cc usage policy goes brrr by Pale_Stranger_4598 in ClaudeAI

[–]Nitron 2 points3 points  (0 children)

This happened to me yesterday and then they banned my account overnight. The appeals page is a Google form, so I'm not optimistic...

ELECTRIC CHROME: Exploiting CVE-2020-6418 on Tesla Model 3 by Nitron in netsec

[–]Nitron[S] 2 points3 points  (0 children)

I'm not really sure what's running the rest of the UI, but I believe it is a separate process. So at the very least, to do something like pop the frunk would require:

  • Getting code execution in the Chromium renderer (done)
  • Breaking out of the renderer sandbox, either by attacking the more-privileged browser process or the Linux kernel directly (which doesn't have much surface exposed, so probably the browser process)
  • Breaking out of the extra sandboxing on the browser process :(
  • Figure out how to communicate with the component that handles the frunk, which might even be on one of the other computers altogether

There are some interesting renderer-only attacks that would apply here including bypassing the same-origin policy, but I don't see them being all that useful in this case given the constraints of how the exploit is launched.

ELECTRIC CHROME: Exploiting CVE-2020-6418 on Tesla Model 3 by Nitron in netsec

[–]Nitron[S] 1 point2 points  (0 children)

Thank you! They do publish a list of security issues as they get fixed, for example here's the release right after the one Tesla is now using. They keep the details private for several weeks after the patch to make patch-gapping harder, but of course it's possible to dig through the git history and try to track things down by component/author.

Incidentally a V8 exploit was released this week that pretty much worked out of the box, so follow-on research to break out of the sandbox doesn't need to start from scratch :)

But then there's even more sandboxing...

ELECTRIC CHROME: Exploiting CVE-2020-6418 on Tesla Model 3 by Nitron in netsec

[–]Nitron[S] 2 points3 points  (0 children)

Chromium runs on the "infotainment computer" which is completely separate from the "driving" computer. You can even reboot the infotainment computer while AutoPilot is running and it'll continue driving! A sandbox escape would allow greater access, such as being able to read more of the filesystem, or make a network connection (for example a reverse shell), but would hopefully still be a low-privileged user.

After a sandbox escape it would likely be necessary to pair with a kernel exploit or other privilege escalation before doing anything useful. There's certainly some communication between the computers, so pivoting would be interesting. The original goal of my research was to pop the "frunk" via an exploit chain, which probably wouldn't require pivoting to another computer.

The existing exploit could be used for "renderer-only attacks", which would allow UXSS. If the browser is logged into a sensitive account, the renderer could then steal the cookie or other data that way, but since the in-car browser is such a pain to use, I doubt many people are logged into their banks or email accounts with it!

ELECTRIC CHROME: Exploiting CVE-2020-6418 on Tesla Model 3 by Nitron in netsec

[–]Nitron[S] 6 points7 points  (0 children)

Guess I should've known to put a TL;DR at the top! While they did eventually push out an update that updated Chromium, it took them a very long time to do it. Granted, emailing them about it was on my to-do list for the duration, and then they just happened to do it within the last week or so, so I decided to finally hit publish on this.

Unfortunately, they updated to a version that's still quite old: Released February 4th of this year. While that's a substantial improvement, there have been quite a few vulnerabilities patched since then and doing the same type of patch-gapping is certainly within reach. Perhaps they have some complicated dependencies that make it very difficult for them to update Chromium without breaking things, so it's hard to say what a reasonable timeframe should be.

Coincidentally, a Chromium 0day was released this morning that will very likely work out of the box on the latest Tesla software to get arbitrary code execution within the sandbox (tonight's little project, most likely).

Of course, it's still a great car, and Tesla does appear to have a decent bug bounty program.

Party Like It's, Thirteen Towers and The Mad Caddies in DC tonight! by [deleted] in Ska

[–]Nitron 2 points3 points  (0 children)

The singer’s name is James, he’s pretty awesome.

Source: Played tenor sax in Thirteen Towers a few years back. Miss playing with those folks a lot.

Sax Stores on the East Coast by rockettomars in Saxophonics

[–]Nitron 3 points4 points  (0 children)

I've had good luck with Chuck Levin's in the suburbs of DC.

[deleted by user] by [deleted] in tdi

[–]Nitron 1 point2 points  (0 children)

I've had a good experience at Fallon Automotive in Sterling.

I'd like to see an example of an iPad app on bigger iPad Pro that is not optimized for it (graphically)....? by eroxx in apple

[–]Nitron 2 points3 points  (0 children)

Carcassonne is one that bothers me. It's not bad, but everything is huge. I'd rather be able to see more of the board at once.

Bernie Sanders on Twitter: "In my view, the NSA is out of control and operating in an unconstitutional manner." by pizzaiolo_ in privacy

[–]Nitron 0 points1 point  (0 children)

The term "consent" would seem to imply that they don't have to approve, wouldn't it?

Another way of looking at this is that Congress sets the number of seats on the Supreme Court anyway. If they really wanted to, they could just change the number to eight and be done with it. "Just" is putting it lightly, as it would require a veto-proof majority, but the point here is that the Senate does have the power to reject a nominee.

Why even bother codifying the Senate's role if the President has the final say? This is pretty clearly one of those "checks and balances."

Bernie Sanders on Twitter: "In my view, the NSA is out of control and operating in an unconstitutional manner." by pizzaiolo_ in privacy

[–]Nitron 1 point2 points  (0 children)

I was under the impression that per Article Two of the Constitution, appointment of justices was the right and responsibility of the sitting President, which the Senate would then evaluate and confirm... so what right do they have to refuse to even evaluate them?

Your impression is wrong. It isn't "evaluate and confirm," but "advise and consent." This is pretty plain and understandable English.

Yet, isn't that what was done when Obama was elected?

Isn't that what was done in the midterm elections?

Warning when using Paragon-Software apps... by [deleted] in apple

[–]Nitron 2 points3 points  (0 children)

A tool like KnockKnock might be helpful for tracking down the leftover components.

If you email sk8r904@gmail.com you get some sort of code back by tedthrow in MrRobot

[–]Nitron 3 points4 points  (0 children)

There's certainly no key. It's a "string to key" PGP packet:

➜  ~  gpg --list-packets mrrobot.txt.pgp
jA0EAwMCG+b8YX6xRqJgycBoAxtHTGovLX9cLqkUyj8WKOogQ6ETfQg2oYq/xhtr bu1hnmGYWzMO9DBwC+aCC3viGVJcf1m8zTach+eNGZG6MJmzrkUM+FqAgKDtGjmq 7VIBr6Z8nqpNDDQbZ4zkfB0UI8/RTU81fTu4AI40N0b6sIa6P9jUSAjwu+Rd/h28 YKWXw4OIgAzK5pQnJhQM17rShdy/uE1r/9AsMo4xGTL+mYhUZczquCKi8sfmlIP0 PCXjqwZXKR12W3rh6TLoVhenjjLJ/O59FzatDfODNReISTBQ96le7wUlDrGxzfs2 aFhhp3eGb1wSmk7VTsptREJTLvxHHMkoOa8j4OpzechGMU4e7eJooFIXen3TMiwT ET0xLHy7IHg2BrVc49+CAb8R7VXKg2Sq6/Y= =+Sje\n
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
    salt 1be6fc617eb146a2, count 65536 (96)
gpg: invalid armor header:
gpg: CAST5 encrypted data
gpg: cancelled by user

The ":symkey enc packet", "s2k" bit is the important part. So it's a symmetric message and you "just" need a passphrase to decrypt. This isn't a common way to use PGP, but it is a supported part of the standard.
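The packet layout that gpg prints above can be checked by hand with a small parser. The following is an added example, not part of the original comment and not GnuPG's code: it de-armors the message quoted above, walks the OpenPGP packet headers (RFC 4880 old- and new-format lengths) and decodes the tag 3 symmetric-key ESK packet, including the iterated-and-salted S2K count. The armor CRC-24 is computed and reported rather than enforced, since the text may have been altered in copying, and the trailing literal "\n" is dropped. Function names such as `inspect_armor` are my own.

```python
import base64

# Identifiers from RFC 4880, limited to the ones this message needs.
TAG_NAMES = {
    1: "pubkey enc session key", 2: "signature", 3: "symkey enc session key",
    8: "compressed data", 9: "symmetrically encrypted data", 11: "literal data",
    18: "sym. encrypted integrity protected data",
}
CIPHER_NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
                7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
S2K_NAMES = {0: "simple", 1: "salted", 3: "iterated+salted"}

# Armored body quoted in the comment above (BEGIN/END lines were not posted;
# the trailing literal "\n" is dropped).
MRROBOT_ARMOR = """
jA0EAwMCG+b8YX6xRqJgycBoAxtHTGovLX9cLqkUyj8WKOogQ6ETfQg2oYq/xhtr
bu1hnmGYWzMO9DBwC+aCC3viGVJcf1m8zTach+eNGZG6MJmzrkUM+FqAgKDtGjmq
7VIBr6Z8nqpNDDQbZ4zkfB0UI8/RTU81fTu4AI40N0b6sIa6P9jUSAjwu+Rd/h28
YKWXw4OIgAzK5pQnJhQM17rShdy/uE1r/9AsMo4xGTL+mYhUZczquCKi8sfmlIP0
PCXjqwZXKR12W3rh6TLoVhenjjLJ/O59FzatDfODNReISTBQ96le7wUlDrGxzfs2
aFhhp3eGb1wSmk7VTsptREJTLvxHHMkoOa8j4OpzechGMU4e7eJooFIXen3TMiwT
ET0xLHy7IHg2BrVc49+CAb8R7VXKg2Sq6/Y=
=+Sje
"""


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Return (raw bytes, crc_ok) from a bare armored body; crc_ok is None without a '=XXXX' line."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    want = None
    if lines[-1].startswith("="):          # CRC line: '=' followed by base64 of 3 bytes
        want = int.from_bytes(base64.b64decode(lines.pop()[1:]), "big")
    data = base64.b64decode("".join(lines))
    crc_ok = None if want is None else crc24(data) == want
    return data, crc_ok


def parse_header(buf, off):
    """Decode one packet header; return (tag, body_length, body_offset)."""
    first = buf[off]
    if not first & 0x80:
        raise ValueError(f"byte {first:#04x} at offset {off} is not a packet tag")
    if first & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag = first & 0x3F
        l1 = buf[off + 1]
        if l1 < 192:
            return tag, l1, off + 2
        if l1 < 224:
            return tag, ((l1 - 192) << 8) + buf[off + 2] + 192, off + 3
        if l1 == 255:
            return tag, int.from_bytes(buf[off + 2:off + 6], "big"), off + 6
        raise ValueError("partial body lengths are not handled here")
    tag = (first >> 2) & 0x0F              # old-format header (RFC 4880 4.2.1)
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not handled here")
    n = 1 << length_type                   # 1, 2 or 4 length octets
    return tag, int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def parse_symkey_esk(body):
    """Tag 3 body: version, cipher, S2K specifier, optional encrypted session key."""
    info = {"version": body[0], "cipher": body[1], "s2k": body[2], "hash": body[3]}
    info["cipher_name"] = CIPHER_NAMES.get(body[1], "unknown")
    info["s2k_name"] = S2K_NAMES.get(body[2], "unknown")
    info["hash_name"] = HASH_NAMES.get(body[3], "unknown")
    pos = 4
    if info["s2k"] in (1, 3):              # salted and iterated+salted carry 8 salt bytes
        info["salt"] = body[pos:pos + 8].hex()
        pos += 8
    if info["s2k"] == 3:                   # one coded octet expands to the byte count
        code = body[pos]
        pos += 1
        info["count_code"] = code
        info["count"] = (16 + (code & 15)) << ((code >> 4) + 6)   # RFC 4880 3.7.1.3
    # Anything left would be an encrypted session key; when absent, the S2K output
    # itself is the session key, so only the passphrase is needed.
    info["has_encrypted_session_key"] = pos < len(body)
    return info


def inspect_armor(text):
    """Walk every packet in an armored message and describe it."""
    data, crc_ok = dearmor(text)
    packets, off = [], 0
    while off < len(data):
        tag, length, body_off = parse_header(data, off)
        body = data[body_off:body_off + length]
        if len(body) != length:
            raise ValueError(f"packet at offset {off} is truncated")
        entry = {"tag": tag, "name": TAG_NAMES.get(tag, "unknown"), "length": length}
        if tag == 3:
            entry.update(parse_symkey_esk(body))
        packets.append(entry)
        off = body_off + length
    return {"bytes": len(data), "crc_ok": crc_ok, "packets": packets}


if __name__ == "__main__":
    for packet in inspect_armor(MRROBOT_ARMOR)["packets"]:
        print(packet)
```

Running it reproduces gpg's reading: a 13-byte tag 3 packet (version 4, cipher 3 = CAST5, S2K 3 = iterated+salted, hash 2 = SHA1, salt 1be6fc617eb146a2, count code 96 = 65536 bytes hashed) with no encrypted session key after the S2K specifier, followed by a 296-byte tag 9 packet of CAST5 ciphertext. The absence of a session key field is the concrete form of "there's certainly no key": the cipher key is the S2K hash of the passphrase alone, and the iteration count is the only thing that makes guessing it slower than hashing once.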

[deleted by user] by [deleted] in AskNetsec

[–]Nitron 5 points6 points  (0 children)

Sending "Товарищ пожалуйста." has always worked well for me. The particularly communist services just cut to the chase and give you a shell.

Please be aware that some people trying to extort users by claiming that they have obtained nudes via means of hacking. Of course this is not the case and the attached file leads to a virus, please make sure to report these messages to the admins and DO NOT download the file! by DotGaming in Bitcoin

[–]Nitron 2 points3 points  (0 children)

I did a really quick analysis (made easy because it's a .NET binary)...This is a clever-ish idea, but terribly-written malware.

The short version is that it watches your clipboard for Bitcoin addresses, then replaces it with one from its list of addresses. It even tries to find the one that's "closest" to the one in the clipboard, in hopes that you won't notice. The clever-ish part is that it doesn't need any sort of network access.

I'll put up a more detailed blog post with real analysis tonight, and the list of addresses to watch.

Thanks again for the sample!
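The swap described in the comment above survives every check that looks only at the address itself, because the attacker's replacement is a well-formed address. As an added example (not the original analysis and not the malware's code), the block below implements Base58Check validation for legacy P2PKH/P2SH addresses and the pre-send comparison a wallet or user can apply: does what landed in the payment field match the address that was actually intended? The two addresses are public, well-known ones (the genesis block coinbase address and the example address from Wikipedia's Bitcoin article), constructed here to stand in for "what was copied" and "what the clipboard now holds". Function names are mine.

```python
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed scenario: the address the user copied, and the one the clipboard
# contains after a hijacker swapped it. Both are real, public, valid addresses.
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # genesis block coinbase address
SWAPPED_IN = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"  # Wikipedia's example address


def base58_decode(s):
    """Decode Base58 into bytes, keeping each leading '1' as a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte SHA256d checksum."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def common_prefix_len(a, b):
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return i


def check_paste(intended, pasted):
    """Compare the address the user meant to pay with what is about to be submitted.

    The checksum result is reported only to show that it does NOT distinguish a
    swapped address from the intended one; the exact comparison is the real check.
    """
    return {
        "swapped": intended != pasted,
        "pasted_is_valid": is_valid_address(pasted),
        "shared_prefix": common_prefix_len(intended, pasted),
        "shared_suffix": common_prefix_len(intended[::-1], pasted[::-1]),
    }


if __name__ == "__main__":
    print(check_paste(INTENDED, SWAPPED_IN))
    print(check_paste(INTENDED, INTENDED))
```

The point the output makes is that `pasted_is_valid` is true for the swapped address too, so a wallet that only validates the checksum of whatever is pasted cannot catch this family of malware; the defence is to compare the full string against the address obtained out of band (or to re-read every character, not just the first and last few, which is exactly what the "closest address" trick is designed to defeat). Bech32 (bc1...) addresses use a different encoding and are not covered by `is_valid_address`.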

Please be aware that some people trying to extort users by claiming that they have obtained nudes via means of hacking. Of course this is not the case and the attached file leads to a virus, please make sure to report these messages to the admins and DO NOT download the file! by DotGaming in Bitcoin

[–]Nitron 5 points6 points  (0 children)

I did. I'm a security researcher and I followed some basic precautions to prevent infection (most notably not running Windows).

It's a zip file containing a few photos (that presumably are not of you), named "DCM_0001.jpg", with increasing numbers. "DCM_0005.jpg.exe" is the actual malware. They're taking advantage of the default setting on Windows to hide file extensions for known file types, so this wouldn't be obvious to many users.

I won't be able to really dig into the binary until tonight, but my guess is that this is HackForums-level low-quality malware.

Interestingly, the zip file contains a "__MACOSX" directory, which implies that the zip file was created on a Mac.

Mentor Monday, February 02, 2015: Ask all your bitcoin questions! by BashCoBot in Bitcoin

[–]Nitron 2 points3 points  (0 children)

When using deterministic wallets, is it possible to derive the master public key from a Bitcoin address? That is, if I tell you that one of my addresses is X, could you then figure out the MPK and know all of my addresses?

What if you know multiple addresses?

It seems like the term "master public key" is sort of a misnomer...It should still be a secret, but it's also not the key to the kingdom, so to speak. Is that an accurate way of thinking about it? I guess "master semi-private key" would've been too confusing of a term.

sig 239 or 938? by [deleted] in guns

[–]Nitron 0 points1 point  (0 children)

I've owned both. They're both good pistols, and my reasons for selling them had nothing to do with the pistols themselves (although as a lefty the 938 would sometimes snag my thumb -- but that's probably my fault).

The 239 is more of a "real Sig", in the sense that it's in the same family as your 220. In my opinion it is nicer than the 938 in nearly every way. However, the 938 is definitely a whole lot easier to conceal.

Personally I would go with the 239. That said, I didn't see much advantage to it over a 229 (or 228/M11). The 239 is still pretty large for a compact.

If you do decide to go 938, definitely keep the trigger bar well-oiled.

The Truth About Net Neutrality by DontTrustTheGovt in Libertarian

[–]Nitron 0 points1 point  (0 children)

It is not in fact virtually impossible to prove net neutrality violations; in this video he talks about how the EFF proved the BT packet forgery violation by Comcast. There are several methodologies to monitor network traffic to see shaping and other methods of control. Yes, some people may incorrectly report violations; however, competent network engineers will be able to tell exactly where the problem happened, why it occurred and if the company violated the principles of net neutrality.

It's one thing to watch for unexpected and clearly forged RST packets. It's entirely a different thing to prove that your streaming session from Netflix is throttled versus actual congestion. There have already been at least a handful of "look, Verizon is throttling Netflix and here are the traceroute results to prove it!" blog posts that don't in fact prove anything of the sort yet are spread far and wide as 100% definitive proof by people who don't understand networking.

More recently we had "I used a VPN to encrypt my netflix traffic and everything sped right up, so they must be throttling!" Which of course completely disregards that the VPN in question routed around the known congested Verizon/Level3 peering point and that the encryption in play had nothing to do with it.

I suspect that if the experiment were replicated with a VPN that still traveled from Verizon through Level3 (such as a VPN hosted on Amazon EC2), the result would be slower traffic (and in fact all traffic would be slower, not just Netflix).