Transcription of the twelfth issue of the Procurator podcast

    In time immemorial, on our favorite resource (that is, right here), there was a type of publication called a “podcast”. Since then, a lot of water has flowed under the bridge: podcasts disappeared from Habr, but survived the rise, fall and new rise, bringing us to the present day. We thought for a long time about whether we should experiment with transcribing an hour-long podcast into text, but somewhere after the third request to “read” rather than “listen”, we realized that it would have to be done.

    Quick reference:
    • Yes, the podcast is called the Procurator, but not of Judea, but of information security.
    • No, the picture is not Pontius Pilate, but Niccolò Machiavelli, because his "The Prince" (or "The Sovereign") was the first to describe the methodology of seizing power and the methods of governing - and this (attempts to seize and to control) is what we constantly encounter in the field of information, and any other, "security".
    • Yes, we decided to make a text transcript of one of the issues of the podcast, first of all for those who do not yet know whether it would be interesting for them to listen to such discussions, and secondly for people who take in text better than audio.
    • No, we will not transcribe every podcast regularly.
    • Yes, this is the twelfth edition of the podcast, and its name is 0c. It was published on March 30 - in the process of reading (or listening) you will understand why it is important to know this in mid-April.

    Sasha Kozlov : Hello everyone! This is the Procurator, number 12 by count, it seems; what name we will come up with for it in our numeral system is a good question, and we will discuss it a bit later, I think, with our colleagues.
    In the meantime, with you today is the full cast of the Procurator podcast, which includes Sasha Kozlov, also known as shapelez (that is me, and everything is clear with me); next to me are Kostya kpp Ignatov, Artem janatem Shvorin, Sasha user318 Zubkov and Artem ximaera Gavrichenkov.
    We continue our interesting experiment with the lack of a common document, and now we consciously bring each of our own topics to the podcast in which everyone is interested. Well, I’ll probably start: I won’t call it a tradition, we just need to start somewhere!

    Legislative point of view

    Sasha Kozlov : I brought with me a wonderful story about Oracle’s trial with Google regarding the use of Java in the Android mobile operating system, which has been going on since 2010. Yes, Artem?

    Artem Gavrichenkov : Yes, I am now in doubt whether to comment about the whale and the elephant or about the toad and the viper. But while I'm confused in zoology, Sasha, go on.
    Sasha Kozlov : Well, let's recall the historical background of all this, because I’m not sure that everyone has been following this since 2010, when the first lawsuit between the two companies began.

    In fact, the whole story, of course, started much earlier, at the start of the creation of the Android mobile operating system under the leadership of an organization that was at one time called the Open Handset Alliance; that is, if you did not know, it was the one that created this operating system, led by Andy Rubin, and Google was on an equal footing in it at that point in time with many other companies, including Samsung. In general, who wasn't there!

    In 2009, it seems, or at the end of 2008, a corporation such as Oracle took over another company that at that time was already in a rather miserable condition - this is Sun Microsystems. Actually, Java was the intellectual property of Sun Microsystems, it is clear that this intellectual property was transferred to Oracle. Everything would be fine, but after 8 months, respectively, in the US court - now we will not go into details about the state in which they sued, because this is a big question ...

    Artem Gavrichenkov : Not in Texas, by any chance ?

    Sasha Kozlov: I think that one of these lawsuits definitely took place in Texas, but which of the three rounds of filings and appeals is a big question. Because since 2010 they have indeed gone through 3 full rounds: a lawsuit was filed, there was a hearing, a decision was made, then an appeal was filed, and then a decision was made again. So Google lost the last 2 appeals.

    Actually, this is the whole complexity of their current situation, because from the legalistic point of view ...
    Kostya Ignatov : Which one?
    Sasha Kozlov : Legislative point of view ...
    Kostya Ignatov : Did you now translate the English word into Russian using transliteration, or what?
    Sasha Kozlov : Yes.
    Artem Gavrichenkov : There really is such a word!
    Sasha Zubkov : But someone already translated it before.
    Sasha Kozlov : From this very point of view, the following story turns out: in order to escalate the lawsuits further, Google now has no other chance but to go to the Supreme Court of the United States, i.e. Supreme Court, as I understand it.

    Artyom Shvorin : Stop, but before that it was about which state it was happening in - and this is important, because in some of the states there is a nest of patent trolls - is it Texas?
    Artyom Gavrichenkov : Yes, it is Texas! Eastern District.
    Sasha Kozlov: It seems so, yes! And by the way, there is another interesting story: in one of the previous podcasts, remember, I told you about the judge to whom all the difficult cases of this kind flock, where code is analyzed during the trial? Well, this is a Texas judge.
    Artyom Shvorin : Just at the beginning of this story, there really was some judge who wanted to learn the basics of Java in order to understand whether “Hello, world” is a unique property.

    Sasha Kozlov: Here you go! And at the last hearing on this appeal, which Google lost, they in fact also tried to make ... That is, one of Google’s positions in its defense was that the Java code was written to be executed on the desktop, and in this case we are talking about applications in mobile operating systems, which expands the scope of application of this code, and where do the intellectual rights to developments that have already been resold twice by now begin and end; well, they drag this whole bunch of legacy along.

    So, the intrigue: will Google go to the Supreme Court or pay almost 9 billion dollars? Or will it somehow negotiate a reduction of this amount? This, I think, is what we will soon see in the news. Yesterday a very large number of people wrote about this, Bloomberg released a very long piece, and the stock quotes of both companies are falling, so Oracle did not win anything here, because to kill Android is to kill Android. What do you think?

    Artyom Gavrichenkov : Well, why kill?
    Kostya Ignatov: Killing the project will not work anyway. And Google, of course, will go to the Supreme Court with this, but it seems to me that the court will refuse to accept the application, as, in my opinion, has already happened. Another nuance is interesting here: if you look at this story, it turns out that Oracle, in fact, wanted to go after the desktop expansion, i.e. Chrome is already running not only on mobile systems, but Chrome OS also exists, which runs on desktops, and Oracle really wanted to go after it.

    Artem Shvorin : So there Java is not in Chrome.
    Kostya Ignatov: No, not in Chrome, but in Chrome OS - it’s not the same as the browser, it’s a full-fledged OS that lives by the same principles and has the same APIs. And, in general, the claim is not even against the code, not even against the JVM, but against the API, i.e. against all the little things that let you call a function that has some name and does some kind of thing. As far as I understand, the claim is against the list of names and what they do.

    By the way, the restriction, written in the official position of Oracle, applies not only to mobile, but also to cloud platforms. That is, the desktop is the only platform on which you can use Java or any other implementation of it, and not be afraid that you ...

    Sasha Kozlov: And Oracle does not mind. Artem, say: you are a long-term Android user, you had a lot of Android phones - are you not worried?
    Artem Gavrichenkov : Whether I’ve been a user for many years depends on the definition of the word “a lot,” because I have been using it for less than a year, so if 0.9 is a lot, then it really is. In fact, we are not talking about any “platform killing”, but rather about someone’s attempt to bite someone else’s piece of the pie, because they didn’t manage to distribute it.

    It is especially funny that it was actually the dead (Sun Microsystems) who didn’t have time to share the cake, which makes this story even funnier. Nevertheless, I am inclined to believe that it is not a whale and an elephant, but a giant mutated toad and a no less mutated snake. I saw something similar in some Japanese films.
    Sasha Kozlov: Quite possible. Unless, of course, anime can be called Japanese films, although why not.
    Artem Gavrichenkov : No, no, no!
    Sasha Kozlov : Do you mean some kind of feature films?
    Artem Gavrichenkov : There was something with Godzilla and there was some hefty worm ... Matra, or something like that.


    Sasha K : Artem, since we started talking about phones, I know that you wanted to tell something about Phantom Secure - a company with which an interesting story has happened.

    Artem G : Yes. This is a wonderful story. For those who don’t know, and probably few do: in the tenth of March, the FBI detained the head of a company that was manufacturing secure mobile phones. Moreover, really protected Androids with the GPS physically removed, with the standard browser removed, with built-in PGP and an encrypted messenger - not Telegram, that is, but a really secure messenger. And the FBI arrested the people who produced such phones and is now preparing a case for court.

    At this point, if you have not heard this news before, you probably think that the bloody American secret police are oppressing freedom of speech and so on. But the fact is that the main market for such phones was Latin American drug cartels. The company was called, or is called, Phantom Secure ("phantom security"), and they really had this market positioning.

    Their owner was caught when, in the best tradition, a test purchase was made from him. The Canadian police called, naturally introduced themselves as drug dealers, and asked the employee whether the phone was safe for discussing a methamphetamine delivery to Montreal. To which the company representative joyfully replied that it is absolutely safe for this, you can use it. On the one hand, that is a pretty funny way to get set up.

    Sasha Z : Have you posted the portfolio?

    Artem G : Woo! Yes, yes. My point is that when I read this, my first reaction was “shut up and take my money”. Where can I buy this phone? No, really.

    You know, there is a car called the Toyota Hilux, it is very famous ... No, not like that. It is very popular because it is known for its indestructibility. The Toyota Hilux is the car that Clarkson and May from Top Gear drove to the North Pole; they had slightly different tires, but, in principle, the same Hilux. This is the same car that Top Gear put on the roof of a multi-story building before the building was blown up, and the car started up and drove after that. But the Hilux gained fame when it suddenly turned out that all the ... How to describe it? Arab groups?

    Sasha K : Firstly, because of our wonderful Roskomnadzor, we are immediately forced to make the following reservation under the law: “Organizations banned in the Russian Federation”.
    Artem G : Yes, as well as organizations that are apparently permitted, because there is Hezbollah, but I don’t know about it. In general, organizations, including those prohibited in the Russian Federation, used these Toyotas for literally everything. As a result, people had a question: why are they not delivered with turrets right away?

    If anyone wants to google at their leisure and read funny Wikipedia articles: there is such a thing as the Toyota War. This is a however-many-week-long conflict in the Middle East where two groups clashed, most likely banned in the Russian Federation, and both groups used these Toyota Hilux for transportation.
    Sasha K : There really everything is very cool, i.e. they make tanks out of them, armor them, etc.
    Sasha Z : Now they can still add phones there.
    Sasha K : Smart car (laughs).
    Artem G : And now look.

    “Phantom Secure Phone. Approved by drug cartels. ”

    Sasha K : The best advertisement is not only in the southern hemisphere, for anyone ...
    Artem G : Any Blackphone can simply be closed after that.

    Kostya I: An interesting remark, by the way, regarding a secure connection - a messenger that seems to be there and what you just said about Telegram. Just for the listeners it may be interesting that we are recording from two different points in the world, and we are now communicating with each other via Telegram.

    I also wanted to talk about one fact discovered on the topic of Android. Perhaps you know that officially you can call Android only a very specific OS, it must be certified by Google, it should not only have what Google publishes in the form of open codes, but also part of their libraries and Google Play Services, in particular. It is believed that if this is not on the phone, then this is not Android, i.e. You cannot use this trademark to call it that. Therefore, what is produced in large quantities in China, generally speaking, is not considered Android.
    Artem Sh : It is considered, but not called.
    Sasha Z : Who will stop them.
    Kostya I : For the same reason, Lineage and what used to be called CyanogenMod are also not called Android.

    An interesting nuance is that such a well-known brand as Xiaomi does not release many of its phones for sale anywhere except in China. Accordingly, if you buy a phone that was purchased in China and somehow imported here, then most likely it should not have Google Play Services, or if they are there, then the people who brought this phone must have unlocked the bootloader, installed some other firmware, or maybe just pushed in Google Play Services, locked the bootloader again and sold it to you. This applies to almost all Chinese manufacturers, that is, if you buy some kind of Chinese phone, then you need to check in which territory it is officially distributed.

    It was an interesting discovery that I made while studying one forum. I found that people began to encounter this problem: they run a freshly installed Lineage into which Google Play Services was pushed, and Google does not allow them to register. Users enter their regular e-mail, everything as it should be, a password, and then, with a grunt, Google answers that your device is not certified. That is, since this month, Google does not allow logging in from devices that it has not certified or signed with some terrible signatures.

    Artem Sh : The question is: “what the hell?”, Or what?
    Kostya I: There is some workaround there, of course, but by and large - yes, "what the hell"? The workaround is that you can manually find out the code of your phone with some manipulations and register it on a Google server so that the system binds it to you, and everything will seem to work, but the point is that in the near future even those people who already have devices configured and connected to Google may encounter the problem that Google will soon show them a message that the device is not certified and the system refuses to work on it, send your complaints to the manufacturer.

    Artyom G: And now I will tell you why this is good news, at least from what I understood. I even have a modest suspicion that I know where this comes from, why all of a sudden, after 10 years of grey-market phones, Google started thinking about it. It is unlikely that the company has begun to lose market share? The point, perhaps, is something else.

    For a long time, developers of Android applications for ... rowing users sitting on Chinese phones manufactured by some company with an unpronounceable name, with 256 megabytes of memory, some MediaTek processor, etc. The fact is that people install - not even a game, an audio player! - something that this phone simply cannot handle, and they give the application a rating of 1 out of 5. As a result, application ratings on Google Play are a rather useless thing.

    In the Russian Google Play, it does not make sense to read these ratings at all, because if I’m not mistaken, the only application that has very few low ratings is Wi-Fi in Metro, because it is simple, works everywhere, solves the problem and helps fight the evil authority represented by Maxima Telecom. And everyone else has a set of one-star ratings of the format “slows down / buggy / falls out”, and there, as a rule, either the phone is not marked, or something is marked with hieroglyphs.

    What I mean: maybe Google has heard developers who, I believe, are sick of it. And, again, if this helps bring the rating structure on Google Play to some understandable state in which it can be used, it will be very good.

    I really don’t really feel sorry for those who are sitting with ... On the other hand, what kind of phones are uncertified by Google? In my opinion, this is, say, something like Kindle Fire, but Amazon has its own app store. That is, in my opinion, this is exactly the Chinese noname.
    Sasha K : Yes.

    Kostya I : Even if you just install custom firmware, then your phone just with factory reset will change this identifier and the device will no longer be certified in terms of Google.
    Artem G : No, it is not. I looked, Google has a whitelist of firmware that you can sign up to. True, I don’t know what the process is there, and I’m not sure that this process is so simple, but Lineage seems to be already in the white list.
    Sasha Z: Well, at least I have not experienced such problems.
    Kostya I : Well, this is a completely new thing, firstly. That is literally a matter of days. And secondly, it’s not enough to be firmware, i.e. there is a combination of firmware and phone.

    Sasha K : That is, what, the hardware itself?
    Kostya I : As I understand it, they do just that. But I, in fact, raised this topic in order to lead into another conversation about some other heavy applications. The fact is that since somewhere around the beginning of this year I have been conducting an experiment of not installing Google applications and, in principle, Google Play Services on my phone. That is, it turns out that the phone I have, which among ourselves we call a rooted Android, is formally, as such, not an Android.
    Sasha K: Rooted pseudo-Android.
    Kostya I : Rooted Lineage OS.
    Sasha Z : Android Open Source Platform.
    Kostya I : But it’s still not Android, that is, yes it is an open source platform, it provides you with source codes from which you can build, for example, Lineage OS or something else if you wish.

    So, I am a Facebook user, but I am not subscribed to Mark Zuckerberg; nevertheless, I have been seeing this person’s face for the past 3 weeks, as a user who opens the application every 2-3 days.
    Sasha K : That’s because you open it rarely. You need to open it more often.
    Kostya I: Probably, but the problem is this: everyone just found out that Facebook is collecting data. Who was this discovery for?

    That is, with these rooted Androids on all sorts of Lineage and other Privacy Advisor, people noticed that Facebook applications have been climbing into everything, wherever possible on the phone, for many years.
    Sasha K : Wait, let's take a small step back and in order to make this a topic, you need to mention the facts due to which all this information appeared on the Internet, and Konstantin Ignatov, who opens Facebook every two days, began to see Mark Zuckerberg everywhere.

    Seven and a half gigabytes per dead man's chest

    Sasha K : This story is related to Cambridge Analytica, and we will not go into details now, just if you have not heard about it, then most likely you are not listening to our podcast, which means that you do not exist.
    Therefore, we will not concentrate on the story with Cambridge Analytica, but I really would like to recall 2 points:

    1. In 2010, BusinessInsider published a very interesting screenshot of Mark Zuckerberg’s correspondence with one of the early co-founders of Facebook after they released the very first version - it’s not Hot or Not, but Facebook, for Cambridge users - when it was possible to register there, only having a university e-mail. The screenshot shows a dialogue where Mark writes to his friend:
    - Can you imagine? Thousands of people came and gave me everything: e-mails, names, surnames, family ties - everything!
    - How so? How did you ask them?
    - Yes, I did nothing at all.
    And then there was a wonderful expression in English, which seems to sound like “dumb fucks”, i.e. conditionally, Mark called all those who came and registered as "stupid idiots."

    Artyom Sh : In soft translation.
    Sasha K : Yes, in soft translation. Of course, now, as soon as the stories with Cambridge Analytica began to flare up, this was immediately recalled. This was precisely the reason for the emergence of the Quit Facebook movement: here is Jim Carrey, who drew an interesting caricature that became super popular on Twitter in one day and blew everything up, and so on.

    The story with Cambridge Analytica made people go and look at the settings of their Facebook accounts once again; it made some move on and leave, and some went to dig through the logs that Facebook lets you export, from where you can find out everything that happens to your information actions.
    We all reacted differently to this.
    Artem Sh : No one cares.
    Sasha K : No, nothing so apocalyptic is happening yet.
    Sasha Z : It seems to me that Facebook even behaves well in this situation, because it provides this information.
    Sasha K : Yes, at least it doesn’t hide it.

    2. Well, in general, one researcher who had the Facebook Messenger application on his Android phone, which synchronizes its own contacts with the phone’s address book, found out that it collects metadata about calls and SMS: to whom, when, duration, etc. I think that this was the cherry on top of this multi-layer cake related to Facebook, privacy, and the use of our data.

    And, of course, the situation where Mark was silent for several days, and then bought the newspaper pages of the largest American publications for one day and wrote that “you entrusted us with your data, if we can’t do it, then this is bad” ... Well, yes - bad. And what will you do with it, Mark?
    Of course, everyone knows that any company sells user data, and this is obvious, because at the moment when we use something for free, we are a product. It is very important to be aware of this. Those who forget about it, then fall into unpleasant stories.

    Kostya I : The main trick is that we lose a simple thread. Perhaps some company, perhaps people, bought up options against Facebook, but nothing new happened. All these topics have been discussed many times.

    When I had a phone with one gigabyte of RAM a few years ago and a very small amount of memory on the phone itself, I was constantly having problems due to the fact that I was going to install the Facebook application. It on the then Android, like the fifth version, occupied about 200 MB, eating about 30-40% of the free space on the phone. Even then, I thought about what settings the program asks for and how to tear it down, which I did in the end, for the very reason. Since then, I open Facebook only in the browser. But even those iOS users who believe that they are more protected: well, yes, Facebook will not crawl into you, but do you think that Apple protects you?
    Sasha K : No, of course. Artyom?

    Artyom G: Firstly, I would like to say that if I understand the situation correctly, you should not have praised Facebook for making it clear how much data it collects. As I understand it, it is the European Commission that is worth praising for this, with its GDPR, which contains a person's right to have information about how much data is collected about them, as well as the right to be forgotten.
    In particular, Google also has such an export, you can see the links in the description of the podcast. Of course, I went through all these links. So, Facebook knows 55 MB of data about me in compressed form, but Google knows 7.5 GB about me in compressed form.

    True, I have not yet downloaded them. And this, of course, is only the main account. There, however, of these, 5.56 GB is clearly mail, but, again, on the other hand, it will be 5.56 in unzipped form ... Well, in general, I still have to study it. But, apparently, Google knows an awful lot about me, and about all of you, most likely, too.

    My point is that Facebook is not the only one. And on this very subject I have a real-life anecdote.

    I went to Brussels for the weekend. Naturally, I looked there all 3 pissing sights of Brussels: a boy, a girl, a dog. And there are only 5 sights from more or less known to the average man, in my opinion, 3 of them are pissing, 2 are not pissing. In general, I looked at them all, and I still had a lot of time left.

    I decided to go somewhere. Someone from Moscow told me that there is a certain craft bar; of course, I did not go there, because if someone from Moscow knows about it, then it is clearly a tourist trap. So I found three local dudes of an alternative kind and hung out with them. They turned out to be very proper European alternativeists, vegans, of course, and all that, but the fact that they drank beer suited me perfectly.

    In the course of the conversation, I asked them in passing whether they were on Facebook and, if so, suggested adding each other to keep in touch. To which they indignantly replied in chorus that no, they are not on Facebook, because Facebook sells data to Russians - my emphasis on Moisily did not bother anyone, of course Facebook sells data to Americans! We only use Twitter.

    I mean, all this hype around Facebook looks just like a hot topic, at the moment, because, well, I don’t know, probably Zuckerberg was apparently to blame for the loss of the democratic party in the elections. I see no other explanation for this hype.

    Kostya I : Have you read very interesting articles? From the series: he was going to prepare tools on his Facebook to go to the presidency himself ...
    Sasha K : Wow-wow-wow, this, of course, speculation ...
    Kostya I : Well, of course, speculation ...
    Sasha K : ... it was just a very funny moment when Mark Zuckerberg began acting like a presidential candidate. It was really a joke!
    Artem G : I started to go to some factories, yes, it was fun.
    Sasha K: Let's move on, we still have topics that we really would like to talk about.

    Buy High, Sell Low

    Sasha K : I would like to give the floor to our colleagues, who have not yet been particularly involved in the conversation, and I know that Artem read something old and wanted to tell us about exchange spammers. The topic is interesting and rich, Facebook short has just happened, didn’t you want to say that?

    Artyom Sh : This still does not quite apply to the exchange. The point is that MIT students conducted a study that was reported at a conference last year. They were interested in spam, which offered to buy various stocks. Therefore, the question is: what is behind this? They do not just send spam emails, they probably want some profit from this.

    It was easy to guess that it was the pump and dump strategy, i.e. first pump the market up, and then dump it. The meaning is simple: there are stocks, quite small, cheap, which ...
    Sasha K : I think, most likely you mean a small amount, right?
    Artem Sh : Yes, I mean the volume, because the word "cheap stock" - it is meaningless, it seems to me.
    Sasha Z : Low liquid.
    Artem Sh : So you take them and raise their price with a mailing - well, having bought them beforehand, of course - and then when their price goes up, sell. The guys wondered whether it is possible to ride this mechanism. Is anyone doing this, and is it possible for them ... to parasitize on parasites.

    The study turned out to be quite large, there is a lot of everything. It turned out that although this is difficult to do, it is, in principle, possible. First, you need to understand who exactly pumps, i.e. what stocks are worth buying, and, secondly, understand the moment when to sell.
    After several attempts, they managed to ride the wave. The waves there, of course, are all shallow, and very often it does not work, and very often the spammers themselves get burned, i.e. they buy shares for 100 thousand, and then they sell for about the same price, but they still bear the cost of spam.

    Sasha Z : They then figured out who else makes profit for all this and who doesn’t.
    Sasha K : Wait, but did the guys who conducted the research themselves, they remained in the black, in the end, or not?
    Artem Shvorin: Well, I don’t know this, they don’t talk about it, although they said that this, in principle, is possible, although very difficult.
    Sasha K : Yes, I understand, they confirmed the concept, conditionally.
    Artem Sh : Their main result is not to make money, but to conduct a study and get some information.

    Sasha K : Actually, I also wanted to add to this that very many speak in approximately the same way, i.e. They say that information can command the price of some assets and quite actively. It is clear that it has an influence on them, but when only information can very much affect the value of assets, this is something that exists only in the current, XXI century, probably. This was not the case before.
    Artem Sh: No, this is still information in a general sense, it influences strongly, and it has always influenced. Here we are talking about spammers, and which is quite surprising ... Here is the thing for which I sometimes feel ashamed of the human race - that people who believe this kind of advertising, they exist in such small quantities that they can have an entire ecosystem to build.
    Sasha K : And then to investigate it again and ...
    Sasha Z : It’s all originated not only with spam, it’s all these boiler rooms, even some kind of movies about it ... It's the same, just spam - this is another tool.

    Sasha K: I just wanted to say that, in fact, there has been a lot of manipulation of information in recent years. In particular, I recall the study of AMD CPU vulnerabilities, which was released by a completely remarkable, Israeli, or rather, a research company that has very few details, all described in general terms. The most important thing is that to exploit each of these vulnerabilities, you need admin rights ...
    Kostya I : This is in the best case, and even more.
    Sasha K : Well, yes, that is, specifically local access to the machine; in my opinion, they were all of this order. However, AMD dipped almost 20% in a day.
    Sasha Z : Moreover, the names there are more beautiful than the essence.
    Sasha K: Yes, it is a very beautiful name, and it can be said that short AMD was extremely successful.

    Artyom Sh : At least here there is a rather complicated mechanism with complex information, where it was not clear in advance how people would behave and so on. And when, from those same spam emails, when they say “buy stocks like that!”, hamsters rush to buy ...
    Sasha K : Spammers have longer cycles. It happens much faster and more intensively.
    Sasha Z : I still think that those comrades had a better chance of success than those spammers.
    Sasha K : Yes, I’m talking about the same thing as the effectiveness of such actions, it is a priori still higher in the current society.
    Artem Sh : Yes, but the mechanism is much more complex, yet it is a hacking of human souls.
    Sasha K : Some research is also needed here.

    Artem G : I imagine, there’s quite a criminal offense called “using insider information”, right? And I’m trying to imagine how the exchange regulator in the future will call the search and publication of vulnerabilities in this way in order to influence the stock market - “outsider information”?
    Artem Sh : Well, this pump and dump mechanism, even without insider information, is also ...
    Sasha K : Pump and dump existed, conditionally, a very long time ago, of course.
    Artem Sh : Yes, but just about this, there are also some regulations, up to criminal restrictions, but even in the simplest case, this is not insider information.
    Sasha K: It is about this that Artem says that, of course, it is difficult to call it that.
    Artem Sh : Even in the simplest case, it’s very difficult to prove something to someone ...
    Sasha Z : There, most likely, it’s not about the insider attraction, but some other points. That they force people to buy, deceive, relatively speaking.

    Artem G : I just have an idea, what, look: this is an obvious manipulation of the stock market, right? Regardless of the fact that these vulnerabilities are really there ... well, they really exist along the way, by the way, because AMD has already announced that it will release firmware patches, that is, there is a fact of vulnerability, the issue is in the submission.

    Since this quite obviously looks like a market manipulation, of course, once - okay, but for this, repeated many times, the market regulator will not pat on the head. I mean, there are many companies - both vendors and individual companies - to which people constantly send information about bugs, based on bug bounty and all that, and then these people are prosecuted, but, as a rule, it ends in nothing. Or, let’s say, having received no response, after 3 months they publish this in open posts and then companies also sue them, also to no avail.

    Here, but I’m interested, here is a company that did not respond to bugs, and then suffered due to this, if it comes from the point of view of exchange manipulation, will it have a greater effect or not? Because it seems to me that it will be.

    Sasha K : I think that will be, I agree with you, because by and large AMD here can talk primarily about lost profit due to the release of this report here.
    Sasha Z : But this is not an exchange manipulation.
    Artem G : It's just in the States ... Security is security, and this is finance, this is the most ... This is blood.
    Sasha K : In the case when the company is present in the public market, this is an exchange manipulation.
    Sasha Z : No, I mean lost profits.
    Sasha K: Lost profit is damage.
    Sasha Z : You see, from the fact that their quotes sank, they did not experience any damage from this.
    Sasha K : Well, this is the value of the company, as it were, it still affects some of its future. Well, God bless her, with AMD ...

    Kostya I : By the way, it’s interesting here that it seems to me that it won’t be like that anymore, it’ll just stop affecting the stock market, well, people are just ...
    Sasha K : Well, wolves are wolves, wolves are wolves.
    Artem Sh : Well, this has been done for a long time, constantly.
    Artem G : Like, 13 vulnerabilities in processors were detected, right? And the market is: “Ah, but whoever doesn’t have them!”.
    Sasha Z: And, most importantly, such a wave can now go that they will manipulate the market, throwing out some kind of empty vulnerabilities. And it may turn out that people will more simply relate to this.
    Sasha K : Nochetokopokalipsis.
    Sasha Z : And when will the next Spectre come out ...

    Kostya I : Well, actually, yes, because, apart from Spectre and Meltdown, there was nothing more serious so far, right? However, when Spectre and Meltdown come out, primarily affecting Intel processors, stocks are a little down. But a month later, Intel is in the black, i.e. stocks have grown ...
    Sasha K : No, Intel has steered the whole story related to Spectre and Meltdown very cool.
    Kostya I : Well, yes ... what have they done since then?
    Artyom Sh: This is not Intel, probably it happened.
    Sasha K : Well, I think that this is a lot of Intel's contribution.
    Sasha Z : Yeah, that means processors have been selling for six months ...
    Kostya I : The same ones. So what? They stopped selling these processors, or what?
    Sasha K : Well, of course not.
    Kostya I : And new processors that are, as it were, not susceptible to these vulnerabilities - they have just been announced. Microsoft, meanwhile, announces bounty, $ 250,000, in my opinion, to someone who finds a similar vulnerability. Just to warn in advance, and not ...
    Sasha Z : Found a vulnerability, you are manipulating the market.
    Sasha K : Microsoft has a purchase, I think, and so there were no problems.
    Kostya I: I just think that this will not particularly affect the market, just people are really used to it.


    Sasha K : Good, I see. Let's move on: Sasha Zubkov, I know, wanted to tell us a funny story about how a provider like Transtelecom had problems in Russia about a week ago.
    Sasha Z : Specifically, he experienced.
    Sasha K : Yes, and this topic is naturally related to our wonderful warriors, who in Telegram exist as a wonderful anime character named RKN-Chan.

    I'm trudging right here. There are people who draw new stickers about each news feed. It is very nice. They really are loving in their work.

    Sasha Z : Well, yes, once again there was an incident with blocking. This time TTK, that is, Transtelecom, suffered. What happened: a bunch of addresses were added to DNS records ...
    Kostya I : In the DNS record of blocked resources.
    Sasha Z : Yes, blocked resources.
    Sasha K : And these, with smoking mixes.
    Sasha Z : Yes, it’s not important, anyone could do it. There may even be what was previously discussed: people no longer need blocked domains, they drop them, the next one comes, sees that he is already on the list, picks it up and can do anything with it.

    Many providers block these sites by wrapping traffic on some filtering systems of their own, and doing this by introducing a route to a given address in the routing table. For routers, the route table is limited in memory by the number of entries it may contain. About one million records happened there that day.

    Kostya I : And these guys recorded in one DNS record by many, many IP addresses.
    Sasha Z : Accordingly, the Transtelecom provider routers could not stand it. As a result of this, the Transtelecom provider just failed for 4 or 5 hours.
    Artyom G: This is accompanied by the Greek choir of people who looked at the address list recorded there and said: “pff, Transtelecom - suckers. It was possible to aggregate up to /17”, it seems.
    Sasha Z : Well, yes, perhaps on this basis there was a desire to ban the Amazon.

    Sasha K : Ah, i.e. finish Zello with just a shovel?!
    Sasha Z : Well, yes, maybe they thought that it’s really, and why there is a million records to unload - you need blocks!
    Artem G : On one legendary non-existent site there was a tradition when the syrani came there - and, of course, wrote the first post, which was complete horror - they started to merge him, and the syrani liked to be discouraged by the fact that “you understand nothing. It was an IKSPIRIMENT, and you are all victims of an IKSPIRIMENT. ”

    I mean, I’m now in the affected area of the experiment of the Federal Service for Supervision of Communications, which decided to ban the whole Amazon, because Trello is hosted in Amazon. And Trello at Amazon IPs that ...
    Kostya I : Zello.
    Artem G : Oh, Zello, yes.
    Kostya I : Trello is a task tracker which.
    Sasha Z : I think it will not matter soon.
    Artem G : He will be there. We will all be there. I mean, at the moment, there is some kind of preparation for really banning the whole Amazon. Together with Amazon, Softlayer and someone else get there.

    Creepy. I think that in the near future we will find out what our critical infrastructure is in reality and who will fall from it. It will be a lot of fun if it does happen.

    Sasha K : I get it. What is critical infrastructure and how critical will it be.
    Artem G : I found the right expression. Critical days await the Russian Internet infrastructure.

    Serious talk about life and death

    Sasha K : Alright. Kostya, you were holding something for a long time on a topic that you didn’t show to anyone, some research came out, no one saw them. More precisely, Kostya saw, we did not see. Kostya promised to tell us on a podcast about a chemical plant in Saudi Arabia and funny stories that almost happened to him.

    Kostya I : Somewhere in early March, or in mid-March, an article was published in the NY Times where journalists asked several researchers about one incident that occurred last August. Why is this topic interesting to me now?

    Recently, we have become accustomed to treating security as something, like: if you have bad security, well, they’ll write off your money from the card and that’s the maximum that can happen to you. Then you call the bank, block it, then they will return them to you too - that’s all security.

    Right now, all sorts of IoT devices are appearing. The people at the hotel were blocked remotely while this is ... the maximum that was observed. But, nevertheless, situations when the attack occurs on, since such a word has been used, critical infrastructures (and not necessarily critical) - they really take place.

    It would seem that there is this story about one chemical plant in Saudi Arabia, even rather its infrastructure, which was attacked in August and all stood up. The plant shut down, the hard drives were worn out, and restoration took several months. It would seem to us something? Apparently, well, it’s some sort of showdown between Iran and Saudi Arabia, because no one could get any money from this, what could be the profit from the fact that the plant stopped, except for political influence.

    And the money to carry out this attack, to do quite a lot of work, a lot of utilities - unique, as I understand from the report of the researchers - to write, you need a lot. Naturally, this means that this is the state level. Well, Iran, what do we need?
    So the fact that, most likely, the utilities that allowed to do this, in general, were close to success.

    The fact is that over the past few years there have been several major explosions in chemical plants, and there, of course, employees were killed, and a huge number of other employees were injured, and the poisoning of what was around, of course, had unpleasant, to put it mildly, effects. And the fact that this did not happen in August turned out to be a problem of just literally one bug in the code that was uploaded, as far as I remember, into the controllers from Schindler. So these controllers are used around the world.

    Sasha K : Schindler is the world's largest supplier of electrical equipment for industrial enterprises.

    Kostya I: Yes, well, and of course, that it has certain security features and it seems to have key-in security there, that is, you can change any settings of this equipment only physically: you come in, physically insert the key and change something. It seemed to be so.

    Details have not yet been disclosed, but apparently the guys who carried out this attack managed to somehow get around this and practically provoke an explosion at this plant. And only thanks to their bug (I realized that almost segfault happened there) as a result, all systems simply turned off instead of exploding.
    But if this is the case and such utilities fall on the black market or in general in free access, then security questions develop from IT infrastructure and some, in the worst case, unclosed doors in a too smart house, into questions of quite human lives. And the conversation about how Uber knocks down a person on autopilot ...

    Sasha K : Yes, we will discuss this a little further. I wanted to say that in a world that is becoming a computer, everything will merge, of course. Everything will become one and the same.
    Artem Sh : Infrastructure is already understood as infrastructure in the most general sense, and not just IT infrastructure.
    Kostya I : Yes, of course. In principle, we have already talked about this in previous podcasts.
    Sasha Z: By the way, with the same Amazon, I remembered there was some case when they had some problems, and because of this there were problems at some hospitals that even simply used ...
    Kostya I : No, there was last year a direct attack on medical infrastructures.
    Sasha K : No, wait, these are cryptographers. Artyom?

    Artem G : Yes. When I saw the word “chemical plant” in the podcast plan, for some reason I decided that now there would again be something about the poisoning of Archduke Skripal.

    The topic, indeed, of questions about the threat to human life, was some news. At first there was news that an Uber autopilot car hit a man to death. It was perfectly clear that someday this would happen. And it is clear that nothing will stop there now, because ... there is that anecdote about the Vyatka lumberjacks, to which the Soviet government gave the chainsaw. A chainsaw bounces off the rails, but that’s no reason to chop wood with axes and keep people driving a car, right? Of course, there will be no future person driving in the city, this is understandable.

    Sasha K: I would like to add a little on Uber, which in my opinion everything, of course, became apparent after the first death at the wheel of Tesla in autopilot mode. When Tesla's coolest fan, the dude who helped them write firmware, who received permission from Musk to modify, within certain limits, his own car that he had. He himself reflashed it, talked several times with engineers on this subject, and so on.

    And so he made light modifications to the autopilot, which allowed him to go on the road a little lower class than allowed default Tesla autopilots. Well, an accident occurred when a timber truck at a difficult intersection, where there was no part of the marking, drove into his side, and he did not have time to react, and, accordingly, the person died.

    Here we are no longer observing the death of the driver behind the wheel, but a direct hit in the car with the autopilot mode of another person.
    Artem G : These are the lines of code that handle the situation inside the Tesla car - I do not think at all that these are the first lines of code that are written in blood. We have a lot of things that already in safety have a positive or negative effect on life and health.

    There is another topic about this: we are now talking about the fact that code can carry a potential threat. I wanted to talk about code that poses a direct threat, that is, the purpose of which is, in fact, killing people. Because such a code exists.

    As many know, in the arsenal of the armies of many countries of the world are drones in which there is no physical person. One way or another, he still controls it, but sits far enough from the drone itself, that is, somewhere behind the remote control, and the drone itself is light and small, it flies and shoots some Afghan villages - with terrorists, presumably.

    In early March, there was news that Google - in the words of the journalist from The Intercept, "quietly" - signed a contract in order to work on a new initiative by the US Department of Defense to use artificial intelligence in piloting drones. That is, Google, of course, signed up for a military contract, according to which it will research and develop deep learning technologies that allow better control of the drone and better targeting of the weapons that are on board, as well as the automation of the swarm of these drones, etc. This is what, first of all, Skynet is actively writing ...
    Sasha K : “Don’t be evil,” as it were, no longer exists.
    Artyom G: Yes, absolutely natural. Apparently, as I understand it, this development process will include field tests, that is, in Afghanistan, well, or I don’t know where the American troops will be at that time.

    Remember that wonderful moment from “Three Billboards Outside Ebbing, Missouri”, when, they say, “a person has a supervisor, and he recently came from another country. I will give you a hint, there is a lot of sand in this country. ” And the answer is that this did not really narrow the circle.

    In general, in some country this will happen. I mean, I just like the wording: “Starting this month, Google, aka Don't Be Evil, has officially started working to kill people.”

    Sasha K: And I would like to add such a thing here: Intel, if it hasn’t signed anything yet, will definitely do it very soon, because Intel is, in fact, the company with the greatest results and achievements in the field of drone management for today. Have you watched a performance with drones from the last Olympics that took place in Korea? No?

    In general, the fact is that Intel is now carrying around the world an awesome visual show, which, of course, is created entirely by drones. With hundreds of drones that are synchronized with each other, different bulbs hang on them, they themselves, depending on the level of the battery, land, they get a replacement. This is really cool!

    But if you think that on each of these drones there will be explosives or, conditionally, some kind of firearms, then, seriously, it looks wildly scary.
    Artem G : But this is not the drone, it is, as I understand it, quadrocopters, right?
    Sasha K : Yes, it is quadrocopters.
    Artem Sh : The point is that they are not designed for design.
    Sasha Z : The thing is, how they coordinate and work, in management ...
    Sasha K : Yes, but the thing here is that we go to the point that the current drones are inferior in efficiency to a swarm of drones, because a swarm of drones is cheaper than any there ... I don’t remember what the American drones are called, they have all sorts of cool interesting names. Because, for example, it’s very difficult to blow up a landing ship with a drone. With a swarm of drones - easily. That is, let's see what comes of this all, it will spill over into some kind of new military doctrine, and so on.

    Artyom Sh : Pelevin already wrote about this, and it is possible that the method of fighting drones described there, he will do.
    Artem G : I have a continuation of the topic, but not about drones, but the one with which we started, one more little news, which also passed somewhere around the 22nd. Forbes wrote that the American police ...

    Yes. What am I doing - we discussed how they will kill people, now let's discuss why .

    Forbes wrote that the police in the states now officially, without hesitation, use the fingers of deceased people, for example, suspected criminals, to unlock their phones and other wearable equipment. It turns out that the police do this without blushing, because from a formal point of view it is absolutely legal, because a person who has died loses the right to privacy.
    Sasha K : Well, his rights are not violated, in short.
    Artem G : Yes.
    Sasha Z : And if he did not die, but lost his hand?
    Artem G : Yes, but this just makes the whole story a little worse.

    Indeed, if a person just cuts off his hand, it is not very legal to unlock the phone with this hand. But if it’s as if to solve the problem ... What’s it: if before they tried to detain the suspects or accused alive to interrogate ...

    Artem Sh : Now this is not necessary.
    Sasha Z : Now it’s even unprofitable!
    Artem G : ... taking into account the information that the phone collects, and all other data, and which you just need to access, but if the person survives, you don’t get it, it turns out even unprofitable to take them alive now.
    Sasha K : I now realized that from all phones you need to take a receipt under article 51 of the Constitution of the Russian Federation, which allows you not to incriminate yourself, relatives, relatives and everyone else.
    Artem G : And the phone.

    Artem Sh : Actually, returning to our previous topics about biometric identification and everything else, we can once again repeat the thesis that "biometrics are not suitable for cryptography," that's all.
    Sasha K : Ok
    Sasha Z : Or do you offer to adopt a phone?

    Demand creates supply

    Sasha K : We actually talked about phones, and now I remembered about this story, which you and I once did not discuss at all, but right there in March the competition between the two companies actually started, whose core product is unlocking iPhones, it seems.

    I.e., first there was a story that there is an Israeli company, products of which, in particular, the FBI purchases. And with it, it unlocks locked phones without a PIN. She has a competitor who, think of it, just for 15 thousand bucks sells a box that unlocks everything except 10 iPhones, which are on the latest version of iOS, conditionally.
    Artem Sh : That did not manage to patch.
    Sasha K: I think that the patches will be released, but here it is the price, here it is the cost, in fact, of all the personal data that your phone has collected about you and he knows. And of course, buying such a box for 15, you can, of course, you can work with more phones.

    IETF 101

    Sasha K : Artem, I think that you will probably tell us as a final topic about your world tour and, in particular, about the last IETF conference held in London, and with this, probably, our twelfth Procurator will end, so the floor is yours!

    Artem G : Well look, in March there were two major events that I was at. Firstly, it was the ICANN Community Forum in Puerto Rico, in which I participated at the invitation of ICANN in Fellow status, I will write a detailed report about it, I will publish it.

    ICANN meeting is quite a stormy, complicated event. For those who are not in the know, ICANN is a non-profit organization that is responsible for managing domain name systems and supporting everything related to this, that is, supporting a common platform for communication between operators of root DNS servers, and so on and so forth.

    On the topic of "non-profit" there was a funny story. So, this all happened, firstly, in Puerto Rico, on an island that in the middle of last year was simply wiped off the face of the earth by two hurricanes in a row. And part of the reports was devoted to the restoration of Puerto Rico as a civilization. I posted a photo of a slide on Facebook with two photos of Puerto Rico from the ISS. One before the hurricanes, and the second at the end of February this year 5 days before the ICANN meeting (or at the beginning of March). And it’s straightforward to see that - despite the fact that in the city as such it is already not clear that everything was bad there - but in fact in Puerto Rico there are still 100 thousand people sitting without light, and well, from the ISS it’s clear that the island has become much dimmer.

    So, during the opening and during the whole meeting, the most popular and discussed topics there were 2, by and large, one - GDPR, and the second - ICANN budget cuts. Accordingly, one of the speakers at the opening came up with such an aphorism, he said that "Yes, we are not-for-profit organization, but we are also not for loss." And I liked the wording “not-for-loss organization” so much, I will apply it now.
    Sasha K : This is elegant.
    Artem G : Yes, but there will still be a report on Facebook, I will not stop there.

    And there was really IETF 101, again, a lot of things were happening there. The IETF is generally 7 days of waste, there first 2 days of hackathon, then there is no time for anything either. But what, in fact, is significant, and this we also discussed in the summer in one of the podcasts after the Prague IETF - this is again the story about TLS.

    Firstly, the TLS 1.3 standard was released after many years of preparation, we have now updated the latest TLS standard, which means that further its implementation will begin to spread around the world.

    For reference: no, Cloudflare does not support it; what it supports, I checked, is the draft version 23, and the final draft is, um, 27, it seems, or 28, well, in general, newer than 23. And something there has still changed since then.

    A separate applause to Eric Rescorla for TLS 1.3, a separate applause to Alexei Melnikov from Internet Engineering Steering Group, which ... In the TLS 1.3 standard, for reference, 155 pages, plus about 40 pages of DTLS 1.3 - which is the same, but over UDP - and plus 10 more pages of the standard, which I’ll discuss separately now.

    In general, Alexey Melnikov from the Steering Group really read all these 155 pages and really found fault with the commas, for which he thanks a lot from the community because he found some cool bugs there.

    And, in fact, what I wanted to talk about was that ... It is clear that the next attempt to make TLS visibility, to decrypt the TLS connection transparently in the middle of transport, again failed, the question is not that. Encrypted SNI, i.e. Server Name Indication, was not included in TLS version 1.3 either: there was a discussion, and Huitema stated that there was a consensus on the issue that this is something that needs to be worked on - so that even over encrypted traffic it was impossible to say which hostname and which site are being addressed, which can be done now - there is consensus in the working group that we need to work on this, simply no one has any clearly good ideas on how to do this. Well, the work will continue.

    But this is not the question again! I realized that all out-of-band DPI solutions will die much earlier, because now a document called “draft-ietf-tls-exported-authenticator” is coming out in Last Call, which is the following idea: if we first authenticate the remote side in TLS, that is, we send a request, including with the host exposed in cleartext, we get a certificate (in TLS 1.2) also in cleartext, we verify the certificate and only after that we encrypt the connection, then exported authenticator works the other way around: first we encrypt the connection anyway, we get an encrypted session, and then either inside it or through a different communication channel, we make sure that the certificate and the keys that were used to sign the session are valid for what we wanted to connect to.

    This is a general idea, generally there are 10-12 pages of a draft, it is better to read them. It’s just the idea itself - it is in demand by a lot of people, as it turns out, and, secondly, of course, no out-of-band DPI can do anything about this business, because the connection was first encrypted, and then some data passed through it. This is to say what an interesting and evolving world we live in.


    Sasha K : Well, thanks, Artem. Really interesting, well, it’s worth saying that these are all our topics for today. Definitely, more diverse events took place in March, but why do we need all of them when there are key ones, and especially those that we like.
    Thanks for listening!

    Kostya I : Let me warn my listeners so that those who like to use Firefox Nightly carefully think about whether they want to do it now, because Firefox has been doing some strange things for quite some time now. This time they decided to conduct research on their users ...
    Sasha K : On developers. The point is that it is the development version that sucks sooo much information.
    Kostya I: It’s not that it sucks in a lot of information, but simply ... for example, in this version they launched an experiment to wrap DNS queries on an HTTP server, and this server is fixed there, this HTTP server is one of the servers ...
    Sasha K : Mozilla? No?
    Kostya I : No! Cloudflare. They signed up, agreed, and everyone who installs Firefox nightly now ... and I do not agree that these are only developers, because you never know why people are doing this. Perhaps they want something to work faster for them, to feel what will be there tomorrow.
    Artem G : Wait, it's about DNS-over-HTTPS, right? About DOH.
    Kostya I : Yes.
    Artyom G: This, in fact, is a pretty cool standard, it was written by Paul Hoffman - from ICANN just. This is a pretty cool thing.

    The idea is that our DNS is now unencrypted - once, and accessing the DNS from various JavaScripts, including, but not limited to, browser extensions - is hard to resist. Actually, DOH offers an extension for both tasks, i.e. there the DNS wire-format is taken and shoved into POST.

    Kostya I : This is understandable, no one argues that the standard is good. But the fact that they registered a fixed address and, in general, it is turned on by default, and some companies that you did not subscribe to, take and find out everything you go there ...
    Artem G : Well, I join that merging all DNS queries into Cloudflare is a strange idea.
    Kostya I: Yes, and therefore, maybe it is worth looking for comrades who are interested, after all, for free Firefox assemblies, since they exist, they exist for a mobile phone, maybe you should look at Firefox Klar, for example.
    Artem G : Yes, do not use nightly. I have such a story: I was absent from the last podcast, I was in Kathmandu at that time.

    I was there for a reason, APRICOT took place there - or rather, the forty-fifth meeting of the APNIC community and the APRICOT 2018 conference dedicated to this. One friend spoke at the conference, who spoke about DNS resolution and mentioned and, and said that these are resolvers open to everyone, and if you use them (and they are free), you should understand that if you use a free product, then, as was said today in the podcast, “if the product is free, then the product is you".

    So, in the hall were guys from Quad9 who were so offended by this! The fact is that they provided some sound evidence that this, to put it mildly, is unfair to them, because Quad9 is a 501(c)(3) nonprofit, American, that is, it is completely transparent, it is funded by IBM and Packet Clearing House, and with technical support from Packet Clearing House, which is also not particularly seen in anything. And in itself it is nonprofit, transparent, it does not drain data to anyone and it cannot receive money from anyone, and if it starts, everyone will know about it and may refuse to use it.

    I mean, do not put nightly and use instead of, because it will not be worse from this for sure.

    Sasha K: Yes, thank you, now for sure, thanks for listening to us. It was the twelfth Procurator and today it was literally full, and what is complete is a separate issue.
    Artem G : This lineup makes me fat.
    Sasha K : Here and now they diverge: Sasha Kozlov is me, Artem Gavrichenkov, Kostya Ignatov, Sasha Zubkov and Artem Shvorin. Thank you for listening (ed.: And reading), let’s hear in a month.
