined, “Properly, if we don’t say something, we’ll get away with it.”

After which in 2020, clearly, a criminal acquired maintain of the info and abused it in a method that you simply couldn’t actually doubt the place it got here from.

It wasn’t simply, “Oh, I ponder the place they acquired my electronic mail handle and nationwide id quantity?”

You may solely get your Clinic X non-public psychotherapy transcript from Clinic X, you’ll anticipate!


DOUG.  Sure.


DUCK.  So there’s additionally the facet that in the event that they’d come clear in 2018; in the event that they’d disclosed the breach as they have been imagined to, then…

(A) They might have accomplished the proper factor by the legislation.

(B) They might have accomplished the proper factor by their sufferers, who may have began taking precautions upfront.

And (C), they might have had some compunction upon them to go and repair the holes as a substitute of going, “Oh, let’s simply hold quiet about it, as a result of if we declare we didn’t know, then we don’t should do something and we may simply keep on within the shabby method that we now have already.”

It was undoubtedly not thought-about an harmless mistake.

And due to this fact, on the subject of cybercrime and knowledge breaches, it’s potential to be each a sufferer and a perpetrator on the identical time.


DOUG.  A very good level effectively put!

Let’s transfer on.

Again in February 2023, we talked about rogue 2FA apps within the app shops, and the way generally they simply sort of linger.

And linger they’ve.

Paul, you’re going to be doing a stay demo of how one among these well-liked apps works, so everybody can see… and it’s nonetheless there, proper?

Beware rogue 2FA apps in App Retailer and Google Play – don’t get hacked!


DUCK.  It’s.

Sadly, the podcast will come out simply after the demo has been accomplished, however that is some analysis that was accomplished by a pair of unbiased Apple builders, Tommy Mysk and Talal Haj Bakry.

On Twitter, you’ll find them as @mysk_co.

They recurrently look into cybersecurity stuff in order that they’ll get cybersecurity proper of their specialist coding.

They’re programmers after my very own coronary heart, as a result of they don’t simply do sufficient to get the job accomplished, they do greater than sufficient to get the job accomplished effectively.

And this was across the time, in case you bear in mind, that Twitter had stated, “Hey, we’re going to be discontinuing SMS-based two-factor authentication. Due to this fact, in case you’re counting on that, you will want to go and get a 2FA app. We’ll depart it to you to search out one; there are hundreds.”

Twitter tells customers: Pay up if you wish to hold utilizing insecure 2FA

Now, in case you simply went to the App Retailer or to Google Play and typed in Authenticator App, you bought so many hits, how would you realize which one to decide on?

And on each shops, I imagine, the highest ones turned out to be rogues.

Within the case of the highest search app (at the very least on the Apple Retailer, and a number of the top-ish apps on Google Play), it seems that the app builders had determined that, in an effort to monitor their apps, they’d use Google Analytics to report how folks use the apps – telemetry, because it’s known as.

A number of apps do that.

However these builders have been both sneakily malicious, or so ignorant or careless, that in amongst the stuff they collected about how the app was behaving, in addition they took a replica of the two-factor authentication seed that’s used to generate all of the codes for that account!

Mainly, that they had the keys to all people’s 2FA castles… all, apparently innocently, by program analytics.

However there it was.

They’re accumulating knowledge that completely ought to by no means depart the cellphone.

The grasp key to each six-digit code that comes each 30 seconds, for evermore, for each account in your cellphone.

How about that, Doug?


DOUG.  Sounds unhealthy.

Properly, we might be trying ahead to the presentation.

We’ll dig up the recording, and get it out to folks on subsequent week’s podcast… I’m excited!

Alright, transferring proper alongside to our closing subject, we’re speaking about juicejacking.

It’s been some time… been about over ten years since we first heard this time period.

And I’ve to confess, Paul, once I began studying this, I started to roll my eyes, after which I ended, as a result of, “Why are the FBI and the FCC issuing a warning about juicejacking? This should be one thing huge.”

However their recommendation is just not making an entire lot of sense.

One thing should be happening, but it surely doesn’t appear that huge a deal on the identical time.

FBI and FCC warn about “Juicejacking” – however simply how helpful is their recommendation?


DUCK.  I believe I’d agree with that, Doug, and that’s why I used to be minded to put in writing this up.

The FCC… for many who aren’t in america, that’s the Federal Communications Fee, so on the subject of issues like cell networks, you’d suppose they know their oats.

And the FBI, after all, are basically the federal police.

So, as you say, this grew to become a large story.

It acquired traction everywhere in the world.

It was definitely repeated in lots of media retailers within the UK: [DRAMATIC VOICE] “Beware charging stations at airports.”

As you say, it did appear to be just a little little bit of a blast from the previous.

I wasn’t conscious why it might be a transparent and current “huge consumer-level hazard” proper now.

I believe it was 2011 that it was a time period coined to explain the concept a rogue charging station may simply not present energy.

It might need a hidden laptop on the different finish of the cable, or on the different aspect of the socket, that attempted to mount your cellphone as a tool (for instance, as a media gadget), and suck recordsdata off it with out you realising, all beneath the guise of simply offering you with 5 volts DC.

And it does appear as if this was only a warning, as a result of generally it pays to repeat previous warnings.

My very own checks recommended that the mitigation nonetheless works that Apple put in place proper again in 2011, when juicejacking was first demonstrated on the Black Hat 2011 convention.

While you plug in a tool for the primary time, you’re supplied the selection Belief/Do not Belief.

So there are two issues right here.

Firstly, you do should intervene.

And secondly, in case your cellphone’s locked, someone can’t get on the Belief/Do not Belief button secretly by simply reaching over and tapping the button for you.

On Android, I discovered one thing related.

While you plug in a tool, it begins charging, however it’s important to go into the Settings menu, enter the USB connection part, and swap from No Information mode into both “share my footage” or “share all my recordsdata” mode.

There’s a slight warning for iPhone customers if you plug itinto a Mac.

In the event you do hit Belief by mistake, you do have the issue that in future, if you plug it in, even when the cellphone is locked, your Mac will work together together with your cellphone behind your again, so it doesn’t require you to unlock the cellphone.

And the flip aspect to that, that I believe listeners ought to pay attention to is, on an iPhone, and I think about this a bug (others may simply say, “Oh no, that’s an opinion. It’s subjective. Bugs can solely be goal errors”)…

…there isn’t any method to overview the listing of gadgets you’ve gotten trusted earlier than, and delete particular person gadgets from the listing.

By some means, Apple expects you to recollect all of the gadgets you’ve trusted, and if you wish to mistrust *one* of them, it’s important to go in and principally reset the privateness settings in your cellphone and mistrust *all* of them.

And, additionally, that choice is buried, Doug, and I’ll learn it out right here since you most likely gained’t discover it by your self. [LAUGHS]

It’s beneath Settings > Common > Switch or Reset iPhone > Reset Location and Privateness.

And the heading says “Put together for New iPhone”.

So the implication is you’ll solely ever want to make use of this if you’re transferring from one iPhone to the subsequent.

However it does appear, certainly, as you stated on the outset, Doug, with juicejacking, that there’s a chance that somebody has a zero-day meaning plugging into an untrusted or unknown laptop may put you in danger.


DOUG.  I’m attempting to think about what it might entail to usurp one among these machines.

It’s this huge, garbage-can dimension machine; you’d should crack into the housing.

This isn’t like an ATM skimmer the place you possibly can simply match one thing over.

I don’t know what’s happening right here that we’re getting this warning, but it surely looks like it might be so laborious to really get one thing like this to work.

However, that being stated, we do have some recommendation: Keep away from unknown charging connectors or cables in case you can.

That’s one.


DUCK.  Even a charging station that was arrange in completely good religion may not have the decency of voltage regulation that you prefer to.

And, as a flip aspect to that, I might recommend that if you’re on the street and also you understand, “Oh, I instantly want a charger, I don’t have my very own charger with me”, be very cautious of pound-shop or dollar-shop super-cheap chargers.

If you wish to know why, go to YouTube and seek for a fellow known as Massive Clive.

He buys low-cost digital gadgets like this, takes them aside, analyses the circuitry and makes a video.

He’s acquired a incredible video a couple of knockoff Apple charger

…[a counterfeit] that appears like an Apple USB charger, that he purchased for £1 in a pound-shop in Scotland.

And when he takes it aside, be ready to be shocked.

He additionally prints out the producer’s circuit diagram, and he really goes by with a sharpie and places it beneath his digital camera.

“There’s a fuse resistor; they didn’t embrace that; they left that out [crosses out missing component].”

“Right here’s a protecting circuit; they not noted all these elements [crosses more out].”

And finally he’s right down to about half the elements that the producer claimed have been within the gadget.

There’s a degree the place there’s a spot between the mains voltage (which within the UK can be 230 volts AC at 50 Hz) and a hint on the circuit board that may be on the supply voltage (which for USB is 5 volts)…

…and that hole, Doug, might be a fraction of a millimetre.

How about that?

So, sure, keep away from unknown connectors.


DOUG.  Nice recommendation.


DUCK.  Carry your individual connectors!


DOUG.  It is a good one, particularly in case you’re on the run and you have to cost shortly, other than the safety implications: Lock or flip off your cellphone earlier than connecting it to a charger or laptop.

In the event you flip off your cellphone, it’ll cost a lot quicker, in order that’s one thing proper there!


DUCK.  It additionally ensures that in case your cellphone does get stolen… which you can argue is a little more possible at one among these multi-user charging stations, isn’t it?


DOUG.  Sure!


DUCK.  It additionally signifies that in case you do plug it in and a Belief immediate does pop up, it’s not simply sitting there for another person to go, “Ha, that appears like enjoyable,”and clicking the button you didn’t anticipate.


DOUG.  Alright, after which we’ve acquired: Think about untrusting all gadgets in your iPhone earlier than risking an unknown laptop or charger.

That’s the setting you simply walked by earlier beneath Settings > Common > Switch or Reset iPhone


DUCK.  Walked *down* into; method down into the pit of darkness. [LAUGHS]

You don’t *want* to try this (and it’s a little bit of a ache), but it surely does imply that you simply aren’t risking compounding a belief error that you could have made earlier than.

Some folks may think about that overkill, but it surely’s not, “You have to do that”, merely a good suggestion as a result of will get you again to sq. one.


DOUG.  And final however not least: Think about buying a power-only USB cable or adapter socket.

These can be found, and so they simply cost, they don’t switch knowledge.


DUCK.  Sure, I’m undecided whether or not such a cable is out there within the USB-C format, but it surely’s simple to get them in USB-A.

You may really peer into the socket, and if it’s lacking the 2 center connectors… I put an image within the article on Bare Safety of a motorbike mild I’ve that solely has the outer connectors.

In the event you can solely see energy connectors, then there’s no method for knowledge to be transferred.


DOUG.  Alright, superb.

And allow us to hear from one among our readers… one thing of a counterpoint on the juicejacking piece.

Bare Safety Reader NotConcerned writes, partially:

This text comes off a bit naive. In fact, juicejacking isn’t some widespread downside, however to low cost any warning primarily based on a really fundamental check of connecting telephones to a Home windows and Mac PC and getting a immediate is sort of foolish. That doesn’t show there aren’t strategies with zero clicks or faucets wanted.

What say you, Paul?


DUCK.  [SLIGHT SIGH] I get the purpose.

There could possibly be an 0-day meaning if you plug it in at a charging station, there could be a method for some fashions of cellphone, some variations of working system, some configurations… the place it may one way or the other magically bypass the Belief immediate or mechanically set your Android into PTP mode or File Switch mode as a substitute of No Information mode.

It’s not unimaginable.

However in case you’re going to incorporate most likely esoteric million-dollar zero-days within the listing of issues that organisations just like the FCC and the FBI make blanket warnings about, then they need to be warning, day after day after day: “Don’t use your cellphone; don’t use your browser; don’t use your laptop computer; don’t use your Wi-Fi; don’t press something in any respect”, for my part.

So I believe what worries me about this warning is just not that you need to ignore it.

(I believe that the element that we put within the article and the ideas that we simply went by recommend that we do take it greater than significantly sufficient – we’ve acquired some first rate recommendation in there that you could comply with if you would like.)

What worries me about this sort of warning is that it was introduced as such a transparent and current hazard, and picked up all around the globe so that it sort-of implies to folks, “Oh, effectively, that signifies that once I’m on the street, all I have to do is don’t plug my cellphone into humorous locations and I’ll be OK.”

Whereas, actually, there are most likely 99 different issues that may provide you with much more security and safety in case you have been to do these.

And also you’re most likely not at a big threat, if you’re wanting juice, and you actually *do* have to recharge your cellphone since you suppose, “What if I can’t make an emergency name?”


DOUG.  Alright, glorious.

Properly, thanks, NotConcerned, for writing that in.


DUCK.  [DEADPAN] I presume that identify was an irony?


DOUG.  [LAUGHS] I believe so.

In case you have an attention-grabbing story, remark or query you’d prefer to submit, we’d like to learn it on the podcast.

You may electronic mail [email protected], you possibly can touch upon any one among our articles, or you possibly can hit us up on social: @nakedsecurity.

That’s our present for in the present day; thanks very a lot for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, till subsequent time, to…


BOTH.  Keep safe!

[MUSICAL MODEM]

Featured picture of punched laptop card by Arnold Reinhold through Wikipedia beneath CC BY-SA 2.5